Edit tour

Windows Analysis Report
QyzM5yhuwd.exe

Overview

General Information

Sample name:	QyzM5yhuwd.exe renamed because original name is a hash value
Original sample name:	6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de.exe
Analysis ID:	1573982
MD5:	602d720f1184d2ad739568cbf6403331
SHA1:	c5f349be3ed0591acbe52160cb6bf5acbfbfb91f
SHA256:	6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
Tags:	exeMedusaLockeruser-0x0d4y
Infos:

Detection

MedusaLocker

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Multi AV Scanner detection for submitted file

Yara detected MedusaLocker Ransomware

AI detected suspicious sample

Contains functionality to encrypt and move a file in one function

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Disables security and backup related services

Found Tor onion address

Infects executable files (exe, dll, sys, html)

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious Windows Service Tampering

Writes a notice file (html or txt) to demand a ransom

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Installs a Chrome extension

Installs a raw input device (often for capturing keystrokes)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Classification

Process Tree

System is w10x64

QyzM5yhuwd.exe (PID: 1144 cmdline: "C:\Users\user\Desktop\QyzM5yhuwd.exe" MD5: 602D720F1184D2AD739568CBF6403331)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6172 cmdline: net stop "Acronis VSS Provider" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5212 cmdline: C:\Windows\system32\net1 stop "Acronis VSS Provider" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3564 cmdline: net stop "Enterprise Client Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5088 cmdline: C:\Windows\system32\net1 stop "Enterprise Client Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1080 cmdline: net stop "Sophos Agent" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1820 cmdline: C:\Windows\system32\net1 stop "Sophos Agent" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1944 cmdline: net stop "Sophos AutoUpdate Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2788 cmdline: C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3972 cmdline: net stop "Sophos Clean Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6276 cmdline: C:\Windows\system32\net1 stop "Sophos Clean Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3636 cmdline: net stop "Sophos Device Control Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 7112 cmdline: C:\Windows\system32\net1 stop "Sophos Device Control Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 5640 cmdline: net stop "Sophos File Scanner Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 7108 cmdline: C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 5856 cmdline: net stop "Sophos Health Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4576 cmdline: C:\Windows\system32\net1 stop "Sophos Health Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 5432 cmdline: net stop "Sophos MCS Agent" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6756 cmdline: C:\Windows\system32\net1 stop "Sophos MCS Agent" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3600 cmdline: net stop "Sophos MCS Client" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 968 cmdline: C:\Windows\system32\net1 stop "Sophos MCS Client" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6776 cmdline: net stop "Sophos Message Router" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6844 cmdline: C:\Windows\system32\net1 stop "Sophos Message Router" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1008 cmdline: net stop "Sophos Safestore Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1832 cmdline: C:\Windows\system32\net1 stop "Sophos Safestore Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3720 cmdline: net stop "Sophos System Protection Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2876 cmdline: C:\Windows\system32\net1 stop "Sophos System Protection Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 2240 cmdline: net stop "Sophos Web Control Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4016 cmdline: C:\Windows\system32\net1 stop "Sophos Web Control Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 7004 cmdline: net stop "SQLsafe Backup Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6332 cmdline: C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6964 cmdline: net stop "SQLsafe Filter Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6980 cmdline: C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1532 cmdline: net stop "Symantec System Recovery" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3608 cmdline: C:\Windows\system32\net1 stop "Symantec System Recovery" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4976 cmdline: net stop "Veeam Backup Catalog Data Service" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4572 cmdline: C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 916 cmdline: net stop "AcronisAgent" /y MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 764 cmdline: C:\Windows\system32\net1 stop "AcronisAgent" /y MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
MedusaLocker	A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.	No Attribution	http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html https://asec.ahnlab.com/en/48940/ https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/ https://blog.talosintelligence.com/2020/04/medusalocker.html https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3146754899.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3331089817.0000000001594000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3418860100.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2009761583.0000000001567000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2541124307.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3745813644.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3042992372.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3612035104.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1888426959.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1943790351.0000000001515000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3877581274.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3355172431.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3127173092.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2001508097.0000000001567000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1852394616.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1872033487.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2537972549.0000000001591000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1899108454.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3077583736.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1993179696.0000000001509000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3598944009.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2860202126.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2021849873.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3161278871.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2413305865.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3812719661.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3145461186.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1846925533.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2341530505.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2243501292.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1821742997.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3372258557.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2155255446.000000000150F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3870051484.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3047734924.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3141944674.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3369988771.0000000001509000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2324821490.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3363997024.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3692211307.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1993037726.000000000154C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3456008694.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3646903498.0000000001594000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132319120.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3359022187.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1885310626.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3042193613.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2412988666.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3115652353.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3079535358.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2992890050.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2243580880.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3684891898.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2160709215.0000000001510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3421549881.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3141261131.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3324653342.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1949133478.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3433299355.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2860202126.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3685110939.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3339967210.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2160150753.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1995135515.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3290591478.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2506182530.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2099606171.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2194289591.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1995035066.000000000156A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3492855189.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3317477526.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3463443403.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1942105832.0000000001521000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2035520115.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2189115351.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2341684474.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3355224794.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3359022187.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3133186086.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2535063809.000000000150F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1995178560.000000000156A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132319120.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2839990271.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3592476775.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2754921253.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3246556746.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1995829268.0000000001522000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3146466694.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3311974938.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2846883658.0000000001502000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3028193910.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2708569023.0000000001510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2506142114.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1825672364.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132606073.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2077383442.0000000001519000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3125123576.0000000001533000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3042862522.0000000001516000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3408342844.0000000001509000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2155027834.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2114302278.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3135022063.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3077146117.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1976174509.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3116661059.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3542541740.0000000001509000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3127413066.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3641052144.00000000015A9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3355224794.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1946056470.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3442673224.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3592476775.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3166941364.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2189017053.0000000001561000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605096332.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3355224794.0000000001543000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2298467572.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2365087656.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3852584276.0000000001554000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2295051735.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3236601191.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3084697309.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1993107816.0000000001562000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3125227436.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3521806866.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3727024687.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2365087656.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3914980872.000000000158F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3640894845.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2879234188.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3134614334.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3125195273.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3521806866.0000000001543000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2058900871.0000000001519000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2412988666.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2499956024.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2326676165.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3059221702.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3119620550.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3237528942.00000000015B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3569434443.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1994918954.000000000156A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3465963096.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3704253011.00000000015AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2182562195.0000000001563000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1990151847.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3646733045.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2022153803.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3870051484.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1975769744.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3137175440.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3476928706.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2860362164.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3812921046.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3057586389.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2232363989.0000000001518000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605532068.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3166764264.0000000001538000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1872381734.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3726951500.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2623498682.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2755786916.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3592476775.000000000153A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3646733045.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2001683974.0000000001519000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2842318422.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3266478006.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3084585124.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3415359594.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3147071239.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000002.3975578193.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2506088502.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3237431982.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3313388328.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132278514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3852584276.000000000155C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1993072538.0000000001515000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3028389212.0000000001517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3119692552.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1884616177.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3877581274.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3745954951.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3426194720.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3583610911.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3048932501.000000000159E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3138111875.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3439480657.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3369841097.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3345853819.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3598662869.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3145547958.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1847402988.0000000001523000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3268094485.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1982184334.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3870302443.000000000155C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3583610911.000000000153A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2165115385.000000000150F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1870228793.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3583610911.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2051717191.000000000150F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3049159863.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3275628163.0000000001507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3435399890.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1844716005.0000000001523000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3812719661.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3077146117.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2190595036.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3115652353.0000000001518000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3813079157.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1846882404.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3355627290.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2231247945.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3019712178.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3137104188.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2150713257.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3598662869.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2004126125.000000000150F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3125051743.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1990330001.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3489898913.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3028193910.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000002.3975315135.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3592702122.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605096332.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3355627290.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2521210238.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2104791230.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000002.3975176096.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3324184757.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3145322714.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3522287604.0000000001509000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3522111503.000000000156A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3125015912.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3268371055.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3127383570.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3140895497.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3359304506.000000000156C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3470262463.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3141261131.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3018622659.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3316563630.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2170192792.0000000001556000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3812719661.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2708626040.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2150477102.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3148219299.0000000001552000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3079318130.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2044239599.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3703866711.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3065821728.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2326676165.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3127244403.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1923887569.000000000151C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3137011918.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1975050874.0000000001517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1923064273.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3730487483.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3878840199.00000000012F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3134272394.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3345997403.0000000001508000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3236827133.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2334621186.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2092651263.0000000001519000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2237257792.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2623761450.0000000001510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3345745529.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2018328066.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3573292802.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3388494055.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1785288421.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3443116501.000000000156B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3146754899.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2099428707.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2467676994.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3146992914.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3421549881.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605532068.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3492855189.000000000154A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3132606073.0000000001533000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1841131519.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1893078752.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3063555034.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3119423115.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1828521013.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2038185183.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2334820687.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2324821490.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605532068.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1845454539.0000000001523000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3388648556.0000000001509000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2520012736.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3541829750.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3280396253.0000000001568000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3813048437.00000000015AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3161224808.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3877581274.000000000155C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3167105223.0000000001506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2959718567.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2247469426.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2180318569.000000000155D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3146466694.000000000152D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2185209999.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1952349670.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3598662869.000000000153A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2061777699.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3612376425.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1882246078.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2031873532.0000000001569000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3408234254.0000000001547000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2467676994.000000000158D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3605725698.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1983286554.000000000151E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2083460952.0000000001519000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2521434091.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3612035104.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2261019197.000000000151B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.1895769079.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2285134778.000000000151A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.3145675223.000000000152D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2881346999.0000000001517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
Process Memory Space: QyzM5yhuwd.exe PID: 1144	JoeSecurity_MedusaLocker	Yara detected MedusaLocker Ransomware	Joe Security
Click to see the 413 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Windows Service Tampering

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: net stop "Acronis VSS Provider" /y, CommandLine: net stop "Acronis VSS Provider" /y, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\QyzM5yhuwd.exe", ParentImage: C:\Users\user\Desktop\QyzM5yhuwd.exe, ParentProcessId: 1144, ParentProcessName: QyzM5yhuwd.exe, ProcessCommandLine: net stop "Acronis VSS Provider" /y, ProcessId: 6172, ProcessName: net.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net stop "Acronis VSS Provider" /y, CommandLine: net stop "Acronis VSS Provider" /y, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\QyzM5yhuwd.exe", ParentImage: C:\Users\user\Desktop\QyzM5yhuwd.exe, ParentProcessId: 1144, ParentProcessName: QyzM5yhuwd.exe, ProcessCommandLine: net stop "Acronis VSS Provider" /y, ProcessId: 6172, ProcessName: net.exe

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: net stop "Acronis VSS Provider" /y, CommandLine: net stop "Acronis VSS Provider" /y, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\QyzM5yhuwd.exe", ParentImage: C:\Users\user\Desktop\QyzM5yhuwd.exe, ParentProcessId: 1144, ParentProcessName: QyzM5yhuwd.exe, ProcessCommandLine: net stop "Acronis VSS Provider" /y, ProcessId: 6172, ProcessName: net.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T19:27:19.152372+0100	2803305	3	Unknown Traffic	192.168.2.9	49719	204.79.197.203	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QyzM5yhuwd.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: QyzM5yhuwd.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.1% probability

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AF4E60 GetSystemFirmwareTable,__Init_thread_footer,__Init_thread_footer,BCryptOpenAlgorithmProvider,BCryptGetProperty,GetProcessHeap,HeapAlloc,BCryptGetProperty,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptCloseAlgorithmProvider,BCryptDestroyKey,GetProcessHeap,HeapFree,__Init_thread_footer,GetSystemFirmwareTable,	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AE1520 BCryptOpenAlgorithmProvider,BCryptOpenAlgorithmProvider,	0_2_00AE1520
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AEFA00 GetFileAttributesW,SetFileAttributesW,__Init_thread_footer,__fread_nolock,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,BCryptEncrypt,BCryptEncrypt,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__fread_nolock,__fread_nolock,__Init_thread_footer,__Init_thread_footer,wsprintfW,MoveFileW,	0_2_00AEFA00
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AE1A10 BCryptDestroyKey,CryptStringToBinaryA,CryptStringToBinaryA,GetProcessHeap,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,HeapAlloc,CryptDecodeObjectEx,GetProcessHeap,HeapAlloc,BCryptImportKeyPair,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_00AE1A10
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AE15A0 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptDestroyKey,	0_2_00AE15A0
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AE1640 BCryptGetProperty,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,BCryptGetProperty,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,BCryptSetProperty,BCryptGenerateSymmetricKey,	0_2_00AE1640
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AE17D0 BCryptEncrypt,BCryptEncrypt,BCryptEncrypt,	0_2_00AE17D0

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9	0_2_00AF4A80
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9	0_2_00AF4A80
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf	0_2_00AE1A10
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf	0_2_00AE1A10
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf	0_2_00AE1A10
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf	0_2_00AE1A10
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----	0_2_00B584E0
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----	0_2_00B58521
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3	0_2_00B56540
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3	0_2_00AE4B20
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3	0_2_00AE4B20
Source: QyzM5yhuwd.exe	Binary or memory string: -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf

Source: QyzM5yhuwd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QyzM5yhuwd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: inload_prod.pdb\!!!READ_ME_M source: QyzM5yhuwd.exe, 00000000.00000003.2708569023.0000000001510000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2708626040.000000000151A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx.MEDUSAnload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC22c4nd Settings\user\AppData\Local\Applica'o source: QyzM5yhuwd.exe, 00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831CacheDataxUN source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Decemberb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.MEDUSA source: QyzM5yhuwd.exe, 00000000.00000003.2232148389.000000000154D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\!!!READ_ME_MEDUSA!!!.txt source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdbX#R source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.MEDUSA1h2txyewy\AC\Microsoft\Internet Explorer\DO source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.MEDUSAAtxtr:April:May:May:Jun:June:Jul:July:Aug:AuguT$) : source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.MEDUSAData\Temp\Symbols\winload_prod.pdb\!!!READ_ME_MEDUSA!!!.txt13c03908334ings\user\A source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: ConDrv.0.dr
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb@#R source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb!READ_ME_MEDUSA!!!.txt+ source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: ConDrv.0.dr
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: ConDrv.0.dr
Source:	Binary string: $$ \|\$ /$$ \|$$ \|ntkrnlmp.pdb \|x source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2ateeC\INetHistory\!!!READ_ME_MEDUSA!!!.txt15] source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\!!!READ_ME_MEDUSA!!!.txtlication Data\Packages\Microsoft.XboxSpeechT source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb8 source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdbA\Local\Applicw~7 source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\!!!READ_ME_MEDUSA!!!.txt source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.MEDUSA!!.txt* source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\@ source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbt your busy business. source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G:\Medusa\Release\gaze.pdb source: QyzM5yhuwd.exe
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\!!!READ_ME_MEDUSA!!!.txtA source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\!!!READ_ME_MEDUSA!!!.txt source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx.MEDUSAnload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC22c4nd Settings\user\AppData\Local\Applica'o source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G:\Medusa\Release\gaze.pdbv source: QyzM5yhuwd.exe
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*aming.lockUSA!!!.txton Data\Packages\microsoft.windowscommuni source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdbO source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: ConDrv.0.dr
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E_MEDUSA!!!.txtuary:Feb:February:Mar:March:Apr:April:Ma source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdbpdb source: QyzM5yhuwd.exe, 00000000.00000003.2499956024.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ta\Temp\Symbols\winload_prod.pdbt source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.MEDUSA.txtOct:October:Nov:November:Dec:Decembereptember:Oct:October:Nov:November:Dec:Decemberf' source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.MEDUSAPackages\Micro source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdBoot.sys			Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Drivers\WdBoot.sys			Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AFFE1B FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,		0_2_00AFFE1B
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B49AEC FindFirstFileExW,		0_2_00B49AEC

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00AF15A0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,lstrlenW,

0_2_00AF15A0

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\.curlrc	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\ARM\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\ARM\Acrobat_23.006.20320\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\	Jump to behavior

Networking

Found Tor onion address

Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3569434443.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3569434443.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3569434443.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3569434443.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3426194720.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3541770865.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3541770865.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3421549881.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3421549881.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3421549881.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3421549881.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3317477526.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3317477526.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3317477526.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3317477526.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3569402022.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3569402022.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3268094485.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3268094485.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3268094485.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3268094485.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3065633455.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3345853819.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3345853819.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3345853819.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3345853819.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3268277298.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3268277298.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3268277298.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3268277298.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3294387243.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3294387243.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3294387243.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3294387243.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3492802740.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3492802740.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3492802740.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3492802740.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3470262463.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3470262463.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3470262463.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3470262463.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3421387080.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3421387080.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3324615514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324615514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3324615514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3324615514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3564014858.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3564014858.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3564014858.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3057824248.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3057824248.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3057824248.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3057824248.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3194453907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3194453907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3194453907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3363885214.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3363885214.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3463443403.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3463443403.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3463443403.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3463443403.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2058786004.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2058786004.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3418860100.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3418860100.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3418860100.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3418860100.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2009761583.0000000001567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49719 -> 204.79.197.203:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.MSO\!!!READ_ME_MEDUSA!!!.txt

Jump to behavior

Source: global traffic	DNS traffic detected: DNS query: res.public.onecdn.static.microsoft
Source: global traffic	DNS traffic detected: DNS query: tse1.mm.bing.net

Source: QyzM5yhuwd.exe, 00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vucC2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml----------------
Source: QyzM5yhuwd.exe, 00000000.00000003.3047734924.000000000151A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3049159863.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e
Source: QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfy..ghw76o
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cx5uMsMpRes.dllucuuxh
Source: QyzM5yhuwd.exe, 00000000.00000003.3641052144.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyPROFILEszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3237528942.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3237431982.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszTestDrive.ps1hpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Source: QyzM5yhuwd.exe, 00000000.00000003.2537972549.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uypkcs11.txt7cvjzmnBw
Source: QyzM5yhuwd.exe, 00000000.00000003.3569434443.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uytaskpane_onenote_cf1626b6cdd842a14c995bc7195cc9ca.cssrrors:
Source: QyzM5yhuwd.exe, 00000000.00000003.3303069748.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
Source: QyzM5yhuwd.exe, 00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429
Source: QyzM5yhuwd.exe, 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoftgraph/msgraph-sdk-javascript.git
Source: QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.L
Source: QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.LYNC_ringtone3.wavwav
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.M
Source: QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.MsMpEng.exe
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.plyXOcSjh%Z
Source: QyzM5yhuwd.exe, 00000000.00000003.1885310626.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1846925533.0000000001520000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3145461186.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3870051484.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1821742997.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2243501292.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3330865366.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3363997024.0000000001547000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3456008694.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3598944009.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3646903498.0000000001594000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3141944674.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3692211307.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3145461186.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2284968073.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3456008694.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3388367661.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://utox.org/uTox_win64.exe)
Source: QyzM5yhuwd.exe, 00000000.00000003.3541829750.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.torprojYAHOO.COM.AU.XMLkuS
Source: QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.torprojecLYNC_ringtone4.wav
Source: QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/down
Source: QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/download/):
Source: QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tpassword-hero.png
Source: QyzM5yhuwd.exe, 00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwC2RManifest.osmmui.msi.16.en-us.xmlzhtu

Source: QyzM5yhuwd.exe, 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Program Files (x86)\autoit3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au3

memstr_033d52b1-6

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\ProgramData\Microsoft OneDrive\setup\!!!READ_ME_MEDUSA!!!.txt

Dropped file: $$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |$$ \$$$ $$ |$$ __| $$ | $$ |$$ | $$ | \____$$\ $$ __$$ |$$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ |$$\ $$ |$$ | $$ |$$ | \_/ $$ |$$$$$$$$\ $$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ |\__| \__|\________|\_______/ \______/ \______/ \__| \__|-----------------------------[ Hello, EFI !!! ]--------------------------Sorry to interrupt your busy business.WHAT HAPPEND?------------------------------------------------------------1. We have PENETRATE your network and COPIED data.We have penetrated your entire network and researched all about your data.And we have copied terabytes of all your confidential data and uploaded to private storage.* You're running a highly valued business and your data was very crucial.2. We have ENCRYPTED your files.While you are reading this message, it means your files and data has been ENCRYPTED by world's strongest ransomware.Your files have encrypted with new military-grade encryption algorithm and you can not decrypt your files.But don't worry, we can decrypt your files.There is only one possible way to get back your computers and servers, keep your privacy safe - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs.This MEDUSA DECRYPTOR will restore your entire network within less than 1 business day.WHAT GUARANTEES?---------------------------------------------------------------We can post all of your critial data to the public and send emails to your competitors.We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites. You can easily search about us.You can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.After paying for the data breach and decryption, we guarantee that your data will never be leaked and make everything silent, this is also for our reputation.YOU should be AWARE!---------------------------------------------------------------We will speak only with an authorized person. It can be the CEO, top management etc.In case you ar not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!Inform your supervisors and stay calm!If you do not contact us within 48 hours, We will start publish your case to our official blog and everybody will start notice your incident!--------------------[ Telegram channel ]--------------------https://t.me/+yXOcSjVjI9tjM2E0--------------------[ Of

Jump to dropped file

Yara detected MedusaLocker Ransomware

Source: Yara match	File source: 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3146754899.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3331089817.0000000001594000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3418860100.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2009761583.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2541124307.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3745813644.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3042992372.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3612035104.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1888426959.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1943790351.0000000001515000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3877581274.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3355172431.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3127173092.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2001508097.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1852394616.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1872033487.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2537972549.0000000001591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1899108454.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3077583736.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993179696.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3598944009.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2860202126.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2021849873.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3161278871.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2413305865.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3812719661.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3145461186.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1846925533.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2341530505.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2243501292.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1821742997.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3372258557.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2155255446.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3870051484.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3047734924.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3141944674.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3369988771.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2324821490.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3363997024.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3692211307.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993037726.000000000154C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3456008694.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3646903498.0000000001594000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132319120.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3359022187.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1885310626.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3042193613.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2412988666.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3115652353.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3079535358.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2992890050.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2243580880.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3684891898.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2160709215.0000000001510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3421549881.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3141261131.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3324653342.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1949133478.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3433299355.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2860202126.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3685110939.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3339967210.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2160150753.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1995135515.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3290591478.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2506182530.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099606171.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2194289591.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1995035066.000000000156A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3492855189.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3317477526.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3463443403.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1942105832.0000000001521000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2035520115.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2189115351.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2341684474.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3355224794.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3359022187.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3133186086.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2535063809.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1995178560.000000000156A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132319120.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2839990271.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3592476775.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2754921253.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3246556746.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1995829268.0000000001522000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3146466694.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3311974938.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2846883658.0000000001502000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3028193910.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2708569023.0000000001510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2506142114.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1825672364.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132606073.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2077383442.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3125123576.0000000001533000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3042862522.0000000001516000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3408342844.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2155027834.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2114302278.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3135022063.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3077146117.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1976174509.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3116661059.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3542541740.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3127413066.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3641052144.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3355224794.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1946056470.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3442673224.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3592476775.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3166941364.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2189017053.0000000001561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605096332.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3355224794.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2298467572.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2365087656.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3852584276.0000000001554000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2295051735.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3236601191.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3084697309.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993107816.0000000001562000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3125227436.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3521806866.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3727024687.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2365087656.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3914980872.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3640894845.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2879234188.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3134614334.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3125195273.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3521806866.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2058900871.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2412988666.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2499956024.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2326676165.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3059221702.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3119620550.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3237528942.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3569434443.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1994918954.000000000156A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3465963096.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3704253011.00000000015AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2182562195.0000000001563000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1990151847.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3646733045.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2022153803.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3870051484.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1975769744.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3137175440.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3476928706.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2860362164.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3812921046.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3057586389.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2232363989.0000000001518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605532068.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3166764264.0000000001538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1872381734.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3726951500.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2623498682.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2755786916.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3592476775.000000000153A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3646733045.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2001683974.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2842318422.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3266478006.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3084585124.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3415359594.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3147071239.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3975578193.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2506088502.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3237431982.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3313388328.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132278514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3852584276.000000000155C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993072538.0000000001515000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3028389212.0000000001517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3119692552.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1884616177.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3877581274.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3745954951.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3426194720.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3583610911.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3048932501.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3138111875.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3439480657.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3369841097.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3345853819.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3598662869.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3145547958.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1847402988.0000000001523000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3268094485.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1982184334.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3870302443.000000000155C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3583610911.000000000153A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2165115385.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1870228793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3583610911.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2051717191.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3049159863.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3275628163.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3435399890.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1844716005.0000000001523000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3812719661.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3077146117.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2190595036.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3115652353.0000000001518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3813079157.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1846882404.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3355627290.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2231247945.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3019712178.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3137104188.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2150713257.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3598662869.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2004126125.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3125051743.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1990330001.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3489898913.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3028193910.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3975315135.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3592702122.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605096332.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3355627290.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2521210238.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2104791230.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3975176096.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3324184757.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3145322714.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3522287604.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3522111503.000000000156A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3125015912.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3268371055.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3127383570.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3140895497.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3359304506.000000000156C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3470262463.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3141261131.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3018622659.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3316563630.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2170192792.0000000001556000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3812719661.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2708626040.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2150477102.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3148219299.0000000001552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3079318130.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2044239599.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3703866711.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3065821728.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2326676165.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3127244403.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1923887569.000000000151C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3137011918.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1975050874.0000000001517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1923064273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3730487483.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3878840199.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3134272394.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3345997403.0000000001508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3236827133.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2334621186.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2092651263.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2237257792.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2623761450.0000000001510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3345745529.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2018328066.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3573292802.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3388494055.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1785288421.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3443116501.000000000156B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3146754899.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099428707.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2467676994.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3146992914.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3421549881.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605532068.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3492855189.000000000154A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3132606073.0000000001533000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841131519.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1893078752.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3063555034.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3119423115.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1828521013.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2038185183.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2334820687.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2324821490.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605532068.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1845454539.0000000001523000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3388648556.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2520012736.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3541829750.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3280396253.0000000001568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3813048437.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3161224808.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3877581274.000000000155C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3167105223.0000000001506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2959718567.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2247469426.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2180318569.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3146466694.000000000152D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2185209999.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1952349670.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3598662869.000000000153A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061777699.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3612376425.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1882246078.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2031873532.0000000001569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3408234254.0000000001547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2467676994.000000000158D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3605725698.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1983286554.000000000151E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2083460952.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2521434091.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3612035104.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2261019197.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1895769079.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2285134778.000000000151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3145675223.000000000152D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2881346999.0000000001517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QyzM5yhuwd.exe PID: 1144, type: MEMORYSTR

Contains functionality to encrypt and move a file in one function

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00AEFA00 GetFileAttributesW,SetFileAttributesW,__Init_thread_footer,__fread_nolock,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,BCryptEncrypt,BCryptEncrypt,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__fread_nolock,__fread_nolock,__Init_thread_footer,__Init_thread_footer,wsprintfW,MoveFileW,

0_2_00AEFA00

Deletes shadow drive data (may be related to ransomware)

Source: QyzM5yhuwd.exe	Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: QyzM5yhuwd.exe, 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: QyzM5yhuwd.exe, 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin Delete Shadows /all /quietSQLAgent$ECWDB2macmnsvcY
Source: QyzM5yhuwd.exe, 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: VeeamMountSvcvssadmin Delete Shadows /all /quiet

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\Microsoft OneDrive\setup\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\Package Cache\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\regid.1991-06.com.microsoft\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\SoftwareDistribution\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\$WinREAgent\Scratch\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\$WinREAgent\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File dropped: C:\ProgramData\!!!READ_ME_MEDUSA!!!.txt -> decrypt your files.but don't worry, we can decrypt your files.there is only one possible way to get back your computers and servers, keep your privacy safe - contact us via live chat and pay for the special medusa decryptor and decryption keys.this medusa decryptor will restore your entire network within less than 1 business day.what guarantees?---------------------------------------------------------------we can post all of your critial data to the public and send emails to your competitors.we have professional osints and media team for leak data to telegram, facebook, twitter channels and top news websites. you can easily search about us.you can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues.after paying for the data breach and decryption	Jump to dropped file

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00AE1A10 BCryptDestroyKey,CryptStringToBinaryA,CryptStringToBinaryA,GetProcessHeap,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,HeapAlloc,CryptDecodeObjectEx,GetProcessHeap,HeapAlloc,BCryptImportKeyPair,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00AE1A10

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B044BE NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

0_2_00B044BE

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AF4E60	0_2_00AF4E60
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AF37C0	0_2_00AF37C0
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AEFA00	0_2_00AEFA00
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B4623F	0_2_00B4623F
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B4C30F	0_2_00B4C30F
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B2064E	0_2_00B2064E
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B34785	0_2_00B34785
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B5087F	0_2_00B5087F
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B349B7	0_2_00B349B7
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B5099F	0_2_00B5099F
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B34BE9	0_2_00B34BE9
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B4EE6A	0_2_00B4EE6A
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B3903A	0_2_00B3903A
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B3B000	0_2_00B3B000
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B1B2AE	0_2_00B1B2AE
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B2F4A0	0_2_00B2F4A0
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B47AD9	0_2_00B47AD9

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: String function: 00B173A7 appears 55 times
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: String function: 00B18230 appears 66 times
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: String function: 00B17C96 appears 72 times
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: String function: 00B17366 appears 195 times
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: String function: 00B17C62 appears 180 times
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: String function: 00B17921 appears 180 times

Source: QyzM5yhuwd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 16
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 47
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 16
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 16
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 0
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 47
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\!!!READ_ME_MEDUSA!!!.txt
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 47
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 16
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 31
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 31
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 0 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 31
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 16
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: encrypt 3 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 0
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png 0
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 6 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 7 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png 0
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png 0
Source: ConDrv.0.dr	Binary string: encrypt 2 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml 0
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0
Source: ConDrv.0.dr	Binary string: encrypt 5 C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml 47
Source: ConDrv.0.dr	Binary string: encrypt 4 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png 0
Source: ConDrv.0.dr	Binary string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\!!!READ_ME_MEDUSA!!!.txt
Source: ConDrv.0.dr	Binary string: encrypt 1 C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png 0

Source: classification engine

Classification label: mal100.rans.spre.evad.winEXE@306/308@2/0

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00AF15A0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,lstrlenW,

0_2_00AF15A0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Temp\!!!READ_ME_MEDUSA!!!.txt

Jump to behavior

Source: QyzM5yhuwd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QyzM5yhuwd.exe

ReversingLabs: Detection: 78%

Source: QyzM5yhuwd.exe	String found in binary or memory: --start--
Source: QyzM5yhuwd.exe	String found in binary or memory: --start--
Source: QyzM5yhuwd.exe	String found in binary or memory: --start--

Source: unknown	Process created: C:\Users\user\Desktop\QyzM5yhuwd.exe "C:\Users\user\Desktop\QyzM5yhuwd.exe"
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "AcronisAgent" /y

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: QyzM5yhuwd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QyzM5yhuwd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QyzM5yhuwd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QyzM5yhuwd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QyzM5yhuwd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QyzM5yhuwd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: QyzM5yhuwd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: QyzM5yhuwd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: inload_prod.pdb\!!!READ_ME_M source: QyzM5yhuwd.exe, 00000000.00000003.2708569023.0000000001510000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2708626040.000000000151A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx.MEDUSAnload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC22c4nd Settings\user\AppData\Local\Applica'o source: QyzM5yhuwd.exe, 00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831CacheDataxUN source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Decemberb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.MEDUSA source: QyzM5yhuwd.exe, 00000000.00000003.2232148389.000000000154D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\!!!READ_ME_MEDUSA!!!.txt source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdbX#R source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.MEDUSA1h2txyewy\AC\Microsoft\Internet Explorer\DO source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.MEDUSAAtxtr:April:May:May:Jun:June:Jul:July:Aug:AuguT$) : source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.MEDUSAData\Temp\Symbols\winload_prod.pdb\!!!READ_ME_MEDUSA!!!.txt13c03908334ings\user\A source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: ConDrv.0.dr
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb@#R source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb!READ_ME_MEDUSA!!!.txt+ source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: ConDrv.0.dr
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: ConDrv.0.dr
Source:	Binary string: $$ \|\$ /$$ \|$$ \|ntkrnlmp.pdb \|x source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2ateeC\INetHistory\!!!READ_ME_MEDUSA!!!.txt15] source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\!!!READ_ME_MEDUSA!!!.txtlication Data\Packages\Microsoft.XboxSpeechT source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb8 source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdbA\Local\Applicw~7 source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\!!!READ_ME_MEDUSA!!!.txt source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.MEDUSA!!.txt* source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\@ source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbt your busy business. source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G:\Medusa\Release\gaze.pdb source: QyzM5yhuwd.exe
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\!!!READ_ME_MEDUSA!!!.txtA source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\!!!READ_ME_MEDUSA!!!.txt source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx.MEDUSAnload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC22c4nd Settings\user\AppData\Local\Applica'o source: QyzM5yhuwd.exe, 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G:\Medusa\Release\gaze.pdbv source: QyzM5yhuwd.exe
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*aming.lockUSA!!!.txton Data\Packages\microsoft.windowscommuni source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdbO source: QyzM5yhuwd.exe, 00000000.00000003.3048767326.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: too long filename: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: ConDrv.0.dr
Source:	Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E_MEDUSA!!!.txtuary:Feb:February:Mar:March:Apr:April:Ma source: QyzM5yhuwd.exe, 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdbpdb source: QyzM5yhuwd.exe, 00000000.00000003.2499956024.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ta\Temp\Symbols\winload_prod.pdbt source: QyzM5yhuwd.exe, 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3020500537.0000000001553000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3019262517.0000000001541000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.MEDUSA.txtOct:October:Nov:November:Dec:Decembereptember:Oct:October:Nov:November:Dec:Decemberf' source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.MEDUSAPackages\Micro source: QyzM5yhuwd.exe, 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp

Source: QyzM5yhuwd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QyzM5yhuwd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QyzM5yhuwd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QyzM5yhuwd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QyzM5yhuwd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B26809 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B26809

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B18274 push ecx; ret	0_2_00B18286
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B0D79F push 8B00B592h; iretd	0_2_00B0D7A4
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B17C3C push ecx; ret	0_2_00B17C4F
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B0DDD0 push 8B00B592h; iretd	0_2_00B0DDD5

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\WdBoot.sys			Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Drivers\WdBoot.sys			Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\!!!READ_ME_MEDUSA!!!.txt			Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\Temp\!!!READ_ME_MEDUSA!!!.txt			Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File created: C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\!!!READ_ME_MEDUSA!!!.txt	Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\!!!READ_ME_MEDUSA!!!.txt

Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B040C9 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B040C9

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 7985

Jump to behavior

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-55875

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00AFFE1B FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,		0_2_00AFFE1B
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B49AEC FindFirstFileExW,		0_2_00B49AEC

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00AF15A0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,lstrlenW,

0_2_00AF15A0

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\.curlrc	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\ARM\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\ARM\Acrobat_23.006.20320\	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	File opened: C:\Documents and Settings\All Users\Adobe\	Jump to behavior

Source: QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000158E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: qEMUNx

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B1805A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B1805A

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B26809 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B26809

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B43CED mov eax, dword ptr fs:[00000030h]	0_2_00B43CED
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B3E735 mov eax, dword ptr fs:[00000030h]	0_2_00B3E735
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B43D31 mov eax, dword ptr fs:[00000030h]	0_2_00B43D31

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00AF4E60 GetSystemFirmwareTable,__Init_thread_footer,__Init_thread_footer,BCryptOpenAlgorithmProvider,BCryptGetProperty,GetProcessHeap,HeapAlloc,BCryptGetProperty,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptCloseAlgorithmProvider,BCryptDestroyKey,GetProcessHeap,HeapFree,__Init_thread_footer,GetSystemFirmwareTable,

0_2_00AF4E60

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B1805A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B1805A
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B181BC SetUnhandledExceptionFilter,	0_2_00B181BC
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B17E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B17E58
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B31F6E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B31F6E

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "AcronisAgent" /y

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B18288 cpuid

0_2_00B18288

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	0_2_00B16F75
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00B4C85E
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: EnumSystemLocalesW,	0_2_00B4CBE6
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: EnumSystemLocalesW,	0_2_00B42BC6
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: EnumSystemLocalesW,	0_2_00B4CB00
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: EnumSystemLocalesW,	0_2_00B4CB4B
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B4CC71
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetLocaleInfoW,	0_2_00B4CEC4
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00B4CFEA
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetLocaleInfoW,	0_2_00B4D0F0
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B4D1BF
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: GetLocaleInfoW,	0_2_00B4317F

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B18468 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B18468

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B493F2 _free,_free,_free,GetTimeZoneInformation,

0_2_00B493F2

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe

Code function: 0_2_00B1DFBA GetVersionExW,Concurrency::details::WinRT::Initialize,

0_2_00B1DFBA

Lowering of HIPS / PFW / Operating System Security Settings

Disables security and backup related services

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Web Control Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Acronis VSS Provider" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Enterprise Client Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos AutoUpdate Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Clean Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Device Control Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos File Scanner Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Health Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Agent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos MCS Client" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Message Router" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos Safestore Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Sophos System Protection Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Backup Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "SQLsafe Filter Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Symantec System Recovery" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "Veeam Backup Catalog Data Service" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Process created: C:\Windows\SysWOW64\net.exe net stop "AcronisAgent" /y	Jump to behavior

Source: ConDrv.0.dr	Binary or memory string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: ConDrv.0.dr	Binary or memory string: too long filename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B28811 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		0_2_00B28811
Source: C:\Users\user\Desktop\QyzM5yhuwd.exe	Code function: 0_2_00B29520 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,		0_2_00B29520

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	2 System Time Discovery	1 Taint Shared Content	112 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	11 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	5 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Browser Extensions	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QyzM5yhuwd.exe	79%	ReversingLabs	Win32.Ransomware.Medusa
QyzM5yhuwd.exe	100%	Avira	TR/Ransom.cmlzr

Source	Detection	Scanner	Label
https://t.p	0%	Avira URL Cloud	safe
http://5ar4vucC2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml----------------	0%	Avira URL Cloud	safe
https://t.plyXOcSjh%Z	0%	Avira URL Cloud	safe
http://uyku4o2yg34ekvjtszTestDrive.ps1hpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c	0%	Avira URL Cloud	safe
http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/	0%	Avira URL Cloud	safe
https://utox.org/uTox_win64.exe)	0%	Avira URL Cloud	safe
http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a	0%	Avira URL Cloud	safe
https://wwwC2RManifest.osmmui.msi.16.en-us.xmlzhtu	0%	Avira URL Cloud	safe
https://www.torprojecLYNC_ringtone4.wav	0%	Avira URL Cloud	safe
https://t.MsMpEng.exe	0%	Avira URL Cloud	safe
http://uyPROFILEszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c	0%	Avira URL Cloud	safe
https://t.LYNC_ringtone3.wavwav	0%	Avira URL Cloud	safe
https://t.L	0%	Avira URL Cloud	safe
http://cx5uMsMpRes.dllucuuxh	0%	Avira URL Cloud	safe
http://uytaskpane_onenote_cf1626b6cdd842a14c995bc7195cc9ca.cssrrors:	0%	Avira URL Cloud	safe
http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c	0%	Avira URL Cloud	safe
https://t.M	0%	Avira URL Cloud	safe
https://www.torprojYAHOO.COM.AU.XMLkuS	0%	Avira URL Cloud	safe
http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/	0%	Avira URL Cloud	safe
http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e	0%	Avira URL Cloud	safe
http://uypkcs11.txt7cvjzmnBw	0%	Avira URL Cloud	safe
http://cx5u7zxbvrfy..ghw76o	0%	Avira URL Cloud	safe
http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e	0%	Avira URL Cloud	safe
https://www.tpassword-hero.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
sni1gl.wpc.sigmacdn.net	152.199.21.175	true	false	high
res.public.onecdn.static.microsoft	unknown	unknown	false	high
tse1.mm.bing.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.plyXOcSjh%Z	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://uyku4o2yg34ekvjtszTestDrive.ps1hpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c	QyzM5yhuwd.exe, 00000000.00000003.3237528942.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3237431982.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/microsoftgraph/msgraph-sdk-javascript.git	QyzM5yhuwd.exe, 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5ar4vucC2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml----------------	QyzM5yhuwd.exe, 00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a	QyzM5yhuwd.exe, 00000000.00000003.3047734924.000000000151A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3049159863.000000000151C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://t.p	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3146754899.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3057586389.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3137175440.000000000156C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3059221702.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwC2RManifest.osmmui.msi.16.en-us.xmlzhtu	QyzM5yhuwd.exe, 00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429	QyzM5yhuwd.exe, 00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://utox.org/uTox_win64.exe)	QyzM5yhuwd.exe, 00000000.00000003.1885310626.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1846925533.0000000001520000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3145461186.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3870051484.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1821742997.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2243501292.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3330865366.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3363997024.0000000001547000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3456008694.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3598944009.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3646903498.0000000001594000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3141944674.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3692211307.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3145461186.000000000156D000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2284968073.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3456008694.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3388367661.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.MsMpEng.exe	QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/download/):	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torprojecLYNC_ringtone4.wav	QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.LYNC_ringtone3.wavwav	QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://uyPROFILEszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c	QyzM5yhuwd.exe, 00000000.00000003.3641052144.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://t.L	QyzM5yhuwd.exe, 00000000.00000003.3522111503.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.M	QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torprojYAHOO.COM.AU.XMLkuS	QyzM5yhuwd.exe, 00000000.00000003.3541829750.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cx5uMsMpRes.dllucuuxh	QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://uytaskpane_onenote_cf1626b6cdd842a14c995bc7195cc9ca.cssrrors:	QyzM5yhuwd.exe, 00000000.00000003.3569434443.0000000001549000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/down	QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com	QyzM5yhuwd.exe, 00000000.00000003.3303069748.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://uyku4o2yg3Offlinevjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c	QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3290591478.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3324184757.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3329328881.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3316563630.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3275527742.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3303069748.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3280396253.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3320791387.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3313388328.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3311974938.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266478006.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3246027854.000000000153A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e	QyzM5yhuwd.exe, 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3557059907.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3415248453.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3279099520.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3476882367.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3426194720.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3266722129.000000000158E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://cx5u7zxbvrfy..ghw76o	QyzM5yhuwd.exe, 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QyzM5yhuwd.exe, 00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://uypkcs11.txt7cvjzmnBw	QyzM5yhuwd.exe, 00000000.00000003.2537972549.0000000001591000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tpassword-hero.png	QyzM5yhuwd.exe, 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573982
Start date and time:	2024-12-12 19:25:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	60
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QyzM5yhuwd.exe renamed because original name is a hash value
Original Sample Name:	6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de.exe
Detection:	MAL
Classification:	mal100.rans.spre.evad.winEXE@306/308@2/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 63 Number of non-executed functions: 388
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.103.156.88, 2.20.41.184, 20.199.58.43, 20.111.58.202, 20.234.120.54, 52.149.20.212, 23.206.229.209, 23.218.210.69, 152.199.21.175, 20.190.147.2, 2.16.158.171, 23.218.208.109, 2.16.158.176, 13.89.179.12, 13.107.246.63, 2.16.158.40, 2.16.158.89, 2.16.158.90, 2.16.158.51, 20.42.65.92, 150.171.28.10
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, eudb.ris.api.iris.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com, g.bing.com, arc.msn.com, res-ocdi-public.trafficmanager.net, cdn-office.azureedge.net, e12564.dspb.akamaiedge.net, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, go.microsoft.com, ocsp.digicert.com, login.live.com, r.bing.com, arc.trafficmanager.net, ris-prod-eudb.trafficmanager.net, www.bing.com, fs.microsoft.com, otelrules.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, cdn-office.ec.azureedge.net, asf-ris-prod-frc-pub.francecentral.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, mm-mm.bing.net.trafficmanager.net, clientconfig.passport.net, umwatson.events.data.microsoft.com, api.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: QyzM5yhuwd.exe

Simulations

Behavior and APIs

Time	Type	Description
13:28:17	API Interceptor	4402x Sleep call for process: conhost.exe modified
18:28:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt
18:28:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.MEDUSA

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sni1gl.wpc.sigmacdn.net	Document.xla	Get hash	malicious	Unknown	Browse	152.199.21.175
	letter_sjoslin_odeonuk.com.pdf	Get hash	malicious	Unknown	Browse	152.195.19.97
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	152.195.19.97
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://docs.google.com/presentation/d/e/2PACX-1vQdSuwONgWFnuoaK9jWkn4a4T1fFD4ixA3V2X7f5aWnD4sHxk2b10z2j2TMxkq3G15FQX3bbwReJ2PF/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	152.199.21.175
	letter_olivia.law_mercerhole.co.uk.pdf	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	IMG_1205 #U2014 ThingLink.html	Get hash	malicious	Unknown	Browse	152.199.21.175
	Gale Associates, Inc.pdf	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://public-eur.mkt.dynamics.com/api/orgs/88a21dbe-0cab-ef11-b8e4-000d3ab73076/r/ITDpQP9xc0mGhZTOns8zcwIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fescclim-my.sharepoint.com%252F%253Ao%253A%252Fg%252Fpersonal%252Ftech_esc_esc-clim_com%252FEhAtf79h6jhPmHVrOq0G3zQBcIqaUIUgKKgPrxeGvockQA%253Fe%253D4LkyBM%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%220%22%3Anull%7D%7D&digest=w8KszEUMxRXpc4kyRepudGYpxF6dCJlj%2BwOvs5Es14I%3D&secretVersion=7c13c22c20aa46a1b2fc8b71fde4d19a	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://ymcajeffco-my.sharepoint.com/:u:/g/personal/rcampbell_mtvernonymca_org/Eb_PxgSrk7VCrlppYfmkXowB9vCdCR2cgdVG8AQkH7BcbQ?e=b9efJ2	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
ax-0001.ax-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	150.171.28.10
	6C2Oryo96G.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	win.exe	Get hash	malicious	Lynx	Browse	150.171.28.10
	RunScriptProtected.lnk.d.lnk	Get hash	malicious	Unknown	Browse	150.171.27.10
	dkarts.dll.dll	Get hash	malicious	Unknown	Browse	150.171.27.10
	1_Garmin_Campaign Information for Partners(12-10).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	150.171.27.10
	https://www.google.cv/url?duf=FbLLcAJXWZoeUZJIjST2&lfg=uVQGQao2QJuMH6TEkmpq&sa=t&fmc=XCKeeJBBTaVsgNFTQcDe&url=amp%2Fshairmylife.com%2Fkam%2FOATWMWQPC27P047EIPR32X/YWxpc29ub0B0aG9ydWsuY29t	Get hash	malicious	Unknown	Browse	150.171.27.10
	MHDeXPq2uB.exe	Get hash	malicious	RedLine	Browse	150.171.28.10
	https://prezi.com/i/wuualyitwcxt/	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	FW Tarala Electric Group shared .msg	Get hash	malicious	unknown	Browse	150.171.27.10

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.297838717780945
Encrypted:	false
SSDEEP:	12:u5RZUED5jM8uxLq/EYc54YnfXSL7yHbNmNpLXGDoWS3/Sapxe0:u5bUEDt+xWsrvtZmNpjKoWS3/Sa1
MD5:	A6E4243949DC31666C8D33717709C9F8
SHA1:	8FE573469125F30A80E1E38CAA438EB8F02BD00F
SHA-256:	3EC2474756E6C51AC524C149BDB44C910C7EBC8F4F52BFBBADE943234CEA78BE
SHA-512:	5FC4F01F864EE14242D2DABE86252EF6E81833F91912B4A448975F45CA24538D5B0F5924E74107E6FB0D068BEAC78AC0FCA652AE892DEE0E1BD5498993DC053A
Malicious:	false
Preview:	...I6C~....;..<...Tm@[1[Q.....D..{j@H..j...L...8....e...;.VJ./.h.7...1..s..x,.U.....C.\9X.:(....i.?...@....K..../.....D...q.h.FW...U-..2...MEDUSA..................yd..3.\.Ow.....h...d............Uc..d&.!.p..'................L...........[....E..0...{.f.i.#T..NC.....-.q.e.......L+....h.......y.....,B....c....~...sH.=..D.........)..3......$o..y..j....4.F...?sz...eh...5.....s.2....`.+ .#..7/...$.i.....j.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.297838717780945
Encrypted:	false
SSDEEP:	12:u5RZUED5jM8uxLq/EYc54YnfXSL7yHbNmNpLXGDoWS3/Sapxe0:u5bUEDt+xWsrvtZmNpjKoWS3/Sa1
MD5:	A6E4243949DC31666C8D33717709C9F8
SHA1:	8FE573469125F30A80E1E38CAA438EB8F02BD00F
SHA-256:	3EC2474756E6C51AC524C149BDB44C910C7EBC8F4F52BFBBADE943234CEA78BE
SHA-512:	5FC4F01F864EE14242D2DABE86252EF6E81833F91912B4A448975F45CA24538D5B0F5924E74107E6FB0D068BEAC78AC0FCA652AE892DEE0E1BD5498993DC053A
Malicious:	false
Preview:	...I6C~....;..<...Tm@[1[Q.....D..{j@H..j...L...8....e...;.VJ./.h.7...1..s..x,.U.....C.\9X.:(....i.?...@....K..../.....D...q.h.FW...U-..2...MEDUSA..................yd..3.\.Ow.....h...d............Uc..d&.!.p..'................L...........[....E..0...{.f.i.#T..NC.....-.q.e.......L+....h.......y.....,B....c....~...sH.=..D.........)..3......$o..y..j....4.F...?sz...eh...5.....s.2....`.+ .#..7/...$.i.....j.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.3231812353291685
Encrypted:	false
SSDEEP:	12:eMnMQkqcvBByyklq/ERU5Khd7SFYI3tikzGkd0BKAxe0:eGCkkP5G2YI3tikzGkdkKK
MD5:	8DBBAE292DCD09BC197DCDD679B206BF
SHA1:	9204B4AE64FEAB6011ED9EC131F1B220AEA1EE14
SHA-256:	E1199A9F9765E1DAAECC80DA516DC678E1AEF81CD95FDCD6FA719E0DD632E2AA
SHA-512:	953ABA2F20CECCA0F8C829124ABF54185735BA7F8F8DC9C49550696CD2BD58CFA5BF9D6053F500D1F0573433122102849FF4E298BBB78336066DAFBC8F5DA4A4
Malicious:	false
Preview:	:JW.._.G...j..L.9....T.Z$....{bbf.......K.........1.pA.....8...pfK..z..$....AD..T_........J"i(a.e~..%...8*M.u.%.@Q.U./X.h.....RFX.j../'FMEDUSA....................Z.....l.lP....8,.I........]...^..uo\|AO...k.~.]....5C..~A..$C.t...z..X.gn8.TE...'......$...v.}}.5..&..W....A.}.%wk<....M[Hnf...:....TI$z.c..^.n.....gn........D."7.........#(..W.\p.\..7.@?.J.X...o..._.........NsI...Z..pnl..W...IH.,.....R.t2r.C.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.3231812353291685
Encrypted:	false
SSDEEP:	12:eMnMQkqcvBByyklq/ERU5Khd7SFYI3tikzGkd0BKAxe0:eGCkkP5G2YI3tikzGkdkKK
MD5:	8DBBAE292DCD09BC197DCDD679B206BF
SHA1:	9204B4AE64FEAB6011ED9EC131F1B220AEA1EE14
SHA-256:	E1199A9F9765E1DAAECC80DA516DC678E1AEF81CD95FDCD6FA719E0DD632E2AA
SHA-512:	953ABA2F20CECCA0F8C829124ABF54185735BA7F8F8DC9C49550696CD2BD58CFA5BF9D6053F500D1F0573433122102849FF4E298BBB78336066DAFBC8F5DA4A4
Malicious:	false
Preview:	:JW.._.G...j..L.9....T.Z$....{bbf.......K.........1.pA.....8...pfK..z..$....AD..T_........J"i(a.e~..%...8*M.u.%.@Q.U./X.h.....RFX.j../'FMEDUSA....................Z.....l.lP....8,.I........]...^..uo\|AO...k.~.]....5C..~A..$C.t...z..X.gn8.TE...'......$...v.}}.5..&..W....A.}.%wk<....M[Hnf...:....TI$z.c..^.n.....gn........D."7.........#(..W.\p.\..7.@?.J.X...o..._.........NsI...Z..pnl..W...IH.,.....R.t2r.C.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.324669524188086
Encrypted:	false
SSDEEP:	12:Mb3/1mfINSf7E0NTWq/EWxGczKBhcZEdCrHBdhpTbiGiRdp/vH+xe0:MTQaSQ0XXI8idy/TOGiRdxvHk
MD5:	2F7869AFBED6AC6F854BB9418AA314BD
SHA1:	DA357CED50C227BB3BF3FE0A73537FC393816D63
SHA-256:	E484E4FBFD622692FA551A12FC9F42D507A79F30CB62F13969F72F8ED14748B8
SHA-512:	75046AC6B622499D5607DDF44FDF50E902D5DBE8512FA1ECAF7DA1796B8815B47162254374D0194E2225FB19093CEE9BD87603F1A91C4382D5BE88CD47595419
Malicious:	false
Preview:	..5.17..6l....jkR.f..bAV........F.T..M6....dL6.[R..iA\...L.&..\|g..B.CL.7z... .....AZ&..+.j.B..<......P....[.G[....i..".4.z...w...(.{.D.MEDUSA.......................2.+...!;.'(.. ..C....y..y..a....W...a..1.........~....@...a.....3.h....F.P..$=S..c;...M>...4O..,.n..(..>0e.Hi.W..t..-&v.xe.r.6......D7.H~...0..OL....n`....l.....B.6........L<`..,....y..x8........}.>..I$....W..B..........X..Ya...L..wda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.324669524188086
Encrypted:	false
SSDEEP:	12:Mb3/1mfINSf7E0NTWq/EWxGczKBhcZEdCrHBdhpTbiGiRdp/vH+xe0:MTQaSQ0XXI8idy/TOGiRdxvHk
MD5:	2F7869AFBED6AC6F854BB9418AA314BD
SHA1:	DA357CED50C227BB3BF3FE0A73537FC393816D63
SHA-256:	E484E4FBFD622692FA551A12FC9F42D507A79F30CB62F13969F72F8ED14748B8
SHA-512:	75046AC6B622499D5607DDF44FDF50E902D5DBE8512FA1ECAF7DA1796B8815B47162254374D0194E2225FB19093CEE9BD87603F1A91C4382D5BE88CD47595419
Malicious:	false
Preview:	..5.17..6l....jkR.f..bAV........F.T..M6....dL6.[R..iA\...L.&..\|g..B.CL.7z... .....AZ&..+.j.B..<......P....[.G[....i..".4.z...w...(.{.D.MEDUSA.......................2.+...!;.'(.. ..C....y..y..a....W...a..1.........~....@...a.....3.h....F.P..$=S..c;...M>...4O..,.n..(..>0e.Hi.W..t..-&v.xe.r.6......D7.H~...0..OL....n`....l.....B.6........L<`..,....y..x8........}.>..I$....W..B..........X..Ya...L..wda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.339586333812737
Encrypted:	false
SSDEEP:	12:06fEWVvM9EOY55q/E0TkQkP6SwV4uuNJjKxe0:B8WVX7mvT2P6SwKuuNJjo
MD5:	6A18304D73EEC078E02809412EACC356
SHA1:	ECFCE6F41A80D57CCA8B49EA0430719423EA52A2
SHA-256:	A635F3EBE57A8A076CF823787DA749F70873F7BCD8E61185BB9D4D23754D1CD0
SHA-512:	44BEEE8D9759E7111C04CF294895D2882C844652D88AB041BA3E51874842773DDE6DCD98617BD2FD7CAF12462DC0C71D6599988451923B02AFF313DEA523585A
Malicious:	false
Preview:	....1.>1..eJl;z.l.O.!.........ez]....iH...9....L........u.h.dA.-.n^......z/.`..y.Q...tc........GC.q..j{..........[.>.\.....d.\|6~._.[.MEDUSA..................m4"Q.J.!E\|r.....%.C...E...K.(.:......#.7.%c..o.`.=.p....Vm.M..C......7..$.2.p...]..l....~.V;.t..5..\|#.=AL..%..J..AE..x.25.%\|W....d[.f.....B..[".;.F..&j.,2=G...b!.\..^4s.J.F}.......T...g.AN~,..K7]ue.R..W/..ox.o/{.k..nX.=....k.. .WY..p.#r.M.2da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.339586333812737
Encrypted:	false
SSDEEP:	12:06fEWVvM9EOY55q/E0TkQkP6SwV4uuNJjKxe0:B8WVX7mvT2P6SwKuuNJjo
MD5:	6A18304D73EEC078E02809412EACC356
SHA1:	ECFCE6F41A80D57CCA8B49EA0430719423EA52A2
SHA-256:	A635F3EBE57A8A076CF823787DA749F70873F7BCD8E61185BB9D4D23754D1CD0
SHA-512:	44BEEE8D9759E7111C04CF294895D2882C844652D88AB041BA3E51874842773DDE6DCD98617BD2FD7CAF12462DC0C71D6599988451923B02AFF313DEA523585A
Malicious:	false
Preview:	....1.>1..eJl;z.l.O.!.........ez]....iH...9....L........u.h.dA.-.n^......z/.`..y.Q...tc........GC.q..j{..........[.>.\.....d.\|6~._.[.MEDUSA..................m4"Q.J.!E\|r.....%.C...E...K.(.:......#.7.%c..o.`.=.p....Vm.M..C......7..$.2.p...]..l....~.V;.t..5..\|#.=AL..%..J..AE..x.25.%\|W....d[.f.....B..[".;.F..&j.,2=G...b!.\..^4s.J.F}.......T...g.AN~,..K7]ue.R..W/..ox.o/{.k..nX.=....k.. .WY..p.#r.M.2da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\$WinREAgent\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\$WinREAgent\Scratch\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Documents and Settings\All Users\.curlrc.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.182495355368452
Encrypted:	false
SSDEEP:	6:A35GosCCmJ4oOIZhwnYbZRXCjnEdl74nB8SqSfwIWFwLJ83bgf0i5z7W2iD0:A35GCCm6oOohwngkEdl74nBTxwP5HMxV
MD5:	763B1FCC924532FB0392D888C03AB601
SHA1:	45ABD5F0234F71A2F9790D0CB892CDCADFECACB7
SHA-256:	2FAE8E36F1128223C5B899DFA6E8AE3A4DA7FE710837083FD685F1386E0D8806
SHA-512:	CA5A5A6301FF5B11C4A66F67171356380A7F50D37E00250304599D13E81C63C8712F99982A3D6619C54C082A23556584358C627F572B7DA88C07136C076F48AD
Malicious:	false
Preview:	i.{.b.s'0.V..MEDUSA.....................yQ....).L@1....O6(&j..HQh.\.....z.D.%..r.}..$..=.....r.(....P].m....J.......Z. ..b..b.o.Gto.:.F.....8\f.Q...(.~.])...^....cVuX.7Y.....$i..K..-}..i...N.A.....m.......\|.C.p......O...3..s.W...fi...`..:......Yg(.....t..',.b.....jdX.."....+..xc.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	520
Entropy (8bit):	7.409343790736442
Encrypted:	false
SSDEEP:	12:v3hYe6qiyLYwZksDPWQZqVBBoMwTfGLHrfDazmwBdtxe0:vxYeBtZ9DPVIyMwDGLLfG9Bdx
MD5:	E8D1EA92A50BF9BBBAFD5330C707B4A2
SHA1:	0418880D0F8C95A576015A790FB704D292C82D0A
SHA-256:	9239C28422C55CBA34FC9383BB937E5EFB6757DBCB46145E323C87A6E3272AF9
SHA-512:	0144F4A8A69D72D22E41BC3A3C41BBA202024BD3ED11A52BC7DE81B85C01AB8D892F8491603CBF0B6BCA76D1A7CC39C586A25DB943AE71F7382BA2A828E40843
Malicious:	false
Preview:	W.\|...1.7...$?.f.6.......R.Q^H.u._.......N...Y.kA.}.J..3..c.4.......$:=.!.G.{/....C.1?.a....~..8......fQ0Z.h....u....Q.... ..s.............w[....<..9.O...~].&r...[....MEDUSA..................m..eH9u...d....~...mZ..r.Y..?.c\..5?.zG..b.t....#......^..Y.!.e..\|............>S.g...Jp..!<..P.lc..7.j(mt.L._-{0Gq~.C..U...d...e..^..J.3<*....\...R.9..;=..._.VNT<..gneW..2oK......N5..].l.#^..>.R{.....7.....+#.%R..k.Ks.>J.,q7.wH...A...F..8da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	632
Entropy (8bit):	7.593201992792028
Encrypted:	false
SSDEEP:	12:bf2rAf2kWNW/WN6K2PIg6tVrD1oamJJhlOI41GiGJilEsuxe0:bfOAf2kWNWOTPgK6amLOXUJTs0
MD5:	87439D9EB195DBF96133F7579080F6A4
SHA1:	7A7350B9F469F49F8F003040906797C5897A8095
SHA-256:	84981B5F916A585B0A704F8B4C742AC15A22155BB41015F50823C5B03B643760
SHA-512:	09079B34DA136ABCC07E9829D0D7341BE58D2903B88F5BA3E96DB2BB969A8D147B48F55F7C002440851FB72872D8473644C74FED80C649A69CC25D723383137D
Malicious:	false
Preview:	.?$Sr..u.s..U...:..j.7u..e..04....G...5~..[...+.:.......`#..j.....6.-.d`.q.DrE...V{].Y3:{j:....I..I....]!.-.....,.b..7.uX.m.L.u.....{..D$H.E....lu..ZsO......YP .K.}..:HM.G.C..~@dQ.".......=.;...;.B....Q.UN"..:.....&......W]......_..]HZ..."....B...k.BVL).`...l]H.vT6..te..........MEDUSA..................Z....d1..R.?..I..G....T.nf+m..Xc......4.....>^....%.....Y.V....M/?tQ(...-....3h...&CYfq.w<...I..6..;z...$.!.I.\..V.A.m..0........P....[p.h..x..H...\-...Y.-.#....c...!b..]....B2....a=&...vGV.....Z..#`..;...nHm....}...IPQ..l~F[;#.....`UZ...da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\_curlrc.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.121151319148711
Encrypted:	false
SSDEEP:	6:/7HooklCuYnyuiDEkV4b9kONkbdh7PsTXkjdmp+J0At6Qh1f9eB5z7W2iD0:/73klCuYnyuhnb9kikBh4T0j1KI6Qhxi
MD5:	304E64B32ACD170C0B1388025B0B21C9
SHA1:	C55317FFDF99166138DECFF7B65F9508E58F6325
SHA-256:	624BAF4F4B98B4D7026F55FB65E6B0D06BF1940B94085E0754DDBDEAB5873B45
SHA-512:	33C5B765CE26560976E60D8A96DE226C89B495EFD9D6DA7FC887A85CCC1FEA7E5D00A79B5FC89E69DA90819D4A46601426183656589981F7AF460422953AD0F1
Malicious:	false
Preview:	...F..".X.&...2TMEDUSA..................,&.i....k.......p....1F...U.:~<&.Wk..l?.o.>..{. Z.A.......x.a....5..q....dI..G.\m...h....]bX.OPr..\E>.aGC..m..#.h.6.......3....]....w.l...]IQ..!>.n...~..(..v...D"...^..U].(..t.jP....gLO..9.N..Q.3R..*.oo......5...9...........q.i.Ln.D...........da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.60094468843169
Encrypted:	false
SSDEEP:	12:R3oFUPc7AK4E0McDYD5I7N++qvp9oV70a1Ek+nbBMjAmsXeaseJbFbM0xe0:R3oFH2rxr+9SWbBMjAzXFlVx
MD5:	5920729E412E2F000813BC036B0B423D
SHA1:	7C32663F50B077A23AF8D8D8B7670B3C298E9FFF
SHA-256:	73E03411F08AA43D7799E02B63EA30BC6ECEC08C7D9506110B7152ECF532CB97
SHA-512:	34B338BB79D6109FBED9834B1D75419822C17A9C2FA8441D8D0D47825118AA590A65E046216128CAB2AEF86DA2F93BF5AF7A99BBC59A49B53A0124E0F9006683
Malicious:	false
Preview:	1....I.i\|..}Y&[)..fd.pE..$.o.B....8a.."....039......?J..].W.......Ua.(...I#...zO;.._L...}......e+..q.e.?.[O\...0......./....x.....D4.9......:;.-......~..@..\|.is...G..u.,]0.[..J...01.i..u.1(.u.Jo.8M~.......a...A.s.j.N..x...cI9....1b+.]H.._ 7&.H..p-p..w.:............S...B../..Dj...JE.-%S...0..r...U.c?..C...,.....u.V....*.:..Z.p.E..(....N..m..$....:.......8.m.#i..#MEDUSA..\|...............w.q..Dt...2.'k.\..;k......_\|..P.f..Q73f.m....$l....o...,5TR..WY.99.4}Tr.=Y..LYu..-....N2._.qh..q...!eh..0(..%v...%W.".z...W....V.pY....([_.._.>...V.bpB..K.h,...m.......J...'.(....q..y~}p....L..;...4L.....(m.j<...$DO.~.IR ..:..N....v@.Ada23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.546518604806694
Encrypted:	false
SSDEEP:	12:C9UDUIQ/5BimFcm515qF96TkRSEbuuIHfu76RI557Am5WHXqSakwAT2AbtUPQwu/:C/IQHim20PqF9CqpbWfLRI5TLvybtuQ/
MD5:	DA355E4701456505ED05EBF927340BDC
SHA1:	06BD7F4FE5E0408DDE7F3464774F22BBAC128E04
SHA-256:	07ED5A2A78E291D2CA38EFB1C25B1C76ED363E7359CB3CE89A95FEE3E0EA0269
SHA-512:	2DAAD1DB516BF665D15A25E793DAC8FE5A43A44CA66192D9968A96B3C0D7BD087F11285A26FE20F92283858993D2421D29ACF361E324FFDE2F11B24052012564
Malicious:	false
Preview:	.M...t..o.l.U...'.U?.......K&u..r...o #...'f.,y....3,.R..b.12.:.;"]....nV...Hn.3.`..Rh..7.u<q473.q.[.;~0."r.&$.]...gK.6...qp...9e.........:..6.{..M..'<..=.....V.;.!..@........$xL2.+/.).SbX#.W..af......I..M..N.h..p..U)....W...E..Z...p....+.....w.F.I..Dxl`7)..<(.n.@.z..........1:.n..B$.D......f..:.'.=.D&........w...U....H`Rh....mJ....s.,....N\.....`.`...MH\..Y....6ts.AMEDUSA..\|...................Mex......]...-]RX.g....My.!.y....\|..91..[E...F".U...!.Z.....E....&/.d..e....\..g6..t.5........" ......Q..H>.@.f..T....M..>)o..D..........M..;....}]&...~..H.."..t^.U..h.I..Sn~.@L...Hp./>2..b ...i.....' .\|......es..H.W9.?..c.`%.Z..p.5r..t..dVda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.642351904657977
Encrypted:	false
SSDEEP:	12:s5rwLJkUZMhQcRJUIkmvFQO4U/jg3NGdma+SFAOF5l7nsCGzO+pGJdt1G5yYxwcJ:s5rMyhHJU/mvsUrg3Mma+EBF5WCaO+9L
MD5:	7F418944E4B74426FF531726F22F42CD
SHA1:	F998B47E4FA72E562DC47E31718FC14F870697FA
SHA-256:	D455F7CB56A6BBB34456CB221C0E6625267EEA100307D5C181CD06D2836D7578
SHA-512:	5DCDD3111CA9D8A785D1CF6624A3D70857009080E31B2298301AB53E990D6D74064BA6AC7F01023035A17092E2B07E0D19FBB6B0499CC380B23646F8DC5D5EE8
Malicious:	false
Preview:	..5...:MO...f..i..z....a....Q. .....\|..!...ZvgK......TF.-.hbB...5...+Y.......7[c<i.h..,f.`.^.4.0).9.....wf..}_.m.s...w....I..m.L..:O...r...L.....B...........%.1.-9.Rw..!.v0....."D.b.!SPGAF.$...WEc6.....rm...@.z..7...#.s......F>V.(.3.h..u.t.....\|$iI:Z.QS.!0sv..L.^[~...j.....M[....y......A..}I...Fm/l..z..bC...[.qi._..7.5.m...I....^......#..a.Z..=.......}..@d...MEDUSA..\|................R++...].....X.y.d...I.!..j.S.x..b8_.;..A..3g..h..pq{.#.,mz0.......d..L3Lo...]&ro..u.......{_..Jnil?...\|/...Dj.C.I..T5.Q6\|-..hA.........5i\=.6....E..Qm...O.\. .Jh..uI.+...V .ei...<..u"$.h.4.3c..>T2.0m...3.$...,^...+3O...M.Y.?.&fT.X..rz@./.;K..Yda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	376
Entropy (8bit):	7.08892343541266
Encrypted:	false
SSDEEP:	6:6Cklm/tEn7uxe2JW1615NzRLAOVizXf04ED1vbyi6k58RfAQBWj5z7W2iD0:PklWtE0Y167jLAOVov2jyiJ8RfTUxe0
MD5:	B419F3AB7A3D752B34DAAD23295E123E
SHA1:	F94D1F260C0387AF8E35096BBE97F3C35E77E33B
SHA-256:	32037BC628C2FD6C991B2968455B3191EB1C7EB87300DFD154B7EB44CE4CF8E1
SHA-512:	372642060C64CE78C2993454DF70F8C613956B4819910D766FF877E5B73792BF1DFE53B2F4BFD22CA7659D12AF5ABA78E1187FDF5F93CB8F7514220AC7A85463
Malicious:	false
Preview:	.1.1P.d=`.15A.~.K..#..\..../i.MEDUSA....................d..Mk.iO...`...40.z..j.2...Fp..$`u)..A.2......}6..C..`:&N5..~x.)6.BP...\&..@C.W..%...S%..}.l.."...s..<....;........\|..'...Q...3.&.......n.Q..[.-.z.s.k..`L...zG....L6.s....'P.X.0..@.......\....q....a.N...x...v^X........v...N..........7..... .da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	106840
Entropy (8bit):	7.461548670633903
Encrypted:	false
SSDEEP:	1536:jxefKlU2GDjRLwovv+/wxJKtdsa5ehA4n8/NH5LBrbwf1We:wfKm9P1wU+/wHKtdsF9Mwt
MD5:	DBE1ED6B9F402950924D17D8BD76CA56
SHA1:	E50D20C61205A249B09B2BCC78EC0C4E066D6A5A
SHA-256:	8B7B0A4A96D2E166DA0F07E5CD16C8560AB2EB404C1615594E3BB084D923FFDF
SHA-512:	21FCED630ED8C502D2355A860795FB9F69956F93606AE7DBA70D89BB2F3DFE7DD137345285B5A32ECCF75A8E2CE16AB9BAB18F319CBF7D9E2D61D912CA44F168
Malicious:	false
Preview:	.d.5C....7....K..D....."j4!%...tIl."...RA.....lM.....(.......K..~jGmc.V..1y..t..-ZoH1..m.8.e..N..k.f.b......xc..G....Y.}.p.._-o..d.tF...b\a..w.Z.../.?}d.c.m.7..-..@.g..;....~....cX..........2.3{..j...w.c...{.....g.9C...k.....".T.v......'.....$....06.G.,....ON.............LB....5!..b_.V.n6..oQ.....DJ...u!.\|...I...5..iK....%..7......z.[..%2.#f].P.$Om[_....2f..7.i~3.5G.@....}..@#HUS....:.eYNK.i.7;_Q.]b..r.#..G.....G.g...g..S~.f(.9...6'bS.......~D~...Y.L..o...%8e)L.m.r.W....t.).....B...Lz.c7.u.0...............;9..OU..q..><."F5c.Q....B..I..h).1..=..................[..o..p..6...r*&.c...X..h4a......{51.".....a./p.z%v........nK.#Z].G..Q.;..d$......w...A.._j...t....$.Cjq.MW.Q.C......A..G.....X.-y+.[c.w.ru>.x......OU..B..3.....cux.2..b..o.s.Q%...S.k..'..2.%.'.~..........8:.H.....u..#`.N.....[.P...E..T..(lGpV!..7.......`0......o......]8...d....{.....)..P.If.B....U.\|..B.M.q.....1......5.u..Uo..&..X^.gs}....L......fb..y .n.[A..V...+...5.`.Pf...-...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\osver.txt.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.066643238752098
Encrypted:	false
SSDEEP:	6:mPy6Y2s9KYpxJM9mfKgV9NKTQs0pfahm0i9DrsuBLJUoJlp/G5z7W2iD0:uY2s8YpxiKJ9NM3EP9D5/l2xe0
MD5:	0741BA2FEF8282A685677D2371283D52
SHA1:	15A0F385A4160726C7072F583D6E57D11757526A
SHA-256:	D3E1AC8E51174EB1D14BE7D559F3F9E68832D01A877FEE593B1F2A8B79625982
SHA-512:	F596DFFC97CB2844FE39601F982CE75A1F20F6CD69466507B2F72CAB23E493B3E9B3AE54D496B4B6C998E8EB1F596C7B133CE6FFC722F3CEC2B23F7E47CC89FA
Malicious:	false
Preview:	o..}.RU....O..&MEDUSA...................V.J..o..a."...5..r.-.[......Z? ."?P..)...7...*^P>1......b..Q.,D;..A...w...w4...M.A.....[..C......<.x...x!.J..Y.....-.6.<%)f..a..._.9.8.Ei-..Q.f..^.r....[...).. ....4)......o........A..Z..qT6...].GLwU.l......arm..D89..s}d..O..+.m8..".&...N.+(...da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	15320
Entropy (8bit):	6.485949561629572
Encrypted:	false
SSDEEP:	192:fa8NJtMSERMrws3SR9FBaVhRjuQEar/hbSRIMLCJR5y9KJw0AOFeu:NJt0s3SR9FBChRAUh2RIMLc5pLN
MD5:	FA79ACA98ABF4887DFED634C67F6BE98
SHA1:	DFF311B0121FEC3222528D4DF8A69DFBFD003AE0
SHA-256:	E334A8A5C16395454B76BD438D128284DFDBEB145007EC5609B151E28EC51F51
SHA-512:	E07079E007397D6EBEFCA7312BD6C8181C07582C0503D182BA5141D4021D91DF6BD17D33FA99ED46E6C618AAE3EA31ACC9D25969DD1F4C82C95F243FC1B1333C
Malicious:	false
Preview:	......=.3.k......L.L.....L>....W.N.....F...F...........0=..aIL/./.,..l.P..g...C..C.SU;.Z..f..R...'#)t...D.!.n.....Um.....t(....RL.....ZR.'.A-A!...\|...l.C.. S..[......MlN.N+t..k.=4..m+...A.^..661..@#.?...)..[e......a.qsP.k./...N...<..4LK.."b...:.......\.qZU.z.E-`.t@".I..2.... ...2(%....w....s..U.N..m.....(..`.S.u............d?.-#.m`...^......."U.XW.......&O.%....+..F.1.ua..q.Ux.....W3.p6e..f'.T.2....F.d.b.:.{...q..'>...l.l..\|...Q1......k...v.W.5..B=....v.X.N..Y7.kvk>..v+...+../......R@.-......+..<$.<..vn../.........0\|j.{....._...Y_.dw.\|..#..y...].;.....!..%.....N~....I......y....!..K.!..7..2..R!..]p........T..I.F .e..j.,..z....Yf_.Ro...Q...2. ...se....q..zl.m..G...9..e.g1.....T..."dmO.[..e..Z..e.....rG ..TD.l&.-.X...d..i/..`M..I..?.q?............u..O.....2.....!......X.cK.....8....2....o.#..7....+..4V....0t.....j\[..C....(....#....}..6?.......=:.L..r.\6".A.... X...-.S.......{J;..a...z).....^..D.....S..Uv5..V...\|F.k...X....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	15320
Entropy (8bit):	6.4805675865147
Encrypted:	false
SSDEEP:	192:O4Do87LjdiKSg+nR+vhRjuQEar/hbSRlJlXkstAj1u8:To4LjdiZg+MhRAUh2RCzj1u8
MD5:	67AAD1F42870602E503A8A8DB9EC2C61
SHA1:	07A44CA1DE24C66DBE24C8397057AA458CC0C344
SHA-256:	CA8ABC6B0452BD5CD00D64E54D4BADB3B8374A26A29B9CB9EE5C601C5B106F2A
SHA-512:	C9338CECBD5787F9CEFE6826AD1A80B0051AACF8483DA48B40BF3D2E691F66D4CDAD5DD7B710E9112CFB31AC6742BB1E93BBB6C130A50FFC3B7610C467826D9E
Malicious:	false
Preview:	...\...L/.z).}.....k....z4..n....V...F..#.........^F"Bg.!.\.'K....{..)6@&.&.......Ii_&.".&.){zl\..X.....-.2.A..cn..e.4...xi..snF.~.........4.....w.q..`Y..Y.yC'.a......$..da...J.&ka....iz..c......~.@.;...fnd..]O.Sa....o..L.\<a....Y.S.<...g4i?._.~R.,h\oH....K.5...9.Y..J.._Kk.`ie..Yti;u.?..A..l.I....#V....Q[H..q..KF...;.nS ....p...f...&.@........Rt.W%.%".9."99......M..x..)..!....yu7.~p..J.U._.ACSY.G.V%.LO)x......J.v........4;..2..J`.5.yh..lNQ..e......'.....x...O.....}=.hr=....".%.e....T9..=M.A.D...9...H..fl.^r$..KE....lS\&..Tw.(.uS..hk.Y..Qx...a#....Y..\....[.._^Q.d@.<.....&....<t.. ..1.3......te....(....t..\...:...A...\|.T}.J......:.i.x.T..s.6...L(.....:.7....#...K....#:l..;_.j...q7.\...".2.Jy4..Y.Z.V~.'.d%.,]b..d7eV..~R.sb@.A\|.....S"..i3.F.{...Q ..{..L.<.w........0...zJ...Oa..G.pE...d0.\|.....p.........5V......&..c"aY..f{h..S29(o.N...D.A`5.....6.$M%.6..s...5B.....J+....p......-U9.o...;3..Z.....+.r..I}...w.G....V...Ph..]...Y.........}..>.Uw`...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edb.chk.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	7.958740374594894
Encrypted:	false
SSDEEP:	192:L1DXx4qHBAT2I3+0e1DXx4qHBAT2I3+0iK1:L1xXAT2n1xXAT2o
MD5:	A6484EF468B0306DC77D3228769120B4
SHA1:	C5E60624E6062E6C9F631869E165FDDFBA21A969
SHA-256:	9D522F7562517167315A58D7E5454ADBEC3735D3E8260C2E41FCC9975B4D8709
SHA-512:	CB986E41855EB773A0FEC45B118BE9A196CE997AD676BFC8D8D1CA8A4F6230D06B514AA307955EED55C0DAEE14ECEA218FAF92D1C51E7FD0BFD435AB386679E5
Malicious:	false
Preview:	..66.........V..c.EB.....(.UpA...~)._./D..C..$.......5q.=:.....rwW..<yd....U..U..\|n.....hz..,i....B...?.....!.n.N...o.\.&...U.%.j`.....e..A.....>k....C.v...o..+..O...?.2..z.."..hJ5h%.-....le9.F..m.3j....n.N..\|..z....Z.$.^.e..Vy..w.d....s..[...n..}a...qZ.T.<.....OI}..4....Ev........O....%/...e=.x4R..P.E.........F.<....};.......+{.o(...S...8.by&..>....+.P>.@\|...i.i~.......w.......;.]?{+.....0q...Bh...s.....rVC...6..y....M..p...v.X...1."....F..5.(Ek.A.U..oJub...^.....F..........e.).]...yzx0.L...G...6l....eugq].0..T..Q..`........=...a._..(ArG5...6..s...Z.l..V.V...5..WV....\6...Ir.a.d;.5.M,5..z.Z_.P..]a..../B...I.EF.....9.;.+h.bP...E.%..A...goD....N[...;H..C.p...H...p.)..@..5..[\.-..8..#.{.i6.6.......k.&.r..q..8.l..Gc..+4V..F..}..D5..M.r'...a..H..e..\.)......lu.......HS..S.)..R.}.cq.....f......:.....n.....g....h,...Q......?. 8<.n.+...^i...PR.).B,.L<..v.6L.......$D..\+7..G3..ZG.zV.V\|K...1J....9.XaGg..o...:..tC#._.....E..S.8F.<vV.....%.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edb.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.5741854036849038
Encrypted:	false
SSDEEP:	1536:5b7nm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztak:RXC9lHmutpJyiRDeJ/aUKrDgnmG
MD5:	7A78E3DB27AF4436CF6EA62FB4ABDDFB
SHA1:	3F297206EB60882E61F3CE66658A3CE41372B099
SHA-256:	12617A66D5C91E02B4AA7A84C3C394A022F127F355658B0FD416E856C05B1F7F
SHA-512:	FE16D9037845565C4A28F8AD0DB21611B6B79CF44C49D57DAD033340576097A9360224033DF795D3AED5E84C3A2796D4F6B926FC64775332529BD866EF2426B7
Malicious:	false
Preview:	r.Ci.a<....U....A..;.&0.z&3....\|..Pm-?.z.=...c...._..~..J....lkXZ..Q.....?+..c.s...y.3..4..,.....AMU.-.u]?:_......)...=t.....-!...E..;.H...%?.z.(.L...a...N.~.U.x..t...g+8....>.....k\...H..o~0\|[%.....d...L.XMRZ.Y?......y...^.L..<.L...z...!.8...M...ce.c..9`W..v.J....]M.8&%....?.p%:x.....XF..A.y...^.1...M...\....W.'d....bv.$.<Qz...?.....k.(.cBG,.......;q@.v....-o\....y..E\.".).u.M....D....m.P2.{..4.7._...y;.8}..8)........Z.-KW..\|.. ..5.+,..l.d..@(...pZ.n......w..........C.e..t......R..%......=.D#.].$H.Vd.J........@.8.%...2Y.{O2F.j.h6I...q6.r....OF$..3^.M_a..3.W..0MJ.s...M..A...=.....e\..g........U.g.$G...z.A/ .2.?e..RQr..Q.K..4P...@...5.h.Dzc]x...7\D.._...............T.N..".F....=r.s.eTx.....q..JnLr..e..._...i]...s...g...A.^.......U.&C.......r.......r.#.U.....>DzM...TI.8...u?q...r.hn..-.6...y.]&o..v..k..8..^.).....'....R.q..@^.....T....@E..)....q..w...D.;.1e..X 3@.....8..+f..'...O..N?.....B.. =.O-...k.}........q3.y....b.am..!./._

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr.db.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.8041203563907666
Encrypted:	false
SSDEEP:	1536:G8SB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSD9:tazaNvFv8V2UW/DLzN/w4wZi/Zf2a
MD5:	4C869888E5D387D39BAB1AF332A9139C
SHA1:	C7EC66F4C284E2522414040C937757AB99B8341D
SHA-256:	135ED9F79B741221C41E854BF852D87376750DFDC45E5F202787A47BCC56D189
SHA-512:	36053BF435C41309D94FBB0678901BD8B86DE512DF1701ED203C252929809226B01869F656DBB4DCCEFB5BFC21A180FF514881770B7B0C1DF0D23AD3BEEC6803
Malicious:	false
Preview:	..9q<I....%-.`j1x.....6.p.%...9...&...f/..\`9..`Ho)..'...]x....+..._Ji.U'..k.&...,.....D.F.0../Q.^O...8F_.6..ms.VPM.j....s.t.{c..$V.S)H...!.....8Lk.`.8..\|r....'6..<k...Bz-...#.wU3..w...0..OD.........Pj....w.m%..=3..jyT....A....IwU....b.......j...7=..dO..KW&Z.....p....o_.G.W:^...&..Z.........X..k.I{...NST_..8..R.. .\..e..X..$...&Xf...N....Q.....}p.....>v.k&.....ay...".......].....m..,.$.h8.km.QW.?..).......<.Xj.V...........H&C0.ms..%..."PwP(0...Xm......Z.W..^s.b..)..VOS...r24$.">....Z..@....8.....b....y.!...q.z...;.....x; .....Q.{.l.....Y.........9.]Mmq.`.P.g.3......n...\y..R.>..^.c.F.h.mw..;Q..\|..s...0..(.X.t...D......o\|.e./...."b.`h....A8k.B.^?MD.s....y_-.ub.X..............Ci.%.T.8y..)..Ew..)..,....Z...ag.;.GO.K....tl.8.....?N....d...>..^..<.j...G..&s...``i...7.....K.0..B..........>....z.@.4zX.&H...A..dF..36:+..nV...a&....<6T...2<..Td.....8J...,.0...!....":f..M.*..._.0.....T.......C...H.b........c..].A..9..)...s......L......@l.2..G.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr.jfm.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.051595206376848
Encrypted:	false
SSDEEP:	192:ZzJC0SpMNzhk7Ib4SJNmLL3HaRUgp3e6be2hQJqWHUJy9xz7G:jC09z6h4KzHaRA6/hEqWHUJyr3G
MD5:	69C01714C96FC1F1617D2D18B161A87F
SHA1:	D9286A2A000656207175C25D5C6EF30D64D9BF30
SHA-256:	EDEE8F2D6955D5CC9123873179A4B4B5AC33C813676DAFEDCA0B7D0548C79C81
SHA-512:	280A2BD9C61B04FE4D23CB6032B791F914DF09C1A73FB9ABA809E3ADA8BD350C3367CFB7214FF4C33A202FAD29988D833D2A3C57F5881DCB8401D124CD4B1422
Malicious:	false
Preview:	.X}..j..h.GO.p.s..d8.L..E...v...'f.......O0...N.7.e.6....`..\....k..zJ.P'.;...z...<..5.Q%..+.B..A.d...!.,.[:......&.c...#.....l..7.....v..DP.i\u...Q.!....^..B.ui...k..-U.=.... ..n.............E.L.e...e..U...@E.%F.J..$.fXG\q2Mu...t...+-.....aG8'.H.h.8-.M7j.m+..{.D. ....mn.R.:1.....N...=..+..DO.<..@..%.......g...BS...Jba.r........@..S.......u.. ....@..p.A-^......R!i.b.tN9.Q.W...U'.#g..z(.fV}wW....7.8.u......1...^..6!.........p..x{...Fv#/.i}.y...cG....M`..f.,.....Ut2.a.....X....rrF..H.BKp..Tkl,...^..K......l....(.......NIy....$uw..W{..x.j95.(.@.,.S...F...m.Q{.0...p.v....I4.2?u.Q.,#.{.G5s..\|C.w.7F.-5....NP.x...P......W!..k......[..gZ ....qM....J..~..Xi..z.n!..\.}....h]z.+y.j...........?f...tB..E...x.v..b.....!.o$_...C...])2..D.L{.m.....[....c..M..}B...&..{..k.$.....^...*e..3&.Q.~.).GS.b..d...A...$^.0...E..U/mU.v..V..'2\|....>.X.]H'u.T-.+N..!..,T"...E4/,B.;...<'..U=6.#_.b.....2=....T.v&.....h.......O9....nL.0..C.V......N.R....sa....=....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppxProvisioning.xml.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	20632
Entropy (8bit):	7.013570234546262
Encrypted:	false
SSDEEP:	384:I/VjiVzZ5v6vkPNrNONUQPX40jLXqPT0/Ik98Qu:I/QVVkcPNrNONUQPX9q709lu
MD5:	A1C68249875F0B4BEA805D11ABE8E31E
SHA1:	6515953E5B778D22178632541EF280BF74D9D345
SHA-256:	AA6261E89D6B3D362054AA4962B6B3E5DD8393B754B9632731F7AA559BAA5C17
SHA-512:	96778E5BAC69310BDA5D7F743BBA587554172CE28639C440E553852BBF8DB0DF305EC3FE6BF11152B5D2022C35B4894A44EC228CD4E4F48AEF32EC43A051C51B
Malicious:	false
Preview:	=....-.."%O..3..<.%D.hr.!Q-b:h.-.t3....w.....{=S\|...x0..^.d.......z.?=...DCF%..h...s..9..eE......Cc.%#...T....(...V.%%H.X...N.......Y{h..b.>.6:x...bM.z[.f...Q=...4..!$.>.V..(....'..)..U.7..o.q...O....np...........1....... ./:-_..s.}..&.3e....{[F.I$....@...<....e.EN..M.~...~N...m....Y}..c...P..y.5.?K.Z.._>...vfm.C~>...v...h[..}..G..S..o.TE0...M....l@-}...\.\|....sr...............Nx...q..4..8...P..r~.>0....`...E...w.!(.\.r\|.........bi....(.@`K....Qb..f..(.q..GlD....#b..g..<.p..CB.V._........2.......19.X&-.%g..+d...X.h._......e..5..1Ng...Khmc..o7:.IP4\|.{....6X......... !f..u&..`...".....c1.%...$...d:yt.S`..O...V.sX.....,`.5...f.}./....s....r.z(......E..9._l.. .......he..'..`..kNZ2..H.....n,)....<...B=x..nVC.lB.......1._..+.CG..b.m\|.q.P...fQ3..i.....4.&......O.....5M..\kV......wM..i..Ht.P...M"...I\|...ew.n...Jk.dv.....Y..".&..^.+..G.q.\E..".T...C.....9!.U...6...Sy..Nu.G.3...F.yI.......$.v.8\|...5..*.....K.......HA.P......J D..`.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	536
Entropy (8bit):	7.472197035078609
Encrypted:	false
SSDEEP:	12:7tSbUC7xmo5TNHQhGISMMjIHSHSlzogrkKZPkS/Ab9/bz+xe0:7tBkZxehBRMjIyWzoBKZPknJHk
MD5:	BE78696729EE22FF32ADA0DEA9352191
SHA1:	A2A47E5F216221C734642429A28BADDCA8737CFC
SHA-256:	7FBD236CB0566D2910B74AA4719C5AA617FD10809670E16E3F952B8C650CCF51
SHA-512:	6A9DE53CE9B8EF1B40EBE5964EB6678D009CA6CFD518D534F4F1948D3329455D4FFC42A4FC809DD815BCC52D8D6F9CC74B96D4531BEAE3D7EC950053D1E567C8
Malicious:	false
Preview:	Fl.Oy...&...)..m1m$.Z7.4.C7......./...}b.b....,..q....D._..I-#M.=.u]H.v.N)...`....D...._...z.9,...v......0....j&'...B.#...pW7y.5..Pd.]9.N..XHh.L]....O.Wo\....P.P"qM....\|....o.S..;v.D.}..MEDUSA....................E>.(6.T..c....N.S.If.......Hs.....g.7U<=tB.......v..Q..)7^.....e..........Vt..fJ...(.1....A.).. V.`.k.wZ}....8gbZh....-#@.B...i.$~.j.z .X.4?+TV.qC67.RVlZ(K......x"...?.z.[QJ......>.q..=..Yh.o..*C)b...<.Y.D..r..j.\....=...f.......H2.3..da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	760
Entropy (8bit):	7.66060652840931
Encrypted:	false
SSDEEP:	12:rM5i1srBBOL70WzKZdpkJAgTuO44TM6+gQEyDgw/506+sAF2/NvV/boMOcrotiJ0:rDIuX0C6LkqgyFSM5/zhAsAF2/3QcrqB
MD5:	DBFBF2F804520C9098EFA9B2C9977BE4
SHA1:	7D834895692AE4D9A3926B140B17177C62DAC760
SHA-256:	93C9DA6B3DA0F36BA5E5CF8BC42ADE9880C66122F249E9F5E9F22B7FB8ABB8F5
SHA-512:	E4921350E2AEECDAEBB112AA9ADF73BCD1CC7BF065ED9E7662A591444E9B620BEBEC74BEF183AFEF4EF3AAAB590BA12AA9761F14D4FF8F564FA3402824E9D8A5
Malicious:	false
Preview:	..!.....Z......^..Vi0T.\|.."........./A.2t...b(.#.;%'..S.$/.C.&].....m..Er.,.j.......T...:NM...M.N.."LcK.....PT..d\...v.HY..o....;.'6.l.n...F..hm.gNY..(...{....W.39%l.o......!.R...K.$.[oZ..O_L^.+......d..dD.RP&.K.1..3.C.M/.CR$................y[....Zs...t..T.H.\...mM.3$.Q..-.g.....Z....^.,DU6R..]Hb&......$...SY.(...b.+...#\.Y4.]....@...vz..].5.{..S..a....J!..v.o\t.Q.)...m.l....g....%5.U.Ty=..MEDUSA...................Hfx...6:+=......ha1......L....j...6...~DWF...;.d.'X...W\|..4]...:K.....%t>U.I....s...~....~T).up...{...\...l[.D.....+^....XM......nBfZ-.....C[[..x.....3mx7.....v.......C..)&(.,f.#.Z............\..H5.+6.....s...@C"D....2........#...O....da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	520
Entropy (8bit):	7.417676082216234
Encrypted:	false
SSDEEP:	12:AWQZ/tl2rDz1LmORQ6UiVC9vGCHTwO0tsuxe0:BQkDlFUGClLHUts0
MD5:	B0598EE953E0BF0E67F925A402FEF0DE
SHA1:	5E375BCDB9FB5224EC861E543E028B5D859B96E6
SHA-256:	64A13D6FC6CA4F2794A17FFC9ABE58DF47B298C06025F2054A2223EBBCEC5E23
SHA-512:	82628CAC6524553C2D436CBA225505362D7219705737D04D7A2264639FB73D2067CAA61245455FB82C30BF5F483B37501CA9636456A0B2EB3108477EAA55F062
Malicious:	false
Preview:	\|.aA.XHA......Ez.;....T......R...\|M..`..... .&Lf<F...G..VZ....>..<..'..r..!...Y6.N..B..wS8.c.W..wKz...i...Zy...y.y....CVa6.....p..a$s..9V;j=M+.g...#..~.....F..i..MEDUSA.........................:.....h".HK..=J.SL.-).e~..]FOb.e..41.....F......H........)\|..=I.kR.x.f...#=...@S%.2...........r.OQ7[d..t.q.5..<....wdT/.*.UT...(..[Z...^;.cd...n? y...DF...V.9.Ln...'2.iV.,!...f.d_.Q....2......n.....:.G$}.G../mr`..8..H.......J.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2328
Entropy (8bit):	7.897933110971015
Encrypted:	false
SSDEEP:	48:2duqpTwyYZnvNEPPm6JU1HpYVrYM6ls8Cx:2du2T2NvNEPPm6i1SrYML
MD5:	AD213137F745D9E092CFEA007E6B685A
SHA1:	1822D9584955EA64B77464A3C4175E4B0635BF25
SHA-256:	5400AC3EDE93C9455FCBD320EF551DA41245C18BAB22134A63CB46197F3F0A4C
SHA-512:	DC55162697553A9436518274812B41BC295755EAD7C40C852C1494ED31563EC842674B20E7CB6BA07AC00F9DA9F88710210E7481D2A42449B1230B845141B230
Malicious:	false
Preview:	^..:u.@VG;_%..1D..`..Z#.E...r.%>!..aT(6..........JO.u/.....c}=....e...)....G..m.P.~..tQ.}.9J4..y..S...1.c#!wQqi....-..".wA.....f..T..U.....\|...0...OG;....@.e.c.....nBa..d.4....w_..e.....s__....rA....#..q..\|Q.[..x...m.7.H;.......lfB]e.B.e..H.9aG.4....v.}.....Oc.a.....^..z..U...V;A..H.........y...Qz. .fH.\|SU>Y&]...-..bJ....../.i+>._.._r..I....'..Pa..=.....~..~..R.7..$!2..a.(._ .W%.U...h...b...rn}...".1.kjE..L.T.`../...4^....!.Q_.e.b..!7.M.....M...=.-..".)f....=].{oG.v/..\|}.Q....Z....V...Q.1.%....a... V...ajzK..z.{N.@.\|.$.MP.#ar....'.......{.lK..E].g(...'.-..m......T._...3....l...?j4.<.:g..5VG.;..dp..`.....4.......`.I.......T.0.T.....+..o>__..$'.NS...>-t.......z.z.5..(.-...b...=...p2........"....Gk.L...kkL....k...j.....+....8..N..{W.E..@[;....D&6...Z.c.O5....e..Q....S..(o.?.....[H.....E..KP......b..S`..3\|8.J....`........o2...e.._HH.Xc.....w.g4..G.2z.bn.../.j?..[...A}l....d"....E.....CV.8.....\.b+%..Y..a.9.b...!......4.2..h..P.o.}..\|b...:...8tR.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	7.867950719745794
Encrypted:	false
SSDEEP:	24:3zI+5J+at9c6RNVtlLJYmAnv3S7sT2ECMF0w0yjfRke2aodl5kLHpuUnS:jg/OVb9YmEvC7rB401yNkeR8y1u+S
MD5:	B2A40D7ABF1493BDA94F1662D500E13E
SHA1:	00A61B48AEDC43889EE9C35E4E7173A265F42134
SHA-256:	A79CF11CD465AED0AE958D8CDDA47ACDC2D5C28D44687C7BF3A4BCAFCE822743
SHA-512:	17AD2128B2F008348B0BB5BECE9F8225DC4786B382F84D936FF8CE35AB26850BAF35BC79D6B8DDA60BA6940D05D189CC341CC8C108D24A453C72AD1C54AA8D39
Malicious:	false
Preview:	...9:h.i..V...C2....8.d_.o.%...p.."Ab.t.'f....2.-,..N.V(mv....q.VB..K..A.^....;.nG.f........u...2.5^.lQS.....K....{j;.h.[.G..u0.....zi.V...V.P.jm....T...[F...Y...PV.4x..._.b.\..:yF.zmL.I.F.. ..,.c?.4.....4w.(R2jy)0..9.%.&H.b....Qcf577.....zI.=......N..3.!..).j.iI.X.d.P........'..aO:..'@......fB....J.I...M.s..\|..}...K..L..^.A....>..r....-.....6M.v.cX..Q.$Oo8.Z.......D..L..@v..C..F6.W!.......oL}..;....Lb.x..O..b.,..=...<...}.BW4c.IA\|S".f.....Z..uZ}....~&..W(H..W.A./_..m........3,....,...sf?.q....\|._....,]7..3..+..Z.[C4r9dg{.....r.v.j4za..9..#...D..r,?4..{...HO<.@9&.%.b.".c.q....0...[[.Q7P.(.....lW..n =kYk.=j.L...f..6....o..j8K..d.........jJ.^"N.F.f..<sS.`v.S.0N-.}..q}:#....i.........E."..b..b,j.A..d.??I....@x...!.....P.[....5..~..6...^Azp....+.;cf>..i....Eq}..k5....<.io....P].n.)....[.Y_.G._...n.A'7)/d...q.x...n.&).5.U..o.=.....?.<p....4.\.Y,..<..].C..z(r\..2M<.n.s..C^J.tno.=...,.....=Q..h.......V.#8d\|....S...:...../........Fk!...p?

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	7.878009812272706
Encrypted:	false
SSDEEP:	48:bl7RznZHS/3BMdId4QskprYI91/LIIBTmIhCO+2NM:R9N8KdIvBYEXbh1i
MD5:	0E8AAA5A9A83029F72905FCE701856DB
SHA1:	C65AA704ADBBF72E0647615FB2CB8D054EEE7FE6
SHA-256:	B32F3BC4D94BE8CE0FA349F11E4CE2E4A906FDAFFDA3A120593B1DD4F26B801D
SHA-512:	CE286E17DD333B8ADB525A0DE12294F70FEB33536EFC70E16E04588B311184BC25D6E89EC9624CEEE2A938F9AA6BC4E095CE8D36DBDFECA78210AF83D165092E
Malicious:	false
Preview:	.5J.C.o...W.....w..J..u.Nr...".m.1.}R.......l.?r.7.~. m..?.\....#...u{>..#.}...Az...LCK....9^..d..PD.....2..Wv.KV.....^......"..].X...5.m._..&.....s...;OZ..)~.K.....C.D_\|z..3.qy...y...2j..p....N..-B...J.V DwR....M[...$.l.~A."6..vP.i..Q.ze0.fM.VzT.ZD.on...%`.+......+~.,...`...7._bO.......uX..:"=...l.....5...............$@f8...e.1v..:..u...T%p]..H...z..&.{VF..".\|..&.6$f....b.G&7...a.=e....J..H...Z....7...a......e..3^.e..p.....k..R....rla...?.\.g..#..q g..M...$l.vz..4.r.5l.[.a."....L..>....Z.`.)..........j...9.r......#r.M..S....j..8R.~.y......5'>... .+."!.j...,G.... .u..B....e.>.'..Wp@#p.y...4..l!;......./.....a\.:.vY=m....L<f......_6_..T.....].2.h.R.PV.~...p.J'...>;.........J..Q[-........F.8K.G26^6..4.....).....b...L.].vO.1.tN.N.-.............@...T[.P..L....V.S7...._..!._...Q6=c.A.hM7>rA.0...<o......W3E.....<......6Q....pE~.>!.....u].S_..+.P...,B#G!..-..7a.f.s...W.o.....s.............&.#.R5..83^.b........XN....IM.... 1i.Z \|%e

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1940328
Entropy (8bit):	4.988874488400142
Encrypted:	false
SSDEEP:	6144:92cbBrbKzK7Li695AD1okJmV8FYcyQqdufypthsy0vJlBm+gJ:9Nb1mOvbHARtJG7cyQqyOsy0xlgtJ
MD5:	BE1955B31F7CF77DE1D1EBA61FF10EB4
SHA1:	1AFBF3CF544A24BD9388F894DB6D1F8C3A4220BC
SHA-256:	8D01268EFB03495221CBAD521DFCD6F911042480E3F1D9F6398A902387025F38
SHA-512:	624120545F15B4EA22C8EBB75923829D1FB34804E6FB6BF50C1891DDEDFE120E8DE69B9F35C5165EA317C85E514EB3826255594BF5FBF9E1193ED6EA8B766F85
Malicious:	false
Preview:	..\|.5I....t3._./X..V../....... '.Jm...r..j..".....5...1.ob:.g...K..W.?f."u^...>....5J..x;.V....QWoR.p82.x.H.>.J=_H.K=Y.$....p..zz.....jM..o.....x.-..;.44r..F......$.....:.._`.?G..[...T.K......(..M..N.....M.I...&..iY(.x.....T..k0.....X.i.V.... .......4Y7.j..g....L;\|p@F......).'...a..=.q.d.....? ....x.......+F......{8..t......7.....7..\|R{..)...L=...}5...9C..v{.b.Z......Z.I..(.M...oK..g.(OpEKb...X...........m.7......Z..T...^.@.Zo.5A..U.........0.....<..q..._7D.1...K.DGZ{..<].q..........U.2g..O...@e..o.8,.<0r6..h....U...y(..<f,.....L9........).7EbA.N.G[......:p(@.{.t.7..#.PD.l..J.1.(.q.w.D...+9..xAJ....Wc.E._.B..C)...........].5Ms... .....&.......rC..\|.Y..\|..h6...4..L.%5....aw9....}..P...Y....Y.....e.Zm......v.H0]y8...r.<F..l...}..`....9%%....q.2G.b...\|..........8A...,Z.c..@.\....M...r......<..)Q..}...`....A]3.4.e x.$jCT.Y.ZiT-S?EY>j;9.H70}a..).8.>.k.2..Ual{R. ..0Q...,.]..i.\Rx..q<*.~...c.9..T...s........BW..8....;$.Zz2W7..9...NNm0...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	112408
Entropy (8bit):	6.599121797729821
Encrypted:	false
SSDEEP:	768:mNWvdS+hH6u4tc3BFtHfUzGUyhduiUJkmXTPk6xDBgJSEB0MF3xPSrZjDT8tXBcz:iW16VtIdU3y7z8r4oDBgAEB73wtrDPL
MD5:	E987C99AC066A700807C0BF2425A3FB3
SHA1:	864D88CA061CB77A9D00A1CC14E1D8282174A22A
SHA-256:	7D78CC36945658C88456312332154DEA52B09CDC835E2E05014829DCF626F162
SHA-512:	71B21D40263A9DDD12DAF0D6EC1F2EA4023FD47CFC5C71FA0BC32381277159D04F31B6DBC2783DCADB26485FF85442885ACFFBE4EEA6D62E8541246E251E3121
Malicious:	false
Preview:	c../...A.u...3..>z'...&.)^P..<n..?C@=.}...\|...$.........2}S......f....zn.........KhF5....Ysf.......w...f...h..z.gu...7.:..h..@k"../...;MM.....ah..Tt...~.....=...d.<.......].(&}%u.l6..n...1..p=.J._A...3\.s9.\|Y...6...<.@.>..]..4..CG....v.<.."....,.%...O<...?....D..g..Z".gK.......Z/..o.....Q..i......7K..{.F.5[.......=^.....t3.-.r..x.-..Qq...w...\,/......M..l.yv....".Q.Nx:..}=u...0gr.p.k.yA.....w.z...Y....W....iB.9...SV..).. >.....[.D.9o.0.T..s.7+..Iw.KB\.zpXi..\|..~..Z.C..J"_.f-w.6.;..q.N7..!...(...oiG..A.%..G.._..>>....}/...dj.3}...=.._g....B.....'0$jl..Y>.t. ..............\|..........H.B..\|.P.>......<0....I....N./V_.o.]$....=..9j....@.....^Km............~... .o...N...WA.y..yg..?....K..A.aJ..%..U..(..1..p...G....a..{...`..a[...{Y.4..gL....DcNro........9....;...p?@.C/E.%..e.......x3j......Tz....8.y..@.#.D.-8....+.1.,\S...7....;.w.\....t.[...<]...ej...bI..a.F.#...?.....i.1.o........&..(..}..). `G....'...-$y....`QN.U+..u....z...2i. =.:.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	112280
Entropy (8bit):	6.594595007156978
Encrypted:	false
SSDEEP:	1536:XGAX42WC6VtQyBhU3y7XC4c48vWEB738FCOr6A79D:1WCitjECzC4Z8vWi6COr6ARD
MD5:	1825AC5F4D795620BC7CD259DBBD94C5
SHA1:	5D7289577C4D45938BBF95C7CBE7CEEFD58A7A37
SHA-256:	4EE51B448922F7BFA4F1FF0E0221C7C22C1E3144E266838EB04A014DBD77BDF0
SHA-512:	6B8ABC0A92887FBB720A22F371DADDCE14A8D35BD80A1C85AB98480DEA6E61CE25E6926B1A139FC76CF74D9A1EB82E81A8EBD5B3FFFCAFF92AE1FF7F402385F9
Malicious:	false
Preview:	.au..%...q..-N.A.)aJ..ts....?....6O.j..k..d....@...e-~.u.Q.2Q..%}.B..@........\..6x.X.R2..+Sz..0..)XgCxT....w}...s..t...XX\..u..O.`c..!..ze.-../d.......mA...................bDr..A...Zc.Gt".. .....'..L.[u.?\h'.._1..2...EL.........f.XA....e.@.RN...>P...P;.2..3.\R.jP.s.%..I....?.Y.s.......YCb.9.......1 .Q.....;..>=..Dl.x#.......\..7n..../-dZ...<6P..S...).p.\|~A..NW`@)...C.O....M.<x3...+...;aq.E..Ph..\|v...j.D4....j.I[a.j...5..N...LK...$......\|.E......+.R\Qi..=7V....Qx...sj...e.q........eIN.jZI..i......V.@...........F.\|..lJ...I....`........6.k...=.{....].nl..d..4...Ah..a..s~...RD.s<.l74.....c,;....^....MR.k..n.4..yj.....}]..}0.t7..2..&.14./8........4_W6...V@5......r....<Y.v...2S..............m.9.&...9...D/..b........e3i;.W....\.LN+..N5MM..d.....;Ku..K..s`>...P./.c...nN&)...{....k\...V.mN...i....p.....h?.!K/.c~;..a_.p...d.X.\u.A..wd....,]....NK....r...........5S.K=.....T.xs....&s...o...QrjF.Jd.L..+.".V..%@..C.{.V7....(.9..0.."...V.Sz!...m.5!JZ...e.\|.8...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	3080
Entropy (8bit):	7.9264929146952765
Encrypted:	false
SSDEEP:	48:Nk+GO6vBNiaAVXAZ1G1NZJgzV/E5eXYAr5DbQCS7l0pZgI8qXgSXxMl3WrgE/P4v:NrGLZbGqC8Fr5DbPU0Hdr8
MD5:	1EBCEE57C557906059A86E3A0C453D4F
SHA1:	11810F5EF95C63689858F20160FBF3B870BE3BD1
SHA-256:	F570DEE80BAF12DFBEBBBE7EAAAEAF20F78C859E9FD21CF1586FEFC46964BB08
SHA-512:	6B635DB87B18E6D1429E6ACD94FBE5286018C9F3732D0D36B88E17DEEC8E8442269F63D0E1A62F36130D0B0D6CF0EABB0419D66164BBB47CC4F31BC12B2C31E3
Malicious:	false
Preview:	QX..hM./X)....MT...c....^mUFW._Y......1&IS....'f.XWn..i....K. .6Y6..H.TF..V.D"...w.h.M..s.%..%>......T-.J.(x.I.u...\..`~....!....T.$....V../.^..e......^p.........l...DT.ikK]...K&.0.3D[N ..._w.`}.`6.YQsZ.e+]..KI.....3M..(..I..........1..Dx.[}..xE...x....F..O......zyA.%.O.y...as.y.:.`i.qY'..+..,. ...H=m..Y+..i7...Hp.kk......._y......Ot..?.t.Ef....4.......n,;...b..,........p....r.l.&.\Y}..0.B...R.]...W.o;..LH`....%.....g....s.1.z_`.......N..W....z&!.p..j.l....!^._..f.]....E.@Zr.g..m.`o2.H83.N..Q`PJ......l.6...qf.F.8.%R.%..j.....!...n...&.O....-0>.TE:f.@%.....lH.W..B....M>X.. ..h^.RC....u~bL...n.t\..+2......w.B7J................\i6..@..y=......t...f..x.[.`D.....7..+.D....7;.&.........\``.J....}..`......I..).).A......7;..u.$.......K.....YE....fNw.....ZUn/..Y.KY.XZRY.P.[.@....2.a....u#......%WE.(s[.....f......m)a64.?}...9j...H..........y ...".S.P..-.!Z.....>.......'!:./.X~BX.%....-.....0>L..3..).:..A..&q.!:.s5P.oR...2...R3.S._..1(m..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2149304
Entropy (8bit):	4.928421951550829
Encrypted:	false
SSDEEP:	6144:CEDLBq0sSPiFLL1v0RPfmn4V175nHxndlY:CuBqZh+RPbVB5nHxnfY
MD5:	F9A4A47C729902A4A42353810CE96050
SHA1:	0EBE6008F77CA08C1527AE198639FC9573E3B0B4
SHA-256:	94058D3375CC5472E35DDD60F8F43C09C1D8ACECD706CA2485FF6279144DE4F5
SHA-512:	7657A003077D75AB80D5B97F118B0802C8C68ABE894856677CBB6D63DDAA7E2E03CAB98C1A7DF6808742F5284D1E83BC06FF108849921F18E8FABB325947449D
Malicious:	false
Preview:	`..}.[.Q.0..C!...4..}.W.]<:2!Z.L/...'.. QN..JW..X\.v...r%...u\.iF.s.[.[.rQ.../..d0....3L!..].....1..j....@..3O_....f......q.....~?..C.-x?...O../.O./l.j?I...Y.D#..7..9......./)..7.....D..R.[.."/..AC.........xO_..hu....X..o:w.G...XaN.x.}....dP.s...q. ....".......-.`7[}...f.~..?..v..l..t..$..D4.0v...i.a...6"!...X.....'.6.Q...+...T..Yr@.+%...5..-l.0]..k.VG..N..L.X.)......R.w.........q..h.v...........~Es8.x...~.....0.T...1.qX..n@...kx..[.....+.tO-. .B..s.)....d.....`..........8..d...j.q.I.,...=..Vf...T...9...hIX;..I.^...b...i.....:.7!.......*.d...p...l.%f...c.f......;+S..T.>...6...j.si.r6d.^2....w.{..0_{}W...:0...S~?....G.gp.q..}5..n.jCD...48.e%.FZ......_.t...e.U...I...."........~m!.< .?D..Y}.#.ezY.WB.....`._F=eN.....f...F:y.....@bt..$.)....L.Ic.=D.H..w...n........4..oR.s....=.c.%.0.w...Y$..z.z.B....,........x.u.....Jr}.F..v...\|l[EP.k..!.}-.TC......LD...[I.cX.....U..N......G..:...>T#X......../.3.D...........<}.7.'.....1..#..:.[....G..-5...>./.....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	392
Entropy (8bit):	7.196916071914694
Encrypted:	false
SSDEEP:	12:1FtsF47/63eKVADWK8wwPw8aw5+gHuxe0:7zO3PiK/wCwBwc
MD5:	D158235C5B622DE2044B22966FA6B985
SHA1:	FD2AC3242C105F94E127C0C7E71212897BB2A477
SHA-256:	69370BD9BD0A990957E32442509AFD08487D5B3732EF2AD2A3A7891DEF0ED9F8
SHA-512:	A59928F22AD801D5E9A3A2777F715D4BB74056295062E0545D204B7D1652932F5D0F13AE9BF61F817B79C478DC615BD2C81D3EF901816A90FBFD28720439F31E
Malicious:	false
Preview:	..7..D.......)G...v4.J..q.QW..^...._6.<..D...!.2MEDUSA..)...................'t.-....I..p..........o...L.l..7..&.....F&.d.).\...9...@.=o.....Fo.J...6.a.7...+I......p.xU.&......[:....QX..Y...b.,..z.\.S.....Y..t.!......x;..pt.QL....._UK....(.H.P$..<...{w...`6%u..j.$U...`..ac...A......&N.P.G......=:...B0W's....*,.z%.$].da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	33112
Entropy (8bit):	3.982698603812187
Encrypted:	false
SSDEEP:	384:TJzbVzRoFl7i84W+yN6cga8kC9HzAxy8kC9HzAxrb:TJz5Ryn4Wj6cga5CUy5CUrb
MD5:	E1A0F68C4EB757DBCA6568CEBAF56798
SHA1:	37E98C927E664E07FAB169CD053C27F4DF5074C2
SHA-256:	60E8DCEF9649A5F70693EC77F2133D3F69D1FD2F094E6B640FD145BC6BF7089D
SHA-512:	9FE472D46E2454EA273DCB5E4BC37CA56C442C8A724CCDFD24388F91188BC4A6A687F022BBCE7F813C66261952C1AF2A87D13AAA221EA4DB439F1955C6F3605F
Malicious:	false
Preview:	.H...x.....zl.j..])1p.9.~.^........P...q@.O.O....n........H...0....../s.i}..%.....]...J.hO@....h..u.f..$s.-.n.A;..1...OR`..D....S..m..~E.2.S.#.~.......l.o.#..:y<..0...5.W.u...F`.....Cdt..]^M...E.3..-....Ve......!.b.ng...Q....>#...:i`A..e).F.H......Y..2...Q.S....7.u...c.v.......+z.Wc.Qv^.-.....<l.......k....0...\....n.._p.mY.Ps...5....2..bX.....O..R+..._..O.i.C.z....F.%1!.T.1..D.r.re......".l......\|..C.g.P..W.J....3...j:.K.M....`..F.E:.w..[.V..m....J9.....x.,.x....r'T....{.Y.....@......~Z....[....(..(u..e......%M..;.........~...F...........#..G.V...o2.....0.p...../).fM.........WP.e.m.....b.,....,....p/W..Y.Q.d...L..x.kMe......D98......~.....X..b.....J_.1./....C..5......s..S...).h...D.....).l..\WH>..lA..W.......X...%{......L.QGV9......;h.S{.juq.....OP:T-<h...G%..Y.W."......[.....&H2.^.v{..../.^.t....GJ3 .nCE<...+'.h.zP.#.MGS.....e...YB.....d.^h!.ao..H....}...V.)...0;.....@........._.x..G..{....^.../.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	29016
Entropy (8bit):	6.130064221912058
Encrypted:	false
SSDEEP:	384:rADczdPyZ3YODkzn0DZil9nK6dZEnwywNIKADkJxGeGM4B4:rAgGDQSil/dZEFwPADyGeGM4q
MD5:	7DF52117E9CB6FA50C7A0205AE644896
SHA1:	47E4213187064CA8A11B5EE62BC8A2E3AEC6D5D4
SHA-256:	6D64CEAEEFD053621358F58FD252927500802AFE5DBC0C5A7E1D1A62E0A27674
SHA-512:	7833C7FA7888BD816D2D07EA0E1A447162116F34B9490A19B9B89F1F11D63311416CDDA1CCEEE98CAC384F1C8B1B24B1987E8332995159D6DF7DAB81AE46B920
Malicious:	false
Preview:	.!#...-.Fg...n}.. >.%X..}I9..$..9...GA.<O.6=DLU.Lp.j.A.uo...?&.Oe)...m. .^..0.B.@9.N=.5....#>.......]89.....Z...;h:.nL.26..0.b.S<...j......9A...s.,iw.3...O.,...A..S...$........L... .m..;..Edq~LI.t.ZJ...X...Hy`6..>M...i.....~..i...<.(HL...iy..I2T.....4%..:a.\.a6w./....bo...~C.b....U..aOY..{R..O.j.....S..y....Y...d..\|3.Qa..Ir.n.B.%H..+......0R.p}+.\|p]j.......EeI-.Y...../B...T._.0.j...w..[.T).......dJ.Y.cm..!I.[Ae.~\|.A...J......l...R#/$.......v]t8...%R.m.btb.@...1.9 ..=u......v.:.......$.l......Uv.y..8B..u........0.....v{.dO..+.Un..-.r...v.+..W?c1....e..(./.g.......n{.....4'..Z.n/....Z......P.....].v...7...1..a.._...;A..o.4.Q/.FeX...1.....\|...?V.@.... ...J.b6..n...$e.a...&M8...k..\|..,?.rWO........<....Z..>B.l.5... ...D.B.Y.t.+z....6D.>......W3OG..P..."..].^.e...e.u.......=.$...]._.1%.../m.u*5.^J#..z.k..@AF...p_b..h.....h.6%~.H.?7....I..W..uN..I....!W.0..~..f..t.e{.ov...^.6..".,.n.^.w....I.U...=...n.....Ss..D.`...3F.!P.GDh.....?A.C

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	365016
Entropy (8bit):	5.467710099379457
Encrypted:	false
SSDEEP:	6144:lnXVy6zScwyPxTqul5ZthY5METmRLu17Yq331rnj3q6d6p/:t5n6Jx8
MD5:	4D1DD247EF48DD58C82B5008243816EA
SHA1:	1F5CBE7E71A1C9525C936AA0389B0648E3E30A58
SHA-256:	BCA221BB7E77A21A2AF7539F3CAAC25AE2326F9C883F506A5E4CDBF42F5180A3
SHA-512:	95EFBB5C5C6B8186235ACD30102C887F86ABCA1C24B8BD05B7F66D9511BDCEB44AAD00B874FDD169F00F7EBD2DA6965C309A41402E5F0643FEBEA6B8512E6B7C
Malicious:	false
Preview:	..(..X'.&.....8....B.._.V...(.)Q.t@&.T...].......k......m.........t@..a.S...}.....2..F.Vg._=.....g..d....../..P.Cj..SL...];..A...I.......\X..w..{...!.....q...{..........XD.e.!...PO.#.{......^.# ..P.c..c>N.E....HJ......_.kw....<....w.N/.C...(g.:F.....xU#U..7....sR.X..."..l..0......d.....%M....Q.nv..uV_.-.^..Z..Z.. ...x.=.....5.......e..'.$...<..kv.FG(U-\|.Xs....9..E..?.!...br.M.?..w].U.}.....k=..p.?,S.:...P....... }...z>0jd...(o^.&...`...W.d.x...6..H.....m!.j....:..D....r.....}..~......@2a...)$'#..M......b../..?...\8..{......@_..W...".-.7..ZHCt!F...1..q'".@\|..CL..#s...8.H.m....[c...j....~..1..?.qv!.t. `:.~.1>.f...46......b.j....B.i..ZRP.R/....f..Ogz.W;<...<]...w.M.U...)..g..ZNj...$.. .S3.R,Cc!.Y;8......V.....G........r.f.$.... ....[.HZzPv1p.{.l..Z.gUDj..i.....g~:..G.^.q.......e.$...j.s../83.. ..G....d....uC.w...<.2Q...7...5..b@.m.,..\|85.#...mTC..E..K..rg...(v.C..t....X*I..n.@.....T..s9..C...@.f.N..}f.u3..=...~B..&.v`-..7H.5..\|..kM.@.i..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	13320
Entropy (8bit):	6.944127318420755
Encrypted:	false
SSDEEP:	192:O+WwxWHzeJhSzbM/v72ENtY53LZC7UBIYmt1/u/fSy51mcxilLKjNIsK6iVyu5Bx:JEHzWubMMNZJBIYmt/y5me5XiVbBx
MD5:	ECFA879C31EDE51ED2178A6D43EF72E7
SHA1:	B866A93880A13EED453CDD4A0781BA68E6BF3FD5
SHA-256:	38B9910246171E3184976159092DC0657EE63A88ACDE18FDEA4B0B127632B651
SHA-512:	81A17C72EB5FDA15FC2891E4EFE333CB728746E93644C06AB9BC517F38D5B8FCC5FB65689B3387AFA3781CECADF126CB684D6E1189918D76FF104E012422CBE9
Malicious:	false
Preview:	#.oj..j9}..F..I.I..........[..../.......^.w........Sn.9.....LT5.M..'9_...BjH.\.......m.u.tC..h..6...~^4(...1&.K.J.<.... .;......&x......4......\|.#..#tS.....t.....b...05L..\9....^7. ..2.....=Z...46....j...\|....8(.!.K.i....So.`..&..0.....=^...]83Q..U.5.........M...6.:.....].a...tFV.qe.....Az..RT.7.&7R.... ...Hf.>..J.....U[..W4:..\|.i..(...p..B.h...u...x.~.p..hZ[...V.g..w..H....O&..@z....B..'W0...?.{..'.R....A......-..07.k#n.Bs.!....Z`.yA.t..QvO.4}..&..4...l...-.QO.p.j....H....N.... l%U.Z....."X..t...z.)&.&:...}.S..d...RE#..Q.....-..~.0....[].V...$M.S=7...h......R...UM...~.C.J....@J.....\|.}..:...i.o......&.E.=.D.@;&...!...;#!..?.S.].qc1..Fm1.{...\|05.....u.......\|r.....`G.x:........!..w".....x.....k..Df$..!bB.Q....\|]^.%L..c........v...5...f..(.7.Fo..\|..M.u.PoHa.I.hy(...%].......A!...iF.nq5.H-.f.M.p.E.t..<.H8ph......\|.<..l....T.S....7..Yrs.h....ETF....:..1\|d.e..\.!........%..)x....jj.G.=..C.p.:.wE.VZ.cw$.._..c.=.1.H.J..l4.$T

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\wlidsvcconfig.xml.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	14600
Entropy (8bit):	7.060077474086633
Encrypted:	false
SSDEEP:	192:4xx3Uy9vbKKSHKsQ3OfY3LZC7U/IwKZ1bSvHSm5128Z1gKmoj1vBQIpf+1PXbFlt:fy9vuzH0ZJ/IwKZzm51j9f+NKFKbh1
MD5:	37B6195CCC11F63469C5BFBA3A7A81D9
SHA1:	50E6D39FD1AA6EE4C4FACD44D61C9DCA39709040
SHA-256:	5C4C7A070470FFA8E3A32295C0E739E73DB68449A955B84E71DD71F715D9895A
SHA-512:	AFE8FE8B0487E77F69996931FFAE787F9EBD6AC72258DEA05F7B9D5A59279F1B7F7B8020A38327D7575AA65BB22E7D34FB727EA41FE7592EA5898772F85D4B52
Malicious:	false
Preview:	#X......q...\|.-&zL.h".....zk..\..u...,.^.........\KF..Bc-.G.^s9j.%.v..oU.C.h.....RS.....mn....rv..%Ic.Ca.:8..8...'."...V.....Yd.#. ..$.N))...r.... (.....g..UY....{[.../u.t....t..M..!.7..P(K.G`..Iu....K. .ME..5.X!..;...3..&..c:..$.2p......4.),.;....>o..d..;...b.W...>3m..>...`.~P .,.D..-.d.S...=....Z..w..W.q...N...(&v.`$.QI......t.\#..H..M.Q,.l.....Y.I6.y...}.../O....?dA.EJ$..`.....Hq....?..;.`4Cs..r...r.:.<...h.".....X...<.%.....S..QV....)..<U..s.n.....X..g$..]..KR...-2....v`x.ea..z.e..0..B...{h-...s......HC..v]H.$.9.Q......'p....1W).eb..=.n{E..M..u....!H..r........Z......gzV....%o....a..^.%...7onV..........\..0K.[...q.....FN.w..I.A{+.b..-z"l!...AE..ob...........)h.qf.x&.;..:)...Th. R3...w..4......d.6`...$..@74R(..9..&.-........9...1.p/..Ypo..5#)Qb$..FT.w.k<....x.,N...844........qL......5[>xxGDRn.e..a......YR$.R..>...... .1......F..[.=.'8....,.....5...N_..\..<..e.C......P..uI!.q.C\|%...xu.....l0.J$..`.vw+...y.0.....Le.RT...........Ln....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edb00001.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	1.562769224049361
Encrypted:	false
SSDEEP:	3072:6LtxnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsXYsJoR:SNooCEYhgYEL0InkR
MD5:	3F3EA3F30D2BB40759548BE980BC0C22
SHA1:	4F4EC2AF37315890142C24F44DFD0016A8FCE826
SHA-256:	DB8353149737F521BDC4560DBA68C35EFF4FAEE835822308999AABA0C8839089
SHA-512:	09BF78F8515E8A502C84B3BD62779188275F9418673DDA547E1C881E4847CE65B3A45E559CDB1D80780B434ECD55BA4004A0D11E7F59CD824B1FEE39B524DED1
Malicious:	false
Preview:	.CL..3$".dyn..Z2O@..>..)...-<.z{.\|T......qJV..>.Tu[..+......7..h>.6........T...,.3.I.....y#0....!....s...J..0. .f....i1.j6.i......_.:.>b....e...w.J..).f,S~.<....b%JsY.\|.u.....k. .V...(...[g.....P.Xa...'O....Cm...v.E..<..xi..b.'1.....I."S.Fr.B....&.H...#'o\|....\|3m..?..........N.cN.xg........F....\|L.c.=.$...B...P.bC.H...B.........FD....`......"f#).#...X...x(.GAJ......UN...OB..>..~l........)..x4...p...2...?P..k/.9GTD..qU...kDw)e..te.l..D._.U^F..........x[.i.1..".5.x.# ..i.qX+v..a]........zf.U...Rp..C..}.^.DG...i..X..=....-.y=......F#6.}...4..d3.Q..F#....pp..G..U......sL1...@...2/K...yL.lX.....$.....Np...x.$..F^O.k-B!.-r3..:u.u..T..xh.......s`.c.p....2o..8..k..q..K}YNn."S.1.J..?x.....X.>AC.-...~@.H...BdI.......$nC.W.+ .k.........@nKX...K.....k..*-=C^=a..o0..{..yI5.T.t5..........r.....4....0....S.../..s..d.........h.H.D...Tu,.u.{...J..].<..%..h.O.\.....)...[9..\b.u..5b.KW..0#.l.'........H...9.....K.YB.5..l......M..s$.WY.....TX0.h.a...=.\|8...O....F..>.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edbres00001.jrs.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.1079003759840901
Encrypted:	false
SSDEEP:	192:S/Xx/4nvizBryZOpus/Bs/Xx/4nvizBryZOpus/Bm:SvOnvityZOwsKvOnvityZOwsw
MD5:	AA4C54D19565477D5F3E804F8482CB4A
SHA1:	012B6DA0133BDE3C83ACAFCAC06350337E1C1C04
SHA-256:	86516AA8834C3E3A8E433FBEEF257C19594F2C6BF7CA43BF9A2B3BFD8A57C8B5
SHA-512:	626750E7DFF934D1D0FA1C9846CC6BADC44CBF456F2C978BEE98601498D9CE7299C4A4CDE6A0B2BB8AFF923DAE1A20CD4397F63F3D683C5A5F8A7DC383CB7F2C
Malicious:	false
Preview:	....L1....#....p{2....u=.H..$.l...0.&+...GM..R.....n.%/.....<7..$.J!.0...... ....qW.6../..7...I..b....#^u..r...n?....-d.Y.{...U...,...3i.~.....%..G....G.$.y/..\`.....s`{.$.A....`t.\|..:vC.T..c.2NbJ%u.Uw....R....v.I......YQ~4..V...C..mE...84...].0.....3".......:.(.$..../7R.f.......w9{W.....a.X...t.2P#f.ih...5....-..AM.H,....(...W#..$.P.n}!..7..A&.]u$.^r.I..K2C.6.....H.;.S0.j....g..nz d&H%..y.........)E....1n....L......Z4.n...F..w......s.T..Fq....Kio$......>L...^....7.w...a. ..h.)..B.0..5.a........?....<XK^.....+...E {4.j.1..<..$&?E.8h.S..GkM......r..m#.g...S...@...g.Y.%..q...l.s+L>.o....O..$...t..A..pC..x..~.A...."...{5d)..w....5..l-....:.Tn.....r^.<@:.....0L....z.dh.....?......H.OSH..E.p...h....?_.=..\Cj..:9.....H............M../.....X~.@m........y.o."q<.....8.D.H".3,...g....K.QO..o.....,.Y.mv~F.4....Oo...%q...c.:.....J..^..C....A.h..X...O.&..O.. o?..bb.".Q..........o.&....s..Q..W.V.{..X.N..3.*....._.......3._

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edbres00002.jrs.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.10792275591905623
Encrypted:	false
SSDEEP:	192:xmBT5jK8f4qL2ewcnIKLmBT5jK8f4qL2ewcnIKhS:xmBTVzf4qRwkpLmBTVzf4qRwkphS
MD5:	125633E5013C73956AB8258F80DD5057
SHA1:	3F54A0673A72B175B6D502EBCA24CD1156053594
SHA-256:	FB892D3FFB8440D45FB7E3C033C05C6880DFC15C6DFEA032BDD9A5DEC8C2BD9C
SHA-512:	ECE890AB4EC0215FFA9ECC25AB073FDBE70CE793B2FB7FA1C1279A07654F2DAA2EA5DC90E7C504215EB6518C4E63EE5E9B7D8896BC680B9BB00CB8A93B6681E9
Malicious:	false
Preview:	.R=.<h.1e3..........93...I.\...Y..D.Z.=....o..z%.<..b.>.l\.diP.bX...[]jTn...s.l..M..s.!q..\|{.&Zv.(..".?.!~....b(.L...:..8..E.uR>.z\..x...aW.P..%,.%..."?. !]..E.O...5F....f.....[asS..%.......^.2.sz..[.[.:.......O5./.9vh.....V...Kk.N7.BA.2R.T~4V3P....t;.0R......./....3.%6....fF...:.......'......5.q.......[..C...L....9....+..Dd.1.3.m.j......s..^..Sr..b.....{.....n...;.dB#.17!...H....qr.R....Y1$..X.:3...d4.k7m.0}&O.++.t>..U8.\.....fg.RZ!>..Hz@..k..n.\|?.(i/9...C....'..jvn.k..5..<o.7...,ug.b...R.......5f'H.k....z..K.m..]#.T+.J..Y<.....z....6.....&fI.iT......!..H.j..$..R...... .....}..{2H.P.P..... ..)......r.G..>q.N.l3..A.-..Np.<...R...O.i...........q?,C.32jq+..j.S...x..4.inc-DS.G0!.1M..H/.u.q....:"G./.....a.....2Jd.~w...S.L....._tkZ.)o..9.......=\N,.H.O.kQ...X..........c..t....B_q'jP.:...X......,gs3e..4.p...........I.EP.....mAO..:P.)8N..Y^...J.....a...n.p'b.;r..b..j.z.T_.O..]..ZD...L..\|}<...A...~..$.\|.{.:../A.NR..+D...K.1.....'.P$.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edbtmp.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.1079564239582651
Encrypted:	false
SSDEEP:	192:JCVNzh70dISwc1Qn2cpGmCVNzh70dISwc1Qn2cpG33H0:4VBZ060VBZ06I0
MD5:	AC90CF7520E0B61C6B085B6BE2BAB9F5
SHA1:	DDE56729AEBC629053BEDCF6021CA526B2503C8A
SHA-256:	A1A9F56DBAE3FFF2ABB3BF761E8DDCDF19CF0C8705F1156B109AB599CBAD96DF
SHA-512:	3D6E7A386CE3115394D8CC93B424B33521447B1D71E94EABD0CB3586EE5EE456D6D7CC85721B30E5F61F67B3172BE105BD923DD9A23DADED31BD88606F96E7BC
Malicious:	false
Preview:	'.-...).C~..p.3.#P..!.;X.(....C.=......B..v.0.k.M.....R(..C K&..a...m..Z...%.{..\=.+.:.....g....^.Rdp.a.p...W...j~l].T....e....k...X..I"...s..L0.....{rf..>1...4C....{.....dc:..Kc.m#.%..b..V.T.B...@:..6.Q..o.w..T.Je..,..M.bS+Fg.F...V............A+.....I...#MC....(.Um.......e......RE.#..q..K,x.R.oBNk.....q...r\.Y.t...gp........T.m-B...o..-...T..x.U..[...i.>....l.J..S..J.].Z^..$.~..7.&.........~.....&UQl....4...=}...M.'P)....p_.U..o...}=...f....T.\|..HF..TTG.....`..Z.;rc.q.n..;...AErW.....E-......j.3.WH.(..J-.......sF`CS...u..#..T.2_.....!...%.xBo..ST.E..6...l$#pB.R...p....OY/...f..g@V......_1a.b.(......Xm..).3..Yl.Q.D)b...<.?.a8.z.+.r.j..&}..Af8\.........k.....]...!..R.C..N.R..x.?....m1.?..^..'.3..>e.....g.v..v.....W#l_9t,.....X..Ox.\.hi..n.0..pg.:.OQm.?.b...B.......'..6W.F..e.......&.1R..v..rd.l4C.y]:...L.~\|U3.,......F.....(N;.v.`..Z.0.......%C.....c.s..Wx,.R..%.v..w..Ic..].........@D..).wm.ob?.......v..Z... 2...{...q."j,...v!...."N..Mwg.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	16777560
Entropy (8bit):	2.1020966094637386
Encrypted:	false
SSDEEP:	98304:kLwrVEFGi+KLAFicQ8ZEHjem+xJRlkwNU3le:+mKLAFicQ8ZEHjem+fRlyle
MD5:	F914AA67B21DF5449A21B25DE0F935C2
SHA1:	13072239C77F428C173D29D4AAFB472891327D9F
SHA-256:	DFA39A6EC8FDF2A1B03D71338E3580AE26F245601B56CB3DEAA67981185B3877
SHA-512:	88D8522841BD4830DB6AA5AD92ECBD90A156826801B38791213F8A202B3920338579F1B710E691A90135D945B9C10A48684B6C4BBBB36D4FFA81C030A44D1E10
Malicious:	false
Preview:	.l\|l......'r.....k.. ..${.m.;.@:..).k...\|....>.....+I7..iu.B.9..].gd....._.1A........&....:..3Z.N...n<..V......"H.......dx....c.c.....e+.@..(._.z...)2......U.+.+....xn....C.."s.<`y.[.j.......{.........BP5.\|{......._#.;.r.6*S....,.<)....j.Nv.Ylg~..[..#..>Y.a.8u.[..81Z\|~....r.P{.X\|.&v\|u.C.5J..e.S.....r}L.FqH.M..m.}.{.J..H.._.z....DA.....5:$.d..6.:.+......T9...+<...#,.U.....lK.>\|4/......K\.....r@.U...M.....Lq..g....E.X.....h....k.>4...:}.Bb.=.n.MN.$.....f.o7..]k..ov.6.p.hiV..H-.....b....B.4....2cM.....5$........<7...^RU.e..`....u......e2&.@.....}.a..u87.......]^.t.O.:G..D,...7...m.b.VG...5s..jb(LUW,@.gB.mX.Pe.5......x.o..v..V..o....B.<V.z..E..mm..W..`...R..L.&V..E.Jr.)AD6.U.s...sa....UpX_.j.....$...&..^.......uX.r...o..."cIO^.uh.....Tg..:EN.......I;.....'..(z..-.L...hf...T....s..4...3~..I........EjH..t....A.!.l.Y..\.B?k..v....\4..B&...".W.W.]....6./J.i(...(.......Q').........V..G./.6..?..<-..Pn.,.-....x.i...A.B..t..$..]P......?w}._0.Fp.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.jfm.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.0910813977701945
Encrypted:	false
SSDEEP:	192:P7QWjMJ6jTk/bmyxBV4t2h65Ka99Xcvwjt5CEvcUIPw:P75jMJMwmyz7Qn8vStLEUL
MD5:	1B715434834627C5B8AD40371C2FF822
SHA1:	97B17EDAC153EE376CEBFEB092E86D4B53F39295
SHA-256:	BF487F33D3F0A8BE795AF75B97F1A5451434B6094B40CBCEEC274EA20B8B0A28
SHA-512:	7313427D45A144B541216E3110E8E02D15C2802CAE3B3845E6586997EE37B41ECE57C1D9DB0475E0356068428235450AD7B67C2F2C2BC64CADD9B9E385D69E7B
Malicious:	false
Preview:	...B......+..)..P.. .k..$2..t.h...M...."h..R.x>..........W.c[..s...II..b...h.%<..L\..S6.J....r.4....v.K...O........C..;,...q.9.q...g.W..%..+.2.o,...B..{of....3..r...$..c...9Q...W.N:.7."...}.]W+.d..Th.)<......#.......a/..6.s...t._..........p.Qr..j]"....a....v..i"..#.b.7s.?..Y8.e.k.%.9...6 .v.=G.%8.mYB.6a.~...^...._.....iN.......$xdl.....Vb.e.XZ......>U.N.1.g.S.=.. ..s.......8p.o....;o...FT..."B....(..f:~W.....!u-..#..j...c^._9F. ....0'....?....L...:.vUTz.d?..>.(..w..o.....P.@...zT......b.r....aU%.&.2...."....bhDb.Xj..o....j..i......,.p.1..^F...E.A_...&.........w.^...r9......%U.j.0.1#z...OI....A'.p.mr....8..:.,%@...v....A....i..!..#..{...]...,R&mjm.,o..b.L...}[.?g..'.....0.o7..\|.A(.y..1K0R.)K..`o..qy.F....z...n4...0..a{....W.e....f..3$7....{..S..j.b..L...........\|..MH..5.hu........t..P.......v}.=1.Z-....-8...m@%...".....B..f..........c...n.<!.m........4....L63;+.h.O.t.......1..;F....e...~k..-.Fd\.S...\|..\|....j.Q.Si..#.{._.....\|..m.SB.*.a....]

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\edb.jcp.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	7.957042790531482
Encrypted:	false
SSDEEP:	192:oVnqREwDIfQVsqkpN5i+UZEWYopVnqREwDIfQVsqkpN5i+UZEWYW:oyD2QHeN5iFxpyD2QHeN5iFL
MD5:	9C14AD70FF0068CBEDCA7A18029E32B8
SHA1:	F0572C4ACEF6C7855BEF213BC8CF223E568F6324
SHA-256:	1E0B1FDCFD482B541990A3E3E6C5995604A11A97A3B0E2F464D3A1EB0FC7776F
SHA-512:	E6BBFCE23F99D899711DB4AFDAEE7DEC21736138F65BF8814D617A4D891AD38FC56BAC653572F4CA0E86A72499DFACD6B075F1A2CEEB759381EABA48D14AC155
Malicious:	false
Preview:	..Z..V.....<.7/.......z".e.....w....R..]..uq..<...W..'w.%.Z.L..:...E>...aU..S[....]s%..sn-.....?fxf<.1y....m.l.h%...]..7........x...&.[k[.%.m.y...Rvey.\|.C.........n..BORkr`&Z....n......N....a.B...Kl.Rl......@4).q.2..'S..$.z&.\|..nsP.....l...p......&9..3.n^.C..&].e"...d.1+...N....<F......!u.....i.1{I..V.GP`...z...7a.~6o..pk...../w....u>...qV.p...q.Q..5....O.>3W`....].7"..z.\|...iSo.//1.!. e].o5D..J..s=.)...g..E\|.pJ...Z.....`]#....}/t1..@..<..0<S.].ax......... ...B..9.fP.}...ec..o>..$..n.".....X.OgwD/....5.v$5.@.~.T..F.........O.a1.....2>.2....I>..}..?...Y...b.M..5IOuShwhg_;......+.%.m......k..,).5.4Zl.....#.F.......d....<xO..6....O..g..e....%Q...i.....wx.Lpy.`>zrv.w.56..?..B.v.[......1.........a;\|./.U.}.......3....kC7..v.7.>..~.....c.,...w.#.$dz..$5.$.FNd.....M.T..Hc...-._..\|.t.fw..J..Q4.x%T@c..A._..J.....8RFP;...Y`..D.]...I.c.4..$.w..h...=..n..M..e.W.Wi=..cA.......MoH7....-PC....5..9 ../.i.K....jF+...(. ...\......E'.bJ}8....G.M~..e.^......

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\edb.jtx.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	0.21482524716535992
Encrypted:	false
SSDEEP:	384:MIVhuNStxJ5xF/82V5sUh50P8J3Ffp10L/VL1Bl+4gMbVb:MIVhznxF/1V5sUh50PCFn0NL1O4t
MD5:	107EBA6DAF4A36A42701F9AEE2077367
SHA1:	BB8A36A06401EEEB2BDC5C2867A4EF10CF3529CE
SHA-256:	64BF73F133EFCCC479BD1F09DBE9BD8C88980CB8BD771FF45F1A342CCBEB11EC
SHA-512:	BC8243D7C3D579827DD96270B65D8A7B933D2F9E9F87DDB2138E09891AA093C1FC13013708A21EA7A4206BC48A47628F34EE9CDF272170E18FA10D50E632C799
Malicious:	false
Preview:	..b.?.n.{.........g....:...\....Ur}....>...!.....k.Z...m+........B..F......&L~...5...6.g.X.>.\|g..ID@~./N..g.-K1...m.s.nJZ...d%.2...._1e.%...=^....Z..~.I@.d.8<.!...tq.....}c..U....h<.2=H..%....#......CJ64...!...p.H......I.=c.d..<Q..n.9.`T...l60..../.\xp=g..3...B.~.;...9.....es.]...Ik1.....Sz...^.J+...<............'.K.\|.5k..0...#.n^DJ..._(.....4...G..n..3.Z.\|{....)[..7D...^P^.D..g...f,._ ...4.....9'..a'\S..w0..\.C..b((.Lu.~i......Yr..]......../..d5.....0.Ym.K.s&..3,2>.`k......o._O.p...G-\|.....KF..R".....iZ0_..9..\...8B ..l..[.'..y..U&........Q.F.~..<(.;. ^..B.....9.....o......_..M.AC...H.N..U~...........8h......~;t..o..)......r..<....j.V.k....q...eV.....8l[.7.i..<..C.!= J.J.aPM.../.w.l.\M.iw...2...D.Hr.l.5..v..$&...Iq.....l..v8..V.qB.o....Wp....e.y.y..u.....L.b.x.P{.<x...x.6#..cxe.......O...I.....6 ......./^w....Z.>El.^y./F.s.M....(..0.X.U.0.s..Dk.\|k......0,........P.jw....gEA........@...6.y.P.'d...+..~..{...M.....5...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\edb00011.jtx.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	4.131958928945475
Encrypted:	false
SSDEEP:	12288:AKVjathnDnytIy6L60k/akmsGvZc0qkhXDd72Fm962p7ISW7rzG:A9jrhpyk66DW7rK
MD5:	3DC26C586C845B5E5E19DD798BC6FAF4
SHA1:	977287E6464CD19AF37198AAD3703D83DF6C40B5
SHA-256:	76B39D7410CD73CCF22E1429E81ED563938E2C23D35035D3A979FC4547553694
SHA-512:	2B35225DF20776B184940C0F540E3DE4422333ED6CAF89A2DA21C7CDD851E74CA138F225E82AF7EFD73B5307FE73F481EACFE006FA97AE1466D1E24CC49DD35E
Malicious:	false
Preview:	}.[......V.!.........3Z..fK./.:.M.7..k......L.c.F.....7].9..i.Z.p.M.v....&6C.n..d.AC.".....`9.<..i...\|.9...;u..7'R...K........4T\..z..p..S,$Q...[..a5..QoA*.r0.Pz..C.~^...P.rf..........b.>.._~.......D....}...F..93kG.........Y+.S.....c{]..,...>..4,x5.BP......y..~.o7..fS:...X...R..n".u.,d...2O&Y.>s.2..[.!:T^.M.a..Te..(..f.h;..-...[.g".e.d..............X.J...X94......b.Q,.=j....3...:.l...o0...j.E..0..0.6.yn.A.V.+I.(..b...$......YnQ4hd.P.1G..%@.../...P...z..o...).d........>'..Q.Ng`...6O..M.J>o.q`\|o.u....n.0L2 ....PD.....P&...dC..$.......Z'X>...b...y...h..M..._.l.F3..E4WG1...1].T<v.7..!i.@z.Q.....n.w..%...X.\|.nkV9..]d..8......M......Fo....y..W....2.LIY..t.6....y..;Tt.. ..w.Ji4@:..m6..}.6p/...\|.'K..<7d.Q_#..K..eBkWflN...-..;.0... 9.....#.%.I.....{j{.. ....4.{.o.H..sMx..!i...y..B6z..$..h.>....gz..T..?..J..'.pL..L..=.#..#.M.Q.O..#Nq.7.....^.V....(...d.0..y..,..^e...Et.N....N<.......g...y.jj5......k:l..S-.`F,....p. 3.}..\...<...r......z.}.)$J...0.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\edb00012.jtx.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	4.620902962550584
Encrypted:	false
SSDEEP:	24576:TldktDH4q5xXT3j9NxXPI/ZooK3xXUrcUtINyhzCFQMOiaws7SQxX:TldKDH4q5xXT3j9NxXPI/ZooK3xXUrc+
MD5:	93D9A5DD52D613EA6F6B3C8E3D09B96E
SHA1:	6B152F2E2FDFD8E10996C1FEA3818AE38EC6D720
SHA-256:	801AB5C226754109D2D6F8AD0E2A8FD07AE9B16D08AC2DCA401E34F857F836C3
SHA-512:	BBAE3F99EA0AF222A883D79FF8300009F877AD760F869A1B27404D1458E1A165596C0664C7CC3800ED3C6590892B695E1373384AF1F2A3F4D5FBF3D4FB7BE49D
Malicious:	false
Preview:	-.......FY.q...6b...K;..T).u.v.ve.c........{{u.G.4L..bvW&P.h.i.S...w.....3.....0.$Z"...P:....gE.d.5.3.kM2..>v.>.Y...T...=.R...>..P....F.\|l%..`..].X.?.n.n!9P.e.SN"..)...6.r.......8^.,.K...c+.P-.0>.o.E...E..(..?...{.....X\.....w.z..3=.6z....-.zc..P.........n..m.t..^..w.l.p..5.}.d...5c./E=BM.#.=..JY8..B.e.?-y.)T..-.$.`.V...b.G. ..Ul...w.Z.Q/".R>..M.I...#.m).0.M.......3iv..U.T....>iN....`...J_.x.`U..N.G?....`.....rDD..s.d.1';%.. ..\..d..h.)Sn..9~..E./.......U.BIk.R.Z$N.QhH.^....O.......W.Tq..Gf.l]x.....,}?.^F.j.D..........m....@1....P:....\..X..SM.a.........,..^CBHz.mQ..,-...2~.2?..0.[U.<.&=.6..+nQ..i.R...C.\."..(\|.u..0.......y....p..e.......>I3_a.Wy#_..kc*.v..O.uk..1+v$.u.}.U3..U.D../..b..K.`.M?.f....}.U..I...%P..E..+.. SE...f...8.1pl.c}.......S.....ku9V...R.So.....0...m.........vx.X........,X....z\|.h.3.?.+J^.5-.8&Mry.i..X/..ovIE....;..u.t.......q.(A..&<.M..y...3....[.s....Y'].c.....R'..2.h.Y..."Y.Y.."9... ..I.:.........i...G.k...K...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\edb00013.jtx.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	4.177294637400534
Encrypted:	false
SSDEEP:	12288:XhoWRrRTCEda74xOPcVyzQJGn0NqLIhDuRG7Q9aHE5OjIFCP8h2hQ/PXa5OWjQWk:XhoWtRTHlEVj
MD5:	3C6A5DF3B185B56492291CB9B2A125A0
SHA1:	57F17ECBC6FD8EFB3D25108F52F7577366C56512
SHA-256:	FD9A8313F97AF07B0C6DDF5AF7F10CECC0A712C34C4807956132969818475AE0
SHA-512:	929A601276520ED25C880ABD3BE2D52FFDFC6B99B06F923CD14FC6A6C05D0F5930630580D21ADAB671C0D317326EB5A27440FC0330B2CFA4EDBBBDBEF7BB4E42
Malicious:	false
Preview:	6...It.....(X .f...KmC.[.ao;5`..,x..B.I..v.E."Y..<gHb.B...."...?=...$+.W.../....:.=..I..h....b.R0A.-.........;.s...%..1.b..?..9.......oo...]...W.d:S^M.FYB.D)B.OO[\.q._....7.B$.i.E.. .T.......H.T.........;.....p.4.{.'....K.H.gM}.D.L.=.."..........e..^ly..D7b.).y.....9.. \,...D"WV.V.9.........9)/.V....?....,.n2...Q>..{..Q...R...E...EY?)...('.Z...u.H,....B.,.l.^......}.dz......0>..8..D..<(?n.......n..x..2.5.......[....#.bR:}.5N.v@Y......c.A......Huf.....X.<..}~..2..?;.\.D2(........Zf....Z.........A`!'.........yj..]..]L....h..s......I.YE...}.p0.-../.>...5.I....4..B=...?....~.Ox^d.....8Tx.........3O...1S@.i.;.....VM(..]...#}e)C..)..a..+@.?..(..+..S....7..[G.o.......FA...31.. 1..../.QKR<@.....!(..p.u..2mclP#DxX+....5....ZPX....lR..w.:i..Sd...vWf(Ef.>.......S(.0...)\|.M........\......H...:..!J*..7.....i.7..w.....?..N.p......#.....y8\|.}.u..]....N...>"..B...aI9B,B..{..s..F%^m.s..N!....s.%.....G_.y....1DH}_wh5Y..U3O...Q.............a..X.v.p.D..k .

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	1.5197815564221362
Encrypted:	false
SSDEEP:	3072:uwqfVqzyyrFoOeHQ63tHAs0OyiS8L0D9EToxEizyZ3dNVj9Ta8lpk:Uc8wQuDZVmNSH
MD5:	E6E23A561DF91CA930F97A96011E4E16
SHA1:	9EF6B748FB9933D7E3DAEB9B8E181B9B1BAB46DF
SHA-256:	5C1D8552D23C2794FFDEF4FEB672ED734F6344C4B260FF0EFF03D2574AD7F77A
SHA-512:	FE4312A5DD48F292FED3B99552281AC340ECA19D7A7BC8509C6B545729759C247328E8FE8CF078283325F2528F5058F688C240BBD7BB9F1508555593892378CD
Malicious:	false
Preview:	.6B...I...g..W.....M'^.F.;.....N....$..,B/v...A......V.......N.U..6v4.".....a...<1.jd.I.!.9.p.(........FZ=.....{...:........8...5..o...J....-^.!e...RR?......O.][.z..]..!a..&..G..do.a2.0.S..Q.>.x._..E.J...9..{Q.e...q..&.L...vbz.\...HQ.5U..........4y.#..e......T.tn.a...[M..J\...2.#.%=..H....`..$.......e...\|...!.kC...cw.,..s&..e....j..[..f..@;D...%..2W..C.#n*]X.....x.S.h5s'w10...qx.......eU........L.G.-..B.@+....$.P.O...V./.y.v..&...J.=>)..n.....k.Xm..QVUD..\|..?!.tB,.r]-..G.[. .p...,.cbk9Rf..^...FMX....SXS....j.7.....:..'7.K.Ew..Z ....9...!M&L.(.oM....TB.C.0..-.36.C`.f(.....5D...ed....Fh...M..JV.".Q..U.~G.N...9c...V....T....v..b...a.L.Mt..4..2.K....n..P...E..MF.T_.1.............%.r...z.\..~Q.h.....G..M%Cn;.i.......... V...h4].2s\|.k.L.....H.....B.9T...4sj..H~~..8i}?B %^sr...L..^.)..q.aJ.7.U..&....wd.......<.wk4-p.`....n.....W. .%........s..^5..^q.7..S......=.iD.GWO...w..%.ptgi...i........v..R.O.JN...9....,`'.C.$9G.>.........U..._].4..C...B

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	164184
Entropy (8bit):	3.04176129617769
Encrypted:	false
SSDEEP:	768:hEndBNOeQkaY0EndBNOeQkaYcOeQkaYcOeQkaYcOeQkaYcOeQkaYcOeQkaYcOeQ8:hyWeQ5yWeQweQweQweQweQweQweQweQN
MD5:	B9B013C16D6811CCB4AD3012697BC0FA
SHA1:	1266556CFBC68C80465CC251C0B885B6BECEB21F
SHA-256:	D64B4022B6A0FA591638A8FF4851335DF95BB938AB7581499E4587798B014003
SHA-512:	9F28F44A0A1B462721E76AE2B246762F39B99BDA799098150C598CD21422B22479261EACF358F42EE68A8207CE2A4CBB848EEBA5669A268BF674EF3E18DC3C6E
Malicious:	false
Preview:	W.mp./N....V.u.....N..a...7p$.;....._...O.1...fXW.N.Y.........;.......p...o.[........MV/#a._.....\|p.nQJ....<.3.x.4?l...D.u..{.e:a...zY.TNE]A.}.<..?.R..h....6fX.e....k.qn-.g.X6. ...,`.%.`.....%K?.\|.v.?.MjY..........6......N.....2.....F&.f..n......E.._...S;.....g-\|,\..`?/..@2z8.(..ZaGM....n/...J._....+..g...M....f.{.". ./j...GTw.#...FPJ..%.......Xq....j9.w@X...heT.r......u_.xv{B.F0..a1.S"..Z..h...I..!#.......o.&q..w.b..d.><,M......^3.7q.!)...J$H8.g.....BdCG%...m0....2FmU.....g..P.I....,...... R.`..%........R..I..p....69.......c~.t{...T......e.O.P.7#=........o.....U.5(..S..q-.....#08....O:.Gf3.0..AiR'..FA.Bk$b....5//.......JC`.X....]u)...<.....]...Y.`~......O./y.G...1..K.d^M...Anc..........@.......G.b.\.....;k...].X.N.....f".R....P.X:5.b......d.......w`..0G%....^..mL?.F93.o=.......^.(..4...#.Q...b...j.....q...LO.....>...8..c.../.V........SZ...)aq......+P.x\|3.(..VhYMPZ....},..f..g.!a.'....n.x..V.._......G.2..]*Ls!.J9...g..Z.U....x.z.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	196952
Entropy (8bit):	3.4403224804068233
Encrypted:	false
SSDEEP:	1536:y2a3zShM9KKAJXMT3sh3sUShzNNU/YiyDFqflt5E3sh3sh3sh3stu:S6M9KJWT8h6z4h3E888Au
MD5:	4E944B51EE775258F93DD00AF19B3D25
SHA1:	D3557C6411BAC30977E008A52DBD03E5471BCCFB
SHA-256:	66B415C361D8D50F6E642D3D1DA272B86B23213F18655F1DC3189A11834FBE97
SHA-512:	DB1DAECFE21E7FC714CAB27BBD00443A312A0D51674947084FCF4128F8A3D8C82C902E4EEC9DCC5B05804E1BE219AC88DF73304AB3BCA1C1511B6AC48BF9F643
Malicious:	false
Preview:	#.H."..@x.y~\|.Np#.L.uD<..q .W.w..DT...1R{..@..F..~b..vX.?x...P..UlH.Y..Uv.;.............&:.iB.o\|tP...;....a.f.....L.?...F-. ...j..i.^<........l........a.].j.nk...$t..... _.,..o.J.oLh......e..3..G......xX>.....:.E.=\./"..'.wS.....Pg.\$J.<.....?...,..,I.M,..V.f.q.o__..K.U#.1..~R.r........0..V..[v.C....F.\EU..jK.?F.<.m...9...Z..O...f...(U......w].P.....QG.....T..e....P..GM8k...WI(..RIA........v.}$....\|.f..O..%..u..jb../.<..G.Hv+}....j....)...}...y.....b..jF..w[...MC.jO.4..!H.p.T1W.i.G......nu..c. ..A#K..p.>......}&.."E..M.:0N=g.....V?l.aiaO.{..b.o^.N.. <..f+9[..o.......r...@.c.I.n... .\.q.9...3...K!~.cs...9..H.d..Lw...l.D...I......./.tj..5.J...H9y....5.>q.P...5Dycm......v..;a%.Y.]M3..O....0u...8l...Z.n\|~4.I....F....f.z{..,....R...D..i..'._..da....h..b.\..,.4E.-.=.z....^.g.FD..v...w....i..._..?.l..Y.~j....q9..Z.u.Vr.I@.CEw..s..o..i.kb@._...Hd*..Q.1x$..,mK..D..>..!#&sm....$...z...+......VMu&W.o...n.w....yX.......}s......k..7...".Wn.i`..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.046244321366311
Encrypted:	false
SSDEEP:	192:ojqSaQ3vFxhakSKZnu8Dz3ZZZ8m4AJiP7akxhDRyHKGcleJIwyPHeNAUL6v:3Sa2vnR/nx3Z8/4u7fxNRyjYlkLG
MD5:	405E4A6155978DB990E91192C4D6D6D5
SHA1:	58EB58917F5AB9710E834FFDEB9D0729CCFCF141
SHA-256:	657501FEBFDC2B874B2B72E8821059EB9FF3391EE25F930B388EA805E0442A1C
SHA-512:	A0F23D1F731E6829F3A811EBF751919353FA45675338EDDA84F05351AB0DD61D10EF8DEF5F2701C42CF0D1F1F0578218E332A5325E1D20DA67BCFAD0896EE5A8
Malicious:	false
Preview:	.O.......J..[.\|R..S.........-K.G.1........D~[.x...4A.!.=..9@3.:-3..Db..UY.;.K.."...#S.?....8.d.s..4.[.BZ"..h]{'.b..8A1\|I.m;Z...u....]@........p\=..)....J.o..2....".0.O?...}.@.\.}...d......5:v............=.'d.c..@.>.E.._...<.n7.$./.p.o5.....e..........'...D..wbH..nf.k....7C...<]$.d6..rU......5(.{'P..rbC....&....d.1..y...R..N.xCN.[.....$..K8.E.uJV..R...z.6...j,.a..........d.).g.F..%I..T.p.......{......".\|A%....s.J.....2.L.5-2.[G.!Pt.n..,.+..(3.D/..!i..>...z.....'.F...K.....fy.....F...2fY........f...t.....+..z.[.ih.].z@s%KG.Q@.....V}v.Cu....1'.....d/..k....I.\|rAm~.v..\|l..h.e.'...........B,D..do7.....]..f.r....=?}..X....N&u...d.iM...#..&]#^E.._?.u'..m.......M..]=g...;!9.~....d.P..O.s.UT..B.0..Peb.H.X)...(H]..-...Q.B...T..g9....!.4.......Jo.......w!A.g...\|.@T.v.-..2..a...\|.nGkG.`B...0...W..W.....Y.&....{..J.I.'.g...{;.P....H>Z.~..w..o...N..0.+.N.q..nb...*..."<y..\o2..[..4..:..."..[[M. .j..wMR..!....9...b.x..#a..>}..8e.~.Z...8s.o...(Cvv..tn..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	7.951878072967586
Encrypted:	false
SSDEEP:	192:TwtDmMmwN48VhG6CkNjzP9jsgW7WTUoewtDmMmwN48VhG6CkNjzP9jsgW7WTUoKk:6N48Vw6CyFjswxN48Vw6CyFjswl
MD5:	A543400512449FDC1F9E6D824364C540
SHA1:	5627591467B7AE1F7BB237CC54184268DA74D8B3
SHA-256:	37918C299AC08E59AB685C80AF883D1B92A8AD2BB75C5C9349A5504F62B9FDFE
SHA-512:	9FE8D8E568B1F34CC54CB366F28944838807BAC79E849640920C357298946189CB4B84B64AF33369E8E280343F91562F5062EBFB831B68564728DD73EB257A86
Malicious:	false
Preview:	.n..9.I.LD.f.+.6..~.4..N..6k..Q..>$..(>Qk....\|..[...0.....Cxf....V.Bf.!7.Q.x..(..m......DE\7..S .%p.'C........\..W...P.V5..c..4....-.P...).';..\C...$z.3._..W...H.._..NuDZ...,.i...G...Y....~~%...#v........O...w..\|.!.....:8.......kUX.pR..m.G...4.$.VO..Y}....V.6...m..a....Ff?R.....0C..A3.7B..\|.E..j.[..Y...h..K..U..X...1x..V.....k..U..f(."...f=IJ..D.z...gi..%E.S.L .....=1p...[....Y...h.TD.4.#.....3.y..J_.....N..cA?.T.M.v.9./B...8...(..{A.O..ja.Z....u..X....q"}pW....Wx.............3.a%...rN3.(.......k.I..21...u..^.4.m.BE>A:^............v............Ac/]...)ax.....Iq6#....9....J..W..2.n^.R.b..W......r...m....R....A.;..P....w;....,.W=........;......-.~..h..k..\|.......Ng....u.9mA...j$..ne~z.p........I.p..4P..RM......}&%.^.......v...K.....M:.&..M.I4.0(Yr....)RG....%............mw..8.E&5.SX.H...`2....3...72v8...&..T.w:wp%.\|..4Vtn^..z=.4E........Q....m..3@.]C.q....'...t.[...U..t.Me..M..Ep.x......@1.... wF.,..._Y.OA.i8d....Fl...`F5..\/I.5.>.Uz.s.G...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edb.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.448800696205545
Encrypted:	false
SSDEEP:	768:2BNk58j8DKaxuiF4CLHUxuiF4CLHUxuiF4CLHrY:o+5E8RxSg0xSg0xSgE
MD5:	85242B8E4A784701879F8D1DA6C82163
SHA1:	D87BA1E44BD63E0E979028A7E153502046006ACD
SHA-256:	66B9A7C08E2CEF35E35D2CF32A920A5D0F4A3ECF4CA441CD692D22930F5E7CD8
SHA-512:	F3BF1F959656C7C9D6E3337C3B950B021CC2A1ED36F87D746D0049A07B34145C6E0CC34EBC93407085274F6C6C0BF4D438E6CF59CC5129A04EE9F6A72B21E6DC
Malicious:	false
Preview:	}..7.....A....^.."./.L........8Cw.$..J.J.........9a..$.=.......Y....3..!.:<.....7...........sz>.u.QJ..R..$7.LN...0....\|.C.pE...n.v=.:)...L.\piW7.&.....BB.nsvZ.!d;...:.K.:(...Ln.....MN....d<..Yu..kX....#.....E.r/.C.'<..RiZQ.z.L..\.W...Kq}.T..O.....F1.[.-?.e.Z...b......m..1UK..+..-.4x.Y..@X.a.@}....r.l....t,.........i@$...7E4.g.K..m6uP..HHa.h....I......2.Y..I`j.W.9: ...I...j-.R..~S...>.%o}.0.........x...R0..Sh.....5Y...49.u.....U.Y...sN,.D.........K.PY...O2..iKv..g.>....k.\|.`.J...S.-......O.G...^...c.g...k..a...+&....+.b..G.W......C........(...2)......UR3+.s....C.......kX.....5d.j\.....1..lF;}.#..7...B(sZ.G.l..AD.u..O&6...(.S..c.-]....gD.K.m&....].\|!.... m..2....P....W.\|8i....J.GvIp.u.x.[...o.Bf=.F.}........)...P.tp)yA(...\...+..Kd.."!d..!....^zj.Hd.:F.....Y.2...w.;G`......[..d.@_..o.^..Ym......U<..Ti........w...=aN.lX.<r.....wa2l.98.t..#pb...5.X...`.w3..9.\?2-..+Q.s.\|.b..I[X.e....2............j.e:@.j.#.F.....M.0.ES.k..d.....1..H4...\.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	5.226236910527177
Encrypted:	false
SSDEEP:	768:FnPCoD2sTR1dYXQoRmoDopGw44ESQleoAnJro3xHFclyd6KZN+y0uL7:R52qR1dSRRtDulgSQllwIFcPkN+y08
MD5:	06F8DD7DF176E6369EA85E166084A512
SHA1:	7F6981E940F1525E31DE3B0625F16BC40AD58F70
SHA-256:	FAD18DF8F539B40FD18C0C69C5383734CB2AFCD5688BD91588E1B7EF18FEA80E
SHA-512:	D5155F6CD580F60E69EFFFC48CB31EE5598FBFC6A1C79CEB835C96408FFC1FBFE8268C83DBA88E2A372C76A0DF823C036D01B149B1FE3290CCDEA5555FB5E13A
Malicious:	false
Preview:	...Y.....+.V..0.su.T .......lR.e.W....\...R....#..X..S.....Al...Y.9`.w..t...fu.........=..z..T.o..f.x}e...a.}..?...{_+v..G0.......g=..E..R.,.l...e..M.......O..ZG..x.....S....FK...s(..I..o......lOL.(...HUP.^G...8.....dA5O..z.....^{...oh.?t-..V.:=.j.z...l........\.E.W.L.9..80#.q?..C..me.+....vM.. 8.J.2.49F1;..A..3.U.....W...>.My..~0.........1....z....w... ....BJ.s...7C<yDb.q..=7.m;.(..... .D..kk.#..6w..]I;..n..G.Z.....&N....W..8r^.g.LG..G&K.sN.E,2.".\|....`.4...8O/.).z0...)..o....c.uOTe.]....5..'..D.'........H......O...@.,..J.....]$H..);FEzq.-;.'..C...a....D.uL...w....+f..q..^.<k..D....A..(..@g..\|iUO.6Y..f...............m.H..V.]... J......,...G.....,....5.[....'-7DD.p..-.....)....J ..t....H..,{.....i......tn.+l.~.5D.'.<"?..>.....0...l.\|Y../..VxZK.<..>...).t..Q..bj^....Q..tN.A#..0....L..X6.w%.'.'G.-...BO........(......v..)bO..3.....Y.zz.pjY.,....O..3.5.."....}..J.~.b. ....@C...a....!.G9........:...q.....<....8x.R....4......4[.>P...s...c.8T....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edb00002.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.618605710494084
Encrypted:	false
SSDEEP:	384:ggHzOZc0W0HBauuTd8anCAkZ48A8anCAkZ48A8anCAkZ48A8anCAkZ4N:zAc0WPdWAkgWAkgWAkgWAkA
MD5:	9F8E94D7D6689AE91552B9A666D721AF
SHA1:	E6A596B62383039A1B8CC5B2B5F6BA7CEDF351C6
SHA-256:	344746657DAA739AB117C3C0B43B1CBD7EF06BAB6DE8C544DC365C0A3C9B24DE
SHA-512:	0DB23E00051AC2CF9C45BDAB43AC89A045559368366B6BF2842E5EB5D93DD45C3D4870504C6834718797BB2A6B2227D0699D89EE28C03A30572E690D2ECF185D
Malicious:	false
Preview:	.b.MC.....Q.X.j...S.;..T.....BA...E.$y...0.U....c..>.K..[...e.6..n..m...m..+$.AA...Q..........&<.@......&.1.....z^.....<G.w6TL.....v7.....k....q\..k.T&=?..0.c...f....:W!!.d!.KG..U......#.e....].....c.......>......B....:..m.!.....x..!..R.!.q....h.!+.z5T~).....7..k..g..n.5=n...V\.z.....NwD.R~..#"..D.0.RS..;GZ........7.T>.......f.zv......G..y..u.E..<..Q.-l3._......'Q..J. ..Rs.#c.g..V..k..K.3(Z...q...&....Y.*{...$Tj..%.._..D:4U.O.B6&.r...%........d.J.].,...N.;...}.bD.N.......n.g.p..S...d~`.z9y<..Cf...Q.t~.F....Uo.#..T...bWb..I...w..v/....3{j....Q...d....... I...KDER)..!s.CC....Mr.D..E.E....`...7..R...v....l....=..g.....yp.....\|.....>C_..q...^.U... .@;.:l....hT...t..n...nC,\.....C.#.dIp.T.{.....Ow.....v..0z0.....6.l..x.c..{bz..V..L>..J..Kn.F0;.X^.3..}.b.J<....J...(...-.#.......u.e:.t.p...,P...eb..,#}.n_]<a...\|......p_..H.;..kk.A.,..`q.....VR...[..........;.G..(..>15s#..Xnb`1<..r..8.v...b.q..@.W_V..m...m.u.t....@._.a...$y.I....M.g.F+....3.O..^...r.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edb00003.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.5442078972632367
Encrypted:	false
SSDEEP:	384:d9P+3E5vvPLyNNFrWExvxdDm7X19MgEuuA0SCcVtTAroToupCAkDuzEAC+K8hf:v+3M/SrWEJnm5HFuUCigAkifFFhf
MD5:	A75D75896FB3825E0A625E1CDF0917F0
SHA1:	FA661DA1A51B5138AABB293D71255BDD8893D3C1
SHA-256:	0218C926EA6965CC5396A03D213CD9BD270505760C8ECDF6408682B573DD2268
SHA-512:	9707962BA39803D494ADE0AAF76FD557181B02BD791829BB4571AE67B1920DFEE45ED8A03E59FC8F9B8F0BB1CBE2318F650E5824A8B4FF4C08BF61773F8A4354
Malicious:	false
Preview:	...m..&.5[....Y.j........S...]...\|E...ix..h..L.YQ........L......<..?.....9...S.~.p....I......X...P..db..K]t.L.vJ.....;.bLU ...O...YU...g+.@..l...<...Mv$..z..0../RAQ,./..7.p7......{...s....b...".5.(..dT..'.H....,.......y..zU.H^..%_s...vi.}.r3.......O7FUy"A..L..m...a....HL...c..V.........ub.M....C.LL_....U.... /.8..6.. jL.....z ...M.+..>.Y........-.9..3.F.1J.}.Q(.5......d..{.]......4....7............2..V\|d....<cxm`:..xJ....U.?d..@k....w2Ly..y.?..L=..T.\...y.3.. ..]g...@.&{....A....5......:.B.-N.....B...s.2.Y.(...9..7.I..l>Y'....y..J.HE..y'.7B.fI].\.._{....r......u..$\|^@..g.Y.4o.~.:.CE.?.@...O.Q..5...A..c.I....{\..-...%......]/.-..?wT.mo.......C.....A.9.....^.OsD.`.....%I.....]..".....3...).5..Q..6S....ar.l79..[.......}..ED.......2..A.......Vv1..N.~.4f..[t...=x.G\.a....8p..\|.O:..T.q\|.IOT.me..uJ}?...I.....VOk.v...8.).&.H.5....>..>.^&'.a:..3r.u.[..M.J~...J6....c...@.P.f.[.....@X...!..Z.......%...~.d. ..44...(K[..6....i....\|BVC....S...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.3963557990656703
Encrypted:	false
SSDEEP:	384:8rXqINDmIarXqINDmIarXqINDmIarXqINDmIarXqINDmIg:8rXLNaTrXLNaTrXLNaTrXLNaTrXLNaV
MD5:	83867094D265F1E3FC9FD67FECE0079C
SHA1:	C2C33D6DA24A5AE474EC615DD636551F060E103D
SHA-256:	ED941A69A8CFB49EA9E7D7FAF851D36D5F68699A7F77D87D76D422CE53777AA9
SHA-512:	73C2A43FDAE90B0F5625B12A2D2917B3A013C0575851E36C7AF28D4C8683C03E980669A80BA084F693831D5874A70CCED2839D56180644DFF07A193004B7881E
Malicious:	false
Preview:	^,.i$...G.I.....h.C.(I.O..K6...l...@...J1.... &..3.M.VY..&...!..=.I.....u..$\..~...8...!.E.....b..A...nP,..v..... ...9.cHP./3q.$.1...........jY.zs...u..6..UX.m.8.....0..7./Y.'.7......&$......4.>.x...).K...[.c....S..<.D.]0.-f.....>.....G.-h....LI!.<.g..svZ..}.+......@..\|.....-.i.t}...t[.-o...@.>M.........E.fB..........U+.....aY..F..~....%)..;%!.q..g.. .......E...+;.....!..9...?[..C65.:.6.......E.'`.....\#V..F.Q.mUu.........%......&r..$f]...:.XbGv..a...}.....+T.a..6...vu...G.~?...D..9.....vu.....k...kOM{.E..d...Q..4..ua.....8....a....w;..[DL........G...0#1..s....W.n.Kf.Z.R..~....\.SJ...}w.AO......Q..<...zJS..$Hr[..{.......0F...I.YP.YB...T..T.nn...f...+.0..C......N{a.......(.c.[...ui.8.... cfcpw...>s1<.3l....[...5Wz.t0.<.g..t.H.\...07...t...j.z{i4..8..5?..j)..x.......4Y ..@..]...l...N.&...]..UO..yy.&.^[.....mm...dX.._/...O...?.W.I.pTc..`.8M!..%../K..E..n..F....._sr....;4..yIOA...tu\|.e@.w..n.E...+.OX....k....V.@.5x....u2.c.{..u.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.40479341955545
Encrypted:	false
SSDEEP:	384:BJqrT813bjMm7JqrT813bjMm7JqrT813bjMm7JqrT813bjMm7JqrT813bjMmh:aTS3MRTS3MRTS3MRTS3MRTS3Me
MD5:	CD5FF861F17EBB652E156422CA8CDAD6
SHA1:	A640FC5452E91B5FDFE31222753BA0A2E1BAE2C3
SHA-256:	EF89A27F049AF480E1AD7801DD07AD7F96342689B3151BD8DF4BC0D86EA41A08
SHA-512:	F60274DEF16707C8966659E83690FF4AE8897E9954420D8FEB827F5CAA6D988337B7F7B2730836754D4A92CD1414E0B802F5B0875F1934F1C3F80746C70AB76D
Malicious:	false
Preview:	.a..s...J...z....R..%....."L.O.:CL-......4.u..{.N...^.k.)M/Z{`95B..k...&._..5.j.e.J{V.........z.$.U.K.6+..,+.H.Yoz.v9.r@.........W.S.5.~.tb....u.,.o.)...b^u.8....vq&.4OE.bG..Q...6.]..R..........=...w.v.}...D/..~3.1..;...^&p.q ..Hg.(...cb6.A.........t.....HM....z..;.r.Z..0................qf....\.a..Q@6e..BS..UOLL...)uc.6....R.F........ .3.E...!.&...8.E.Y..?.P.\|.A.U.R"F.........n...<o.....am..gi..:.b.`p....4...I.K.{j.....I....D...8.F...M"..J.>4.Rq.....G!.s!&<M....b....jB?...81.6"..&qU.._.h}..../.w.F...&h.h..@..4_.....A...(7..0.;..&.....gX...=M.#"\x.C./). x..+.y....{K..G.E..Q...4..2..Ij..0.....?>.>....U.G.8...).0.g..m.^.=...v$.......C.}...(6..O......K@3....I... .p..^._...%...L.?.b'Q..J...B..n.."L...yL..:,e..w~..X..9#.Y.Yf6.O$.qJ....g.A.2X.t.%..oX;\,.\.Lky"... .U...Z...J.g.......NN.4..j..bm.x...2O.~.2.....R..q~...;.>k .y....crL;...&>.F...8...'cJ.X.=.!d .@....j(.4.q.e.Z....56w....U...........D..u...y.m&....d.1....F......0?.0..E.QA..f.F@j.Y

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.398941454373217
Encrypted:	false
SSDEEP:	768:VHBFrk6HBFrk6HBFrk6HBFrk6HBFrkl94:VHbFHbFHbFHbFHbE94
MD5:	F1E651073D1DABCDFA3EF61E8A6C98F4
SHA1:	C29E0F53EFD59E0A3E4B15AA0BAB7513195F6B42
SHA-256:	360E95187F03C8B72C2A215F8F3B400622A487C53CE0B4BDF072F8FD284729E7
SHA-512:	B4AA647D993647C089C9D36F3114FCB327D00C689D729A68A69179C805BDE87B069E6B135FFABD698368FB1A40D19C0F5B8BB86525A3161289B26549F23FA199
Malicious:	false
Preview:	_..y.nC_Z.^.\..3k.O.c.R.:..`.#..L...xM`...t.c...._...\|n/_...`..V.-lw3i..Y]./.;..EA v.,.9<#4.3.O..\{D.T...Z&$Xj.;D.4.A..6..}`...L.w+./.^....Oqu.H...k.........fQ..A.qo...,.$..l..u.Ck'9Y\.>x{G.n........(.}.?.n........A.IWB.1.hT.+s....0..M..!E.t....../..'p.J?kF....Li.byef....5.zhUP.......@...v}."....!~.\|5t..d...[x.!..z.i..V.yS+^p.."G.B.lt....#R....#...@..+....z.i......u[@...y......l...[.'d...........$.k.. ..EL9e.$]....,!.j.B...`..V.#"k>..R...o....vD.J>L.:......... .W...Y.....'...}V....~J...&..Py..I...a{.j,....Y.IOh...3..a\J.L.qC..{..0L...h.).m..%2..=........a...J....l...UM..M6-...zC.D..FTIt.z.A..f.&F.X.s2.A<.-......L.Dto.Q.b.9..9...i..gXJ3~y,..@..i.^q...w.Z.Ao.?.9...1Hl,j......?..`..$.1..1$.66.D.....);.......Q\>..-.....;....\|~......-..>bl.U..........'. ...U#w.({q....hH!.\T..Rf..L.......=.L..!"d...X.\Gf...X..Z..\....K$j.D.*......8B.J.~(.....r...I.o......\|..5...P..._...p..G..'.8...%.~.'.]...p/...v..>B]..r}......E....#47....i~.:6.eM......&$.."5

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	602520
Entropy (8bit):	3.077710085003342
Encrypted:	false
SSDEEP:	3072:kJ7B/B/B/B/B/B/B/B/Bmqi0k4562ZK8ro4KWE5I2XB/B/B/B/B/B/B/B/BV:+u0X62xkWET
MD5:	22044DDB13D444FBEEED854BF1EB194C
SHA1:	B54E730E2C374D7051A2D88C2E44364A6AC86FED
SHA-256:	2D54BD842FB9EE2FEC36D564E884F3DAACA70EA4A560070F2CF45D37F04595DD
SHA-512:	1948305455968AA30674E74E1394F1B2F1FFB04840F1BE564729D4BB93276EA47870E03FBF84F31CC066274FBAE6F059F2531D539B1994C83858AF0CE671687A
Malicious:	false
Preview:	~...S...y..\m..ky.Vt..........\|.3;..V...<.(...P.$~..+f..H.P...;t.4.d..........]j...$..P5.9.....{.\.._h.U.7RBk..5..#..u.6..!...fe;.aV.h.NVO...j...g.Z....v..^....$..j..o..z....u]Td.SX.[@...9.....Ll..rGAK........m...../...T}...T...}..No.j0..RR....E.q..c&m.WW{kG.....e....'9....+......%..i.r.Q. ..o.j`~_[.r.3]...Qu...n...)OL.O...3.......?%...^...>..F..5.C'....D...J0......t:(.x.dG.-........qG.H.....4.w..$......P..^.J`v.v.....fp....pz.P...;].>.y.:.I2...Z~n..X.P..]TR.....?...8..}=9._.:..{.hI.`.v.)=...........)].".R..!..6.DX.]..Xc.S%y.P..?...L8..}.....c.b..b8...&&....~... ../....hJq.1..r.q.{..cr.+..H.<m!.>`\|..(.....".^.W.=.E..L..-...f..us..aQ..t.!.uQ.;.....;%...ht~Y..,...\|;..3=.=....DJ>.Z.{.% .7.:...F.\c..\).....{...].^u.:..&.:z&z.VX.E....~..FI....I.~.s.dBJ...d.......7....h...\.. ....}e.n....P..\...9vQ.....q2.FU...:.._C".Cr".v....`.z:`..9....w1...-.r4E\L.kh70.X8o.....B.=C@..3T.g.....}..Y\......5.;...Uf....c...H.u.Q....K`gQ..m.....:.'w....e.f.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	6408
Entropy (8bit):	7.967541665109367
Encrypted:	false
SSDEEP:	96:aKyc/z7WGs53JxLQR2fmy/F/NJuCkFO+52rpVRgYZQYd5yZap03P2cknG:tzls533O2f7noTQrpVnZfd5yZT3P2u
MD5:	2D71118DB8986275E17AEE0C4ABC0E00
SHA1:	5417E5CD570BD3C706A8E169A5B340F16A598ABA
SHA-256:	8E99741C54A80560D5E8933636E3B024F8EFB90A356C0657A5EF6F2F12EA3FED
SHA-512:	3B0934C57742BC251DCFF9CA4C0593DA1B8A87AF4BF45DAF71F92132A0C9DB7B8D170C92FA360DF021ACCA760D380E16F2A06C5CB97999D4406F728E6AFCD2DD
Malicious:	false
Preview:	.f.^.W5.9JvR.z@.\..c.."d.E2...#..L.P&plt ...y..'".....[...~.....]...q....0G.......<..,Lo...G.. XLnS.E...V.[...">E.7-.........P.Z...#...7..._....^..Te.<Ga..aF.Q....n...9.~........2.Ko.P..........g...{7........M.!<<j.c;.-..t..w../..".}h ...0?..j.X._.H..0..y.....O....XJ,o.F7...[..E.....A....9..@R.q.5y..U).uNC.Y^....3.GZ.......s..J.PM.q a..+.Q...~....9..~.ipx.Q.m..i.v[..\|.1.9.-.6.(...d.cU.5r.'6/...w..x...2..L.....,........,wo..F..D.Z..i..9y+..".]....@@b.n...~..v^Dx...pQ..).....]gw..s.-v.k.y.F.,N..X\.h..sv."#..\|U.D9. ...cD.._GZj...j.......e....k.).[3....x?kz..........W..xx..x...V"...1)...,.)=...k.....+.R..7....F.9...9.U.~\..tLS.b.w.^..$...&....~.4>...0.\|....,4.a....!.Ti..Y.2).:.im..a..n.....DG^.C.+..L.g....n.p..zt$(^.....,.......N..\u...Q..w..T.V.#P.3\|...r~........zLV.hj...b.)gV.D..A....F?.".(Wx........^;q..j.B....J.2..UC...@......L".m..M:. FfN.......X..]..6Q.%:L......m^E.}...........i.......Z...8....`.D.N.y..As .&0...]y..._.M\|....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2744
Entropy (8bit):	7.91677108389799
Encrypted:	false
SSDEEP:	48:h7VF0/ULqts/hDa4OOzUTeJOGIAUoLiWv87Uq9sp6q+8XQeiaM1y79r/8VpWkoP:i/ULcUDwf1APOWv87vNq+8XQeL8VpjK
MD5:	8C6E2E665E92FAE9862CB5B6AFFC3099
SHA1:	CB375D17D4B3578948DF957806CCB5DB5ECD2607
SHA-256:	1B53D9C10CF3C8572F529FB1BFA3F5A9461554ACC5B42E99D7118770849579C4
SHA-512:	C0F161C178D6E6BF9030D83EFE03A578B7E11D1E94C0CEFFFE9D462468D6562115BEDFBC5C4C76F57CE5C17A65BEC528B5127B2278C00055587299DB2AD938FD
Malicious:	false
Preview:	.g0.....~.y..u......#.6$.W..hvU......Wg0..J....D.u....3..]....$....$.\...Y..._V...@'....a...x........E...0....{j..D..W..t..t.9.c..TZ..T.v.;.-....... ...Q.5..e.B.XR.b..l...s.. .[x..)..eS.s.w.U..;~.(......![.....&f.....}.R.......c....X.......x&LR[80].#.B.F...s6hV&..aN..j....Y....:..H}.5.u.i!#C...<U!..:a[..P.0.L..y...^aiM.(....!h..%..8........J..._..;..@..iB....w.....r.).?}.....p.%.S.S^U.c?..^e.l...`hRA..A.....4.....?...V....}..9.VU.XS6.)#9......h.cGVHh...^X..v...@.m...w...x.&.....8z..u..#...=...2..P..H.ufW..l...!$g.....k>..`...0}.fS.d.HZ...%....\y\R..bp.z.2..!.m......C.0.4.....}q^.43.%....V..E.{>.(...../t?_.......L.OdG....2...F.sMU:.y.7..B.E.{K..r..E.Ru....."a.....p....&p\|.....x.....OwE......`.Q...\...>."Nt.C.$ .5....Jdz.[..9~.H...$..%6.....DmJ...E..=I......r.p.@..b..8z..A.....-N.B...+.x.3)..B....6O...s.?..e...S..e.l..h..]..z.Z...%h.(i..+..~u..W..DZ/...i......6p..n...6........1l...<0`.w.h.....'Y)UL..{@..N....._RZ.].....T.fS.*..S.2h[.p....

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	792
Entropy (8bit):	7.665744250522034
Encrypted:	false
SSDEEP:	24:nujpEpuxyHM6Ei3eTIrbYhuWHDOprl6uYeTGNTy+w3g:nCOpR4i3ecHoVDOllNyLw3g
MD5:	08B58627223E87208E73EF35CDFD3465
SHA1:	9DCD417169ABC975D84983F3D59D7685923E33EF
SHA-256:	36F0B93BA37A5B6C7CCA9D9F8C49305BE37E13FCD086B99527766BA065D69CFF
SHA-512:	B185DC6385012A6A28ADE28E976529176B7D3A92009FF085D72918ABF769EA8BCDA06E824E3C7315084AD23DF4BEEBB692665F67EFB65BDB8992788569001F44
Malicious:	false
Preview:	..w.v..J.^j...9.6....kU.x(yO.........N..+.l=~l...j....I.Xv..4.s..N.\|..+...50...Cl.T....2\|.../...".>1.L.\|yr'.m..W..Q.Pa[}..un.*..f.......&...:Ky....W...)_..9..Y....xT...&d.&..]=...A...U.$\M..M!.3..=.d...8Y. .J..o.!.p0.....>.+......s...... +.d...\|...".j.{>..C.p.....Hj..,.3.^(.'xcc.....z:...........$.#d.}.........b..B.JS.....~ ..xlP.......Z...LD..e.<..$.jweTN\|H..G..%.v...o..z(...k....TQU.d..w.;~...km.}..h.T0.`....3.L.H...BMEDUSA......................T.i...N%G..N.....D."9/.t.M.C....o..................:.....N... .1....B..Y...tv. x.....ua.^u..t.....`...I.........v.0....7......V.../c..[..okg...a+-As...uJr.'4.4..BB...C..x.!N...."...I...)..V...Di...A......s.....x...w.........W..sJ.J...Y..da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.695057434420166
Encrypted:	false
SSDEEP:	12:zTN2czQiIELCb2289biE6c7l63ezxSGv6+ZHudB2RUUjyHp8+Ci3UctHkefmJQRh:bkN228R9RZ632SG9Rm2xjEibefiU4ccg
MD5:	735BBCA40B519EADAC89D371E54A1715
SHA1:	211FEC65E85736FF85973DE723863575DEA3484D
SHA-256:	97CC21D02A4DDFA8FF018D3AF42D65BD65E70C5AE62EB22DC64F15F14A735F14
SHA-512:	E3C482824776A64BD56E5C3647BE59A7E60D50201D03FEC415983CC47F224D18670099395A929DFFF9D30EAD213B1C2CE49701EABD03B7ECC7A49988C6CA5540
Malicious:	false
Preview:	g........+.p.Y<.j.$......M ..K.{...}.rb.<#.=zYV7[Z`G.n.=....2..(d...W.H..Q.z..u.u.E4.!Qrh.t^l.....D....0.....L...g..@..5.{&C..PRX..s.u.M.Cwv..........)..~9b....F.>a..>K.%NG-..q.W....h!.....7:x7a:a............<0.\.....Fw~%a....,...... .z.F....I.2.....9.S/m..rRN.._u.....v>.A....J..V.4J@j&.._.937.M..1.?8$..A...~.d...k....1...l.%.=.x....v...b...9...gaQ...q.o.z.Q.].;...._....w.....=.$........E.}..........QOS..%A..:.c`....(.Y.3..t....SK...y.V...e2...6..g.h./Q.O.\|.....I..[?M.....~..".e.D.s.7..MEDUSA..................4.I^.....9~.ZGA.....P2.$...L....K.......\d...7r.B....r)0.}.v.../.p0mA...GS.....w.7........P.....~..F.f<...A&:.+._...{../d.;........./..>..MF.pb...............D......\|..6U............)...g..F;x.Q......!.]c._~.t.....sl...>...o=Q.#..u?..Y..u...'..Tda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	968
Entropy (8bit):	7.757775722645991
Encrypted:	false
SSDEEP:	24:sHSs5MY6IeQMwNEvMp3m/Rg9zLji4QTSF1POvPk:sH3VoQRNEv5Jezfit8
MD5:	9B85DE961C620D01C4D4E612D1DAA874
SHA1:	DF2A9D735C135C473FEE4F328D9EDDAA26B4AE15
SHA-256:	8B0F744A15CCA361B37473319EEEC8209BE6871935BC80DC1F6766ABCC997E90
SHA-512:	569A86B5C54709F4CACED06E83C55C628490B89A3F7DA2F013CA5CCE20239B3162A17F41B6E44D01DFBB8E8481E64F64622CAEA6E2A4CDBB454FE7C3434DFD5A
Malicious:	false
Preview:	O.n..a..V_.d...x...m.}...&)....V...X..V..W.+..\..}.l...;..p....&.........(.k..T.yx.P.b7'A.......rR..{.lkx.kvWU.Q5...q...\...L2R.....n....N...<a...\|/..B..........(... ..o.s.9D..d.......?.k;....wg.M..uX...t..1.Dho...:.'.,..I%.t.E@.........M.h....6.......\|1.~.N...ks.&...dd,.....(...+.! ....H.u.".....Y.+....Y.......N..H...b.wN.#\....Wg..0......I_....Q....q.:.iR......+........S.!...CX...G.!.........m..5......7..#.T.(0..7...^......}`...:,..:i.'.q}.R.....53..nI.P'......nB90.5X......R.....g.M...y.o...R...erld..6.1.K.z~..Z..K...s.$^%.>.a?}...f...rBT......-;..gd>..%.....2.F.F3..L.U ........MKQ.OMEDUSA..i..................'.Rz..62z..y.Z.o1...DB...Q15w..S..8.Xv...-l~.......@vEb..lT.C...D.0..N...n...y........+...I....l[.TU.[x&2.%..t)../........,<(..u.r*.S.Nh...e!...96},a.`./..K..j....]3 ]..4-p(.vh...z.....]M.. ..VC?....J..lh..BK...A}...6...z...........p..l.&tda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	602520
Entropy (8bit):	3.0787065415454693
Encrypted:	false
SSDEEP:	6144:P+afafafafafafafaf99dtGDKFQlwV1afafafafafafafafadj:PfyyyyyyyF9dtINlwVQyyyyyyyyB
MD5:	8731C095E4AC39E3DD4DD8B2B2E04CF8
SHA1:	FF2F960604D81569731F02D61C9FCC085EEE42B0
SHA-256:	C9BEC4750A3C85042DDB8FA6B36A2B65430DC083D962BD6CDC291A19D732598B
SHA-512:	9B8FB01847DFDC94A79732349186591A89CC8C0C1FEACA84B0124037FFC88E27D24FCBE59267FD40F873C7EEC099867EEC77F4503C7A5256BF8ABEAE375D37DA
Malicious:	false
Preview:	oF../...._..xE...(..;{.P..Y.r....2.$...hW...r..<.k.0]..u..y..]....S./.,..oT..(.7.u..]{B.?I..iT_y.M..k.&bN...nS.............P.V....TT\.../.y....."kC.....I.@\|..[..0.Y/w=+rY4S/D..,.Q.cd..$CD....h8,E.5......B'.q.wZ>.i..$`/....(07....f%..Y.]E...]S).a..l.Y.4`..e7..Y...^.7..j..x..p...A...`6.$..']nF......z..qH......<..G1..$z".>.....~>5......ax&Cfh...V.~.`..............T.ds..ZN.4{%u).......g.~..q.:.}.....!4l}.o...!~Zb.#..`..P..~....).)..Y.....5....."...+~x...%.R.eA...`.:..........F...FX.'Z2R....\|...........G.E..9..B..n....\|....?..@y.......G.e...ua.Msg=r..zP#.6.D.....-Zd......1....k.,...h..<./c..X..T.!....P.../.......,p...].\|..,.C...3.B..sBB..f....lIp.0..&../Su.p.3.4......W.z...B.HY.^.G...I../4.J..Qg..K....->..,......V..Y..\........a...1..#...%0...W.pB....~.}.vT........c..<..7.A.k....'.pMa.=..A:....N..;#..!s....c.......v..Q....`...M.8........&[A.../.D).W....D...s.......LH..7..1=.g.{........!.......u=O..8....o..UFP.]C(.5.Xk..y..

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	6408
Entropy (8bit):	7.97010759627894
Encrypted:	false
SSDEEP:	96:M8EeQidr4YvqNsR6fdDmdEpCMsysanzgz73UmeIBw/TNh2VRY1:zQidRvosRDEoHrn3UpI+bNv1
MD5:	31C399CCC04C3F7A0B704FF80E2C3C86
SHA1:	E21D0869014F75FE24326C6FA6D13566B48F7EB6
SHA-256:	E8421A6C4A3980E57422F56DFBEE3454F09A6E13B8AFDBA92CD6AC945F844FFC
SHA-512:	4E9552DF9B3A6CD0F24E52560857CD911C53923F19392C19A8020006BDB224BAB37B116DBE2E94511CC2B4D0B0213F1C6177B6E3A9D5E650E079F0663B3A9144
Malicious:	false
Preview:	hh..r.i.cur;.}F..o...........NN[..\|.Bs.)<..h..&E...x..cJ~..+.E.."0.JY.X.D....&.ye....8..}.L[.....9...r...@=N...KE...o.D.T.{.._^..p.).c.....].M.AP..a.f.q..].R.l}.............!..E..s<!..\|3.IPn;J..C.Y...q...9..r...Ch._.p...h.....Q..... .....Fo.u.0/...m...].....2O...............O(nA.R .j.Q..&.i..._.r..]A..C0..]9....Mm........t..~(...Cw.GO...dP.......rA....ve.N..?..N...PV....e.N.m.~].4.8......D...^.O".L.j.xh...._...mil......I.....`.'...4.3%+.\...V..%.NL5g].>.?.V*...I.$....$._X..9O.W.P..-[..?v.t...I...,4X..0x.... ....z..lE{l...U..-....;0...9..^...y5..L7_.8...........O.....~.......k..$..1/..T.vW,.p$.D..\|.1......r.f.e..G.....a...ytM....M#..C..dP-ee..e(..`w......R.M.....`.d..FH.T..g........w.(5...T.k./....B..(.3A..&.y2...5....8..Q....2.JXv.~...{.......Hy'W.v.O,i.L%M9q.ta.mOk......s........M....3.!.0.V.....3.%6.5]...J..C.&.C.dU....0.1q...Z..h......G...wI.?.m......(..........@....7.KHsO0:I>.#Xm.t.d...i..I.Z...<..9.1.@.....2KD.....v..&....#

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\cversions.2.db.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.156286131979613
Encrypted:	false
SSDEEP:	192:1Sp+O32AZSwHOgMJv8uBvj8DDwP+F6DulRtaKDl+6BO+XI:TAZSwHkd8udj8DsP+9lmawCtI
MD5:	AE3A88D3CEDCFF5F389B2B00D7C8F3C4
SHA1:	CB7B07C83314FF1D460C040A72594043A4991055
SHA-256:	6A403D653EF4951DBEC216D1F3BF0E3CC4F5075035ED41482D08646EF61DADF9
SHA-512:	A5ADAA336AE5EA92B1EEBD0022D5A5C5E205E678620D46C9825843EF19299A78634BD9990190553EE62D2C69447EC8A83FE8BD39157B3149C0B6723FD7B4545A
Malicious:	false
Preview:	.~.Z...Y...X&....9f......AD.D..N...D...........pd......o5G.7T.q..R6..V#x. 4..f...)].]'.SX....ED.@....../o49._:.....m.J..i.D.i...[.nT.'G.PN.p..#...y.2.Ruoe"Z.&/..G.f#.K...B..o....R.c.#=..@4<.\..2.....`..'.A.j@...v...t....\|![>............Zj3Q....b.g.g\|.V^l.c.....u.D..w...... -...V...J...c>k.U.rB..P.............>. `....)..c..1...x\1...y.qf)J.i.f..........].6..w-.KK.w...I..>@.....1-...([t.........3.$.QZ../.\|.g.5...<l&.f;.D@....g.;..<.r.c._.C._....!g......Tk.(........Fv5..;z..s.......k.._.i.[..?..........e..h.x.Q.v.......C?vc...ON.....Q.-..O...VZ...sk. v..0w..+H..7:...s........t.T.....f...Ns.gs.1......./?#....g!.A&......J.......le(.q.(...V.V.s.\|.>.E.#..F..:d.(.Na..\|G.?G.......T.........;?..e.....M....A...T.S..n._.......T@.9...>!.....2.._ %...;~q.I.Q\S....D...".kzsaH..C....-.NW..6H.oYuc.pA.2].s....mQ2.U...}...0D......8{;..H..........]..>P6.Q..~.y.x..E.,.....=.$....=.=..;......6OG_...9G..!.]..&...@\|@.W..:...J..4...L...NV..h.....?.f.c.e......+

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrc.idx.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	715928
Entropy (8bit):	5.408265624823874
Encrypted:	false
SSDEEP:	6144:PoxaCEDSZISsLW8PVvgjbdJlnZEhgKN86uhQk1wvTCOUjB5w:AwCtIv1gnlZEhgCluhQ1LCDjB5w
MD5:	7EF78B6DF4A0E9F497B60E6F6D57DAD3
SHA1:	8C1E37D788258E3DF503590FE63CE03F52B05F0E
SHA-256:	54DE883B7794AC824E36B8D63E85A362FED63E5E1C36BA0287BAF584834D3997
SHA-512:	96CE500C11EAF3A54EF59E606CBC68B7BD91D2AA7FE09BECABBFEF027D180E96691BF9D3621A7AED5AC9936CAA6B9568B91AC968011F125C98347008AC93360A
Malicious:	false
Preview:	......\|..7..^...i{..-.yP.VG1..7......5.qZr..w;......c.v6p...S.a.M.......E..i.A......s.T..1.L._}.....`!l......s<c.v(.nh b~..\|<cP..@:...i.Z,.(6.f..G.J..yV.".:...7....-1z.D....g...O.8o..K..(~G.^.....N&.....r...J^...E.!NO....N......:..o..8.5...,..1.Z.Uz.K.....(....F..,B.@q,!.v....%.......:....Q..IY.1......`a./..a..);.`..0n.&c.a<..A2....a.v.^.6,e..w0=..i`Y..b...I^..e......W.5.......w.........hB5..7o...?..c.....G~k.y....7..-...A5<[...B..d.....}}.ou.c.....L.....q.<.w.o..u3../Z.{/....H}.N5.zX[...?T.y.3....T..z....B...Z8.w..a./.... V...cd.....i..k,.n`.=\.e.O).u.To.F.}..\|..z/.9..........d....v..`..*..9]../..Y...K..C2..1...~!R^.A.,.pIR.%>.My.......".!.z....Ev.1.W.tYDvn.,g7.`...A....wqJ.q.>..8.....3.N.r.A....d]\|R..D.N.....]....x...D.J.c.^.g\.hzv%.j=+..:..+j......,...{.7..7[.KPN_N...#W2.th....;.}....V...G.^.....\|.s...A~2...D../.M...$.\|.'. ...g{..8.}/[.e..0..m.#wh...?...~.GpOO..#D?...s..N....I...a%..3.Jr;...AQG.T...o...WS.B.c?N.K..Q.lI...U.Y.../....S.

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\ASAP_CloudPolicy.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2504
Entropy (8bit):	7.918198122033097
Encrypted:	false
SSDEEP:	48:ic0Cebx8Wi0NdpnVdEeeamcabh7e93C3x6hGSmA48oUdBf:i6eHdN2cmhC90x6KA48dBf
MD5:	7A6699971FDB5B379BC044CE77564B42
SHA1:	DD1344834DA64095B738159188CDF77258760C66
SHA-256:	D31AF8E57E882F3D0A18086D69FE19AA2988322B76D16C975155026747B60F5D
SHA-512:	DCBC06431418E5D96FA8F5FEEA6A7779C3E366F580554F330753101C0DE32600578A2D7A8E381D5CE76DCC5F4525AB39B54D17557DBA3110360A4DE3C7CC2A81
Malicious:	false
Preview:	#.1...w.,..../q.{.....n....4c.N........@...!....;3...Aw.`....>kc..lE..]C\.Ph.b.\8..s....T.f!...CV1...o.#.&A?...mN..-.. ...8...$...?..K."....T\|...j....s.G.....3.5...Xt .F...X(u.#..".w.p}h.q.._...g.]......,v.1....X..!..~...K.kG..5...h.WC.I..R[.....n..w{.{fa.S;0...k...gjP.:.j~$.q.p..N.H1-}#;$.......v.)......vz .j..q/.... .l..K.+.........>wK}.]-.K.H..nA.I....D.R......a.O....w....<ka..@.Aw.$......D..m...eN...Y.d?.x`.u0..z...F9.7..M^g.~.w..p..>x.6{..>U....1.8.W.Q.'We#L....W...%......Y..t..m..).#..x._u\|5.d......H'..$y.zjl........xT.N?.....H...l.N+G.......k.......#q.kQ..d]..r....,........a5...{g.4>U.E......N.....t..)H<. ....v.....A.w..G..}..Q.Oq........+hj.i..)b.B..........S.GE.:m"...Oq...n..0.#v......U.......2..W.P.....;.0;../.k...:.=..\w....?...r....w>.n........\|~..K}.?n.j....7.....4.F..jB(...Cq...dU...H..a@...B.l......#9.*..g.}3+R....W..d.....w..Lc.M.,.Z....9.0......0..lH..&..v.9.#...E..v.].1p.5.Sp3.,'.l.1d.u3..j.E,...7..Nq....B........(:w_..x...

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\CTAC.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	89720
Entropy (8bit):	6.488262063707883
Encrypted:	false
SSDEEP:	1536:UE4kSTjmlUNRVnr72m9tkqxNzopiiVVLyP6ABciMDJ9iEgX/2+0wShIg80tWP:UE4kSTjmlUNjnr72m9tkqxNzopiiVJyR
MD5:	87F1234E8378D3839E8F69E107398898
SHA1:	E2310BBCB4BDDCA5BE5CB4A91511E30DD0FAD2C0
SHA-256:	454630F172AAF9A88C78BD64C31730D13DAFCCD1CF1E5327D96D37F780B5693B
SHA-512:	4CCE6CCDE6FE7596D842E590379049DA59B96B11B652FEBF13C3AD7B22E266A264D3161705F766020E0DE9410F40EEF9AABAB4FFA33D11DF043C66B20DCBF77F
Malicious:	false
Preview:	.......t.C/.........As<'."...t..N$..h...\...f....)........t.MK..Bpk......g;.y.tc+..+MD".v).C.....H.r{..^..?...1`.d....-n...P.......\|.4..L\..M..,V..o>UExE8.6.fm....a\|V..~.v.O........ I+.{.+.$}S-....(;.....7.=a4x......T..h(..uR..vK..M.....-y..l....@:. ..3.......o...XJL...N.qs.D0..7..".y$.V.4H.9.....P%...n9..</..5Y.~Ft.2.....\..(..C..O...Qt...G..}i.=........\|B.}.$...<..z....r._).....$..J..-. \|....G..M.k.V.....R,y....V..q..d...c.nl........W..7....Ce.I..<.q...r..4..U0h.i....%.lK{.W....C.F.....`.}.....(.AX#.8.._8.#2..6.-F.LC...oF....=.k..`1..m...D{=.......l.....H..,2..L...g.Ra,..Q.7.M$V.S..G..Mu..0\.9N.-.w5.Dd7.<..p^....L."7.......\|{/..a ..iC..O0K.....^,~SGkw.k.9w......F..NQ;...}......=.\.../.....w.=Dc.5.H..YJ..@../......&..)...._1.....W.G.x.M.O....?D.3.?kSN......_..}.......w.z...$i!..;K.@.......6s.."R..rG.CSz..W......I..@.....P.^.1&a.0....V...+.$..../cHf....T...x.e"3.3y.&k..H...Py...x.~......m......6 oze...\|.v...5.... .Po(x..H...>

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\CortanaUWP.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	616
Entropy (8bit):	7.552342209610216
Encrypted:	false
SSDEEP:	12:EI3p3/DwCPD/NXpGr1lyS8nJ3+p662P4s4UrnHgMqdYxRKeVFVu+xe0:t3DzRwrUU6FP4s4UrHgMqdYxFVuk
MD5:	BD2742422BF13D5E4E9CF15573EC3190
SHA1:	43079401CF088D80BCE4181C2C466E51CA4F4ECC
SHA-256:	C00B06233FA248D01F806DDC01202E4E6B8C93A94BC5870A9B3C4F0861E558F7
SHA-512:	6F12E8B64FBF85FE5F9A25B51039E29FB046E50EC5C98D75FA371BFFEC33F4727EF3B8380FD59122DA3FAB029436142B41F708B9F6CDCB1225DC6E347ECC67B8
Malicious:	false
Preview:	.Q.z......._..G...j3..2...F%J.0Gs..\h..b4#Ug.w..P.L...@...B.dn?..i.X-.a.$g....e...'..+...3..[.....s..b.i~H_..}.{..N...T....j>.....u,....E....G=.z ..q...<.'..!.(.a7L...C..2..H`..........`e3.'....[..H....W..+..j...;R...Y..~......:/.h?..Mz-....y..&..............-+MEDUSA...................$.\...x.P!.q;3.v...{....U.Z-ix6.`.........b.c..?.Cw..h..3....2.(....,Z&.*....i}.?I&\|.KZJ.W7\..'..c.\|X......`+%`....(..d....}....@P..../6$a._nAD.0.I.N...Q!...Vp.....xN.}.}...0......L.h.@E.....T..0..k.9D\.;..g...P.u.F.r....Y;H.(...@.I{.&.w0].H.z....da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\DirectXDbVersion.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	408
Entropy (8bit):	7.2288254134349215
Encrypted:	false
SSDEEP:	12:LGU9QMAT6MS/kcb2Aczl7NvWUPcSRtxe0:LB9Kkk4+l7NvRx
MD5:	5491D35F8018855E54C0415DB20C53CA
SHA1:	FD55008442C354DF4F3D1EABD5152A880F99AAB6
SHA-256:	D420C48936C4310A2917D365249EF5954E03A37B7BEECDF9AAC7101DABAE1ECC
SHA-512:	F430394A9EA2BC1CE1940384B4B1D6116623EF2EAFD7D953A39D955E19A73E24F74AA7AD9D11CBF82D55530A9299B0662D9D1AA558FD1DD2327F1DCD8924AA08
Malicious:	false
Preview:	.........0.B..S.gz.....'.....oX...Y.y}.E......X.?R..Y..5..MEDUSA..3................p.S.$.n.T.'....V......... t.7..~g.V..X..z=.....%..6.&@.8....Q...Y.@.!......~.x.S.x(.R..k.;..3.........$........=].NDq^.......s]r.{-c...19.M.....I........t.c.j..o.6..._@._...-..\|.....US.....h..@n.x;.ZJ..{~.K....xJ.C.:.. ..4...%.*./...~..u.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\FeatureConfig.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	21080
Entropy (8bit):	6.88165038584591
Encrypted:	false
SSDEEP:	384:MGwlzDReydDDhJkfefO4XPrZlCHzydmtCW:MhvVBXPYJH
MD5:	1A2D390108FF2F491879C7E88DFE99E1
SHA1:	ABE32C12FF779D06F8B31625B8C8ED20ED272887
SHA-256:	DBFD381CE544640F0405F511DD11D5618BC5084841F74B92EB5E4254EBA75854
SHA-512:	EF2379F70B6E4D21AB9FCDCAED49CBB22C021D4916E50885176F964ADC35B5D9E131EC8ECF67ADC4001AA98CB9B6E8425E961676598F8654324166AFA878A672
Malicious:	false
Preview:	. .\|.Y..?$..Y..w.K5.cv......mI.....,....m.E....\..3...LP..3.4O.u.h....{..d./c.].Wg.~...c..5.....]...c....J...q.Il^V..h..mC.AY".?...c.!..k.X.2...)..'..H.. b.&..X...)..[..R.].'....3..c...%7.a..&.v...8..e..y.S.}wR.7!..m..>...Fi.P..i..B'..0#...A."..{...b..."........E.G5..2..-.#..>.WK.....Yd.uH.)r.....q7.a.$/R^/..B...Z..[y^........W.!h+. ...uwi...C..QZ....[...9."{4N..8=......>..A..1%:..g...P.v.u_u...Se\| E...\|...8.h..Y.(.{..I....)..+!..o.5+W.E./..~.9.?.Ex.......t.,..!.&.F..D..U..A.bm..=...vY.V..".0&..R#+^.1x..Y.-/..$b8.)Q....G.../......`..7..C.Y.....;......\.%..UK.Yt....2....<..<{Z.....S....^....X.#..#......X..m..,2.c..S.l..o..\|."P....$^]&....]....?.1.8!.......s...^-\|.......Z.Y.>n.q.$..z..7.~^!MD.@..\|..6...[9..k.....+.6i<7........[rwL...~.g......F...0T.b2z...d)..P>..i..b@..F.....$.ap.#.(...8..^\|`.....B...z.......B.(c.....k......[.N...h&`.(.N\...c.Pk.7...m@...w...d..j....:!&b.$;..@.S./Q./..;b.WUf.+..........^."..FRm.....I..9+..l..C.6

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\SCCInstallService.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	840
Entropy (8bit):	7.680666693866463
Encrypted:	false
SSDEEP:	12:/BMEWPzLH5/0bupJql2aAyOolAGhfG8Y+ccEcbhlkWfnB6ULPyxe0:Z6Pzr5/GRGyOkA2f1dsmwGBZg
MD5:	3113A7B90B8CC2A5EE97F4DA6CEDFEEF
SHA1:	62851F8677C0F29369D240A5D01D23145E51A3D7
SHA-256:	C38B05C3A77F6974622561B275C62A55B0092910DEABDCE85090C7F2B39177F5
SHA-512:	2EF14C3BD2794C00E21A967991BD106938732719C5D4937B068BBD0BD036C29E5D668DAB2E3DAE54173B75CE311D8475959DB77FA5AC6A29FE217B960F27DB10
Malicious:	false
Preview:	..'....h.!..2.[...w...B..h.-..=\|k..[...G...p.q...p....9...9mk=.j.vD.X...0YN.../....uM..6.f}<Xu`f..,._.C8m\|..:..\&..@Y.)g.-..j.bEt..h.\Ds.............p..HK\|.W...v..n7.U.p.neP.>...7.R\|..;"r.L.....<..K...`...s...r...?...m.........zydLXO...[..i.T..C.&c..P.....,.Oi........(...@.E>.."....`.wL....B.f...^v..,..t.W.9.8;.....K.....k........y...?1.Yp.1..Kg....S...Uhv(....'7h...c.......v..c..f..b.y..$v[.e\|cI5.Y.hk.7M..xZc...1.x.S./.*?.-6...C...+.d<...8.}..V].0...G..Jz.[.$......MEDUSA....................V..........Ow-..f;E_..E..&kf\.w.....<l...K......4.0......g..........h.}S.J.txB..8.Ye..r.....].....l....W]r..~.#.p..j].....t...b.>........U..n.#..zb:...r..A......p..[.v[=. ..Sm........x)......Q.+.4.W..k.Y...h$r.M..7.....'.E....O...).u.gN.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\StorageGroveler.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	760
Entropy (8bit):	7.632043861358042
Encrypted:	false
SSDEEP:	12:m1KMZ33MrYfs1D7kbecjnsILbvuwn30NO0WUhXPptiwWprE5V9XQbYChLEW8hOJ/:mcCuYfs1DYDjs4b/3mhBtiwOE5V9XUjJ
MD5:	9DD7862CA59A898362265D3270168C81
SHA1:	195DBC2F88D44873FFC319D1587D5F1EED35347F
SHA-256:	185C2C5CB53C9FF22DBB87F07193B042117C8EAEEDAF24371F5E3FCE4918B79F
SHA-512:	751CA7D5D8596977047F94A7AEA9FAF2448860D6FEDCB341EAF9DC43D4DC9F10A0DEFBCFF2E8ADC820F2F3826E822B0AD365BCEA6590DB05ABEF8CFF97B39C75
Malicious:	false
Preview:	i.zM...,.\..A<.IuV.Sr........I.....yo.......vN.OkD...WR...O....>..f,.O....>..:ev..:`.[./.yE.[..`.\r..Yo.B.QF...-...m....[.....V....Q./)~..i.E.l..bsk..i.eH.Y...,}.{..v......0.M.)K.....zBr..........H,..F!..wB.Y<b...7...._-.<&@..~....4,C.q...>.f....S.M'.M..(s.......Z...w..\|.....>.9..0k.d...K.$..>.\|.72.....F..zh.T....."c#RfA{j..h...rs.{.2_.%.!..e..(..#n.i)....d..... ..........6....q..n...\|.p..!MEDUSA..................M..XAn...=.`.._v.f.9..]eL.G......9...r..].m....x.>...@o...y...4.v...NI.........M..]...Xom.9.sWQ.u..;!W.9".C...@J..t.4.!.W!..f..3.@O...sfK..5,.LC.u.F.E./.}S......5.P2..##.e$....*4........X..F....?.h..0...\..:8....Nu..0X.J)UZ\W.B.I...%0..mS.&...da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\OneSettings\config.json.MEDUSA (copy)

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	6040
Entropy (8bit):	7.969803370375307
Encrypted:	false
SSDEEP:	96:ELRnQrw+zI0FXE79FcUFyr21CA6IE5M91jrNY9UkBtLQ+p99WV2RPGCm5njxPxK7:ELRQrw+z35YzyrSQj5c1jWnnLQVU2tPM
MD5:	8CBBB6599D5E1C72A50F4BE662EE2C53
SHA1:	88ACCECBE44F629F85C57A538031500916F73285
SHA-256:	A1E37131710A00672BE492C8C485770F45963AFF7EB98D1B86265EA7FDC3B76C
SHA-512:	3C56FB0EC5400DC8F9D521AEA1F890B64610E173577FA8C0F7C658386C78AC02A733E26C915E544CD809B28F3E123727BCA3621C92382E5A30C9C98B6A2B34AD
Malicious:	false
Preview:	...b...l....D....c..z:...3...N_.;..K... .@y1).......-z.]sY......I.1.4.u.z..Y..I\|I.$I....\....#.=.].<.T.....4......."$@A9.....~.....~.T.N.Br0..~.a..f.........C..].2...$.M.Ff.K{.nIf..#>.t..A.uwq....x....Cz.......n..l.P...u.[....[.(...@[...S..-.h.K..Z......R..FD...GR...>c.r......(....Q.SpL...q&.U6h.....\|...\.pQ.\|..B....[r.+N..7...".v..lR.....`.d...:.k.n.&.!...:K..".ug.a,8!.y..)...f.<.Qv.B.c.x..{.....Z... ..%T........v!..o..,Ln:.@..{.$...=.....$"A.kq...a.)...H.B:.#.j...._...Uz.(K..%.=...x.e<.G..FE.).....A........p..k.l...l...o.6o}.0...7......../..4/\x..w..Bt...D.uk..3E.....NQ!\..N..c.\...u.E.o.th..N.E.."=d..i....a.-y\|....NA...aer,.,....8..;...p.L.Z..])3..#..5..?X][...x..V..A..{.].zNa.g:."V......".O`h.\|.n.E..G/J.....7_fE.<.._..X..G.P.p(....F..q.U....FYR-.........g..6.<.@80Ot.b....X....G...I..l...b]d.......x..i.5:.r.l(.*%..O.t.......oFu..zB.6KZ..pO>....< ..OZ.......C.P..E...........).O..WP..R.m..".O.b@5.$57../....+... ..@.

C:\ProgramData\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\.curlrc

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.182495355368452
Encrypted:	false
SSDEEP:	6:A35GosCCmJ4oOIZhwnYbZRXCjnEdl74nB8SqSfwIWFwLJ83bgf0i5z7W2iD0:A35GCCm6oOohwngkEdl74nBTxwP5HMxV
MD5:	763B1FCC924532FB0392D888C03AB601
SHA1:	45ABD5F0234F71A2F9790D0CB892CDCADFECACB7
SHA-256:	2FAE8E36F1128223C5B899DFA6E8AE3A4DA7FE710837083FD685F1386E0D8806
SHA-512:	CA5A5A6301FF5B11C4A66F67171356380A7F50D37E00250304599D13E81C63C8712F99982A3D6619C54C082A23556584358C627F572B7DA88C07136C076F48AD
Malicious:	false
Preview:	i.{.b.s'0.V..MEDUSA.....................yQ....).L@1....O6(&j..HQh.\.....z.D.%..r.}..$..=.....r.(....P].m....J.......Z. ..b..b.o.Gto.:.F.....8\f.Q...(.~.])...^....cVuX.7Y.....$i..K..-}..i...N.A.....m.......\|.C.p......O...3..s.W...fi...`..:......Yg(.....t..',.b.....jdX.."....+..xc.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Adobe\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Adobe\ARM\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft OneDrive\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft OneDrive\setup\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	376
Entropy (8bit):	7.08892343541266
Encrypted:	false
SSDEEP:	6:6Cklm/tEn7uxe2JW1615NzRLAOVizXf04ED1vbyi6k58RfAQBWj5z7W2iD0:PklWtE0Y167jLAOVov2jyiJ8RfTUxe0
MD5:	B419F3AB7A3D752B34DAAD23295E123E
SHA1:	F94D1F260C0387AF8E35096BBE97F3C35E77E33B
SHA-256:	32037BC628C2FD6C991B2968455B3191EB1C7EB87300DFD154B7EB44CE4CF8E1
SHA-512:	372642060C64CE78C2993454DF70F8C613956B4819910D766FF877E5B73792BF1DFE53B2F4BFD22CA7659D12AF5ABA78E1187FDF5F93CB8F7514220AC7A85463
Malicious:	false
Preview:	.1.1P.d=`.15A.~.K..#..\..../i.MEDUSA....................d..Mk.iO...`...40.z..j.2...Fp..$`u)..A.2......}6..C..`:&N5..~x.)6.BP...\&..@C.W..%...S%..}.l.."...s..<....;........\|..'...Q...3.&.......n.Q..[.-.z.s.k..`L...zG....L6.s....'P.X.0..@.......\....q....a.N...x...v^X........v...N..........7..... .da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\AppV\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\AppV\Setup\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\ClickToRun\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2328
Entropy (8bit):	7.897933110971015
Encrypted:	false
SSDEEP:	48:2duqpTwyYZnvNEPPm6JU1HpYVrYM6ls8Cx:2du2T2NvNEPPm6i1SrYML
MD5:	AD213137F745D9E092CFEA007E6B685A
SHA1:	1822D9584955EA64B77464A3C4175E4B0635BF25
SHA-256:	5400AC3EDE93C9455FCBD320EF551DA41245C18BAB22134A63CB46197F3F0A4C
SHA-512:	DC55162697553A9436518274812B41BC295755EAD7C40C852C1494ED31563EC842674B20E7CB6BA07AC00F9DA9F88710210E7481D2A42449B1230B845141B230
Malicious:	false
Preview:	^..:u.@VG;_%..1D..`..Z#.E...r.%>!..aT(6..........JO.u/.....c}=....e...)....G..m.P.~..tQ.}.9J4..y..S...1.c#!wQqi....-..".wA.....f..T..U.....\|...0...OG;....@.e.c.....nBa..d.4....w_..e.....s__....rA....#..q..\|Q.[..x...m.7.H;.......lfB]e.B.e..H.9aG.4....v.}.....Oc.a.....^..z..U...V;A..H.........y...Qz. .fH.\|SU>Y&]...-..bJ....../.i+>._.._r..I....'..Pa..=.....~..~..R.7..$!2..a.(._ .W%.U...h...b...rn}...".1.kjE..L.T.`../...4^....!.Q_.e.b..!7.M.....M...=.-..".)f....=].{oG.v/..\|}.Q....Z....V...Q.1.%....a... V...ajzK..z.{N.@.\|.$.MP.#ar....'.......{.lK..E].g(...'.-..m......T._...3....l...?j4.<.:g..5VG.;..dp..`.....4.......`.I.......T.0.T.....+..o>__..$'.NS...>-t.......z.z.5..(.-...b...=...p2........"....Gk.L...kkL....k...j.....+....8..N..{W.E..@[;....D&6...Z.c.O5....e..Q....S..(o.?.....[H.....E..KP......b..S`..3\|8.J....`........o2...e.._HH.Xc.....w.g4..G.2z.bn.../.j?..[...A}l....d"....E.....CV.8.....\.b+%..Y..a.9.b...!......4.2..h..P.o.}..\|b...:...8tR.

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.1.xml

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	7.867950719745794
Encrypted:	false
SSDEEP:	24:3zI+5J+at9c6RNVtlLJYmAnv3S7sT2ECMF0w0yjfRke2aodl5kLHpuUnS:jg/OVb9YmEvC7rB401yNkeR8y1u+S
MD5:	B2A40D7ABF1493BDA94F1662D500E13E
SHA1:	00A61B48AEDC43889EE9C35E4E7173A265F42134
SHA-256:	A79CF11CD465AED0AE958D8CDDA47ACDC2D5C28D44687C7BF3A4BCAFCE822743
SHA-512:	17AD2128B2F008348B0BB5BECE9F8225DC4786B382F84D936FF8CE35AB26850BAF35BC79D6B8DDA60BA6940D05D189CC341CC8C108D24A453C72AD1C54AA8D39
Malicious:	false
Preview:	...9:h.i..V...C2....8.d_.o.%...p.."Ab.t.'f....2.-,..N.V(mv....q.VB..K..A.^....;.nG.f........u...2.5^.lQS.....K....{j;.h.[.G..u0.....zi.V...V.P.jm....T...[F...Y...PV.4x..._.b.\..:yF.zmL.I.F.. ..,.c?.4.....4w.(R2jy)0..9.%.&H.b....Qcf577.....zI.=......N..3.!..).j.iI.X.d.P........'..aO:..'@......fB....J.I...M.s..\|..}...K..L..^.A....>..r....-.....6M.v.cX..Q.$Oo8.Z.......D..L..@v..C..F6.W!.......oL}..;....Lb.x..O..b.,..=...<...}.BW4c.IA\|S".f.....Z..uZ}....~&..W(H..W.A./_..m........3,....,...sf?.q....\|._....,]7..3..+..Z.[C4r9dg{.....r.v.j4za..9..#...D..r,?4..{...HO<.@9&.%.b.".c.q....0...[[.Q7P.(.....lW..n =kYk.=j.L...f..6....o..j8K..d.........jJ.^"N.F.f..<sS.`v.S.0N-.}..q}:#....i.........E."..b..b,j.A..d.??I....@x...!.....P.[....5..~..6...^Azp....+.;cf>..i....Eq}..k5....<.io....P].n.)....[.Y_.G._...n.A'7)/d...q.x...n.&).5.U..o.=.....?.<p....4.\.Y,..<..].C..z(r\..2M<.n.s..C^J.tno.=...,.....=Q..h.......V.#8d\|....S...:...../........Fk!...p?

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	7.878009812272706
Encrypted:	false
SSDEEP:	48:bl7RznZHS/3BMdId4QskprYI91/LIIBTmIhCO+2NM:R9N8KdIvBYEXbh1i
MD5:	0E8AAA5A9A83029F72905FCE701856DB
SHA1:	C65AA704ADBBF72E0647615FB2CB8D054EEE7FE6
SHA-256:	B32F3BC4D94BE8CE0FA349F11E4CE2E4A906FDAFFDA3A120593B1DD4F26B801D
SHA-512:	CE286E17DD333B8ADB525A0DE12294F70FEB33536EFC70E16E04588B311184BC25D6E89EC9624CEEE2A938F9AA6BC4E095CE8D36DBDFECA78210AF83D165092E
Malicious:	false
Preview:	.5J.C.o...W.....w..J..u.Nr...".m.1.}R.......l.?r.7.~. m..?.\....#...u{>..#.}...Az...LCK....9^..d..PD.....2..Wv.KV.....^......"..].X...5.m._..&.....s...;OZ..)~.K.....C.D_\|z..3.qy...y...2j..p....N..-B...J.V DwR....M[...$.l.~A."6..vP.i..Q.ze0.fM.VzT.ZD.on...%`.+......+~.,...`...7._bO.......uX..:"=...l.....5...............$@f8...e.1v..:..u...T%p]..H...z..&.{VF..".\|..&.6$f....b.G&7...a.=e....J..H...Z....7...a......e..3^.e..p.....k..R....rla...?.\.g..#..q g..M...$l.vz..4.r.5l.[.a."....L..>....Z.`.)..........j...9.r......#r.M..S....j..8R.~.y......5'>... .+."!.j...,G.... .u..B....e.>.'..Wp@#p.y...4..l!;......./.....a\.:.vY=m....L<f......_6_..T.....].2.h.R.PV.~...p.J'...>;.........J..Q[-........F.8K.G26^6..4.....).....b...L.].vO.1.tN.N.-.............@...T[.P..L....V.S7...._..!._...Q6=c.A.hM7>rA.0...<o......W3E.....<......6Q....pE~.>!.....u].S_..+.P...,B#G!..-..7a.f.s...W.o.....s.............&.#.R5..83^.b........XN....IM.... 1i.Z \|%e

C:\ProgramData\Microsoft\ClickToRun\MachineData\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\ClickToRun\UserData\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\DSS\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\Keys\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\PCPKSP\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\RSA\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Crypto\SystemKeys\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\DRM\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\DRM\Server\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Device Stage\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Device Stage\Device\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Device Stage\Task\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\DeviceSync\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1940328
Entropy (8bit):	4.988874488400142
Encrypted:	false
SSDEEP:	6144:92cbBrbKzK7Li695AD1okJmV8FYcyQqdufypthsy0vJlBm+gJ:9Nb1mOvbHARtJG7cyQqyOsy0xlgtJ
MD5:	BE1955B31F7CF77DE1D1EBA61FF10EB4
SHA1:	1AFBF3CF544A24BD9388F894DB6D1F8C3A4220BC
SHA-256:	8D01268EFB03495221CBAD521DFCD6F911042480E3F1D9F6398A902387025F38
SHA-512:	624120545F15B4EA22C8EBB75923829D1FB34804E6FB6BF50C1891DDEDFE120E8DE69B9F35C5165EA317C85E514EB3826255594BF5FBF9E1193ED6EA8B766F85
Malicious:	false
Preview:	..\|.5I....t3._./X..V../....... '.Jm...r..j..".....5...1.ob:.g...K..W.?f."u^...>....5J..x;.V....QWoR.p82.x.H.>.J=_H.K=Y.$....p..zz.....jM..o.....x.-..;.44r..F......$.....:.._`.?G..[...T.K......(..M..N.....M.I...&..iY(.x.....T..k0.....X.i.V.... .......4Y7.j..g....L;\|p@F......).'...a..=.q.d.....? ....x.......+F......{8..t......7.....7..\|R{..)...L=...}5...9C..v{.b.Z......Z.I..(.M...oK..g.(OpEKb...X...........m.7......Z..T...^.@.Zo.5A..U.........0.....<..q..._7D.1...K.DGZ{..<].q..........U.2g..O...@e..o.8,.<0r6..h....U...y(..<f,.....L9........).7EbA.N.G[......:p(@.{.t.7..#.PD.l..J.1.(.q.w.D...+9..xAJ....Wc.E._.B..C)...........].5Ms... .....&.......rC..\|.Y..\|..h6...4..L.%5....aw9....}..P...Y....Y.....e.Zm......v.H0]y8...r.<F..l...}..`....9%%....q.2G.b...\|..........8A...,Z.c..@.\....M...r......<..)Q..}...`....A]3.4.e x.$jCT.Y.ZiT-S?EY>j;9.H70}a..).8.>.k.2..Ual{R. ..0Q...,.]..i.\Rx..q<*.~...c.9..T...s........BW..8....;$.Zz2W7..9...NNm0...

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	112408
Entropy (8bit):	6.599121797729821
Encrypted:	false
SSDEEP:	768:mNWvdS+hH6u4tc3BFtHfUzGUyhduiUJkmXTPk6xDBgJSEB0MF3xPSrZjDT8tXBcz:iW16VtIdU3y7z8r4oDBgAEB73wtrDPL
MD5:	E987C99AC066A700807C0BF2425A3FB3
SHA1:	864D88CA061CB77A9D00A1CC14E1D8282174A22A
SHA-256:	7D78CC36945658C88456312332154DEA52B09CDC835E2E05014829DCF626F162
SHA-512:	71B21D40263A9DDD12DAF0D6EC1F2EA4023FD47CFC5C71FA0BC32381277159D04F31B6DBC2783DCADB26485FF85442885ACFFBE4EEA6D62E8541246E251E3121
Malicious:	false
Preview:	c../...A.u...3..>z'...&.)^P..<n..?C@=.}...\|...$.........2}S......f....zn.........KhF5....Ysf.......w...f...h..z.gu...7.:..h..@k"../...;MM.....ah..Tt...~.....=...d.<.......].(&}%u.l6..n...1..p=.J._A...3\.s9.\|Y...6...<.@.>..]..4..CG....v.<.."....,.%...O<...?....D..g..Z".gK.......Z/..o.....Q..i......7K..{.F.5[.......=^.....t3.-.r..x.-..Qq...w...\,/......M..l.yv....".Q.Nx:..}=u...0gr.p.k.yA.....w.z...Y....W....iB.9...SV..).. >.....[.D.9o.0.T..s.7+..Iw.KB\.zpXi..\|..~..Z.C..J"_.f-w.6.;..q.N7..!...(...oiG..A.%..G.._..>>....}/...dj.3}...=.._g....B.....'0$jl..Y>.t. ..............\|..........H.B..\|.P.>......<0....I....N./V_.o.]$....=..9j....@.....^Km............~... .o...N...WA.y..yg..?....K..A.aJ..%..U..(..1..p...G....a..{...`..a[...{Y.4..gL....DcNro........9....;...p?@.C/E.%..e.......x3j......Tz....8.y..@.#.D.-8....+.1.,\S...7....;.w.\....t.[...<]...ej...bI..a.F.#...?.....i.1.o........&..(..}..). `G....'...-$y....`QN.U+..u....z...2i. =.:.

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	112280
Entropy (8bit):	6.594595007156978
Encrypted:	false
SSDEEP:	1536:XGAX42WC6VtQyBhU3y7XC4c48vWEB738FCOr6A79D:1WCitjECzC4Z8vWi6COr6ARD
MD5:	1825AC5F4D795620BC7CD259DBBD94C5
SHA1:	5D7289577C4D45938BBF95C7CBE7CEEFD58A7A37
SHA-256:	4EE51B448922F7BFA4F1FF0E0221C7C22C1E3144E266838EB04A014DBD77BDF0
SHA-512:	6B8ABC0A92887FBB720A22F371DADDCE14A8D35BD80A1C85AB98480DEA6E61CE25E6926B1A139FC76CF74D9A1EB82E81A8EBD5B3FFFCAFF92AE1FF7F402385F9
Malicious:	false
Preview:	.au..%...q..-N.A.)aJ..ts....?....6O.j..k..d....@...e-~.u.Q.2Q..%}.B..@........\..6x.X.R2..+Sz..0..)XgCxT....w}...s..t...XX\..u..O.`c..!..ze.-../d.......mA...................bDr..A...Zc.Gt".. .....'..L.[u.?\h'.._1..2...EL.........f.XA....e.@.RN...>P...P;.2..3.\R.jP.s.%..I....?.Y.s.......YCb.9.......1 .Q.....;..>=..Dl.x#.......\..7n..../-dZ...<6P..S...).p.\|~A..NW`@)...C.O....M.<x3...+...;aq.E..Ph..\|v...j.D4....j.I[a.j...5..N...LK...$......\|.E......+.R\Qi..=7V....Qx...sj...e.q........eIN.jZI..i......V.@...........F.\|..lJ...I....`........6.k...=.{....].nl..d..4...Ah..a..s~...RD.s<.l74.....c,;....^....MR.k..n.4..yj.....}]..}0.t7..2..&.14./8........4_W6...V@5......r....<Y.v...2S..............m.9.&...9...D/..b........e3i;.W....\.LN+..N5MM..d.....;Ku..K..s`>...P./.c...nN&)...{....k\...V.mN...i....p.....h?.!K/.c~;..a_.p...d.X.\u.A..wd....,]....NK....r...........5S.K=.....T.xs....&s...o...QrjF.Jd.L..+.".V..%@..C.{.V7....(.9..0.."...V.Sz!...m.5!JZ...e.\|.8...

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	3080
Entropy (8bit):	7.9264929146952765
Encrypted:	false
SSDEEP:	48:Nk+GO6vBNiaAVXAZ1G1NZJgzV/E5eXYAr5DbQCS7l0pZgI8qXgSXxMl3WrgE/P4v:NrGLZbGqC8Fr5DbPU0Hdr8
MD5:	1EBCEE57C557906059A86E3A0C453D4F
SHA1:	11810F5EF95C63689858F20160FBF3B870BE3BD1
SHA-256:	F570DEE80BAF12DFBEBBBE7EAAAEAF20F78C859E9FD21CF1586FEFC46964BB08
SHA-512:	6B635DB87B18E6D1429E6ACD94FBE5286018C9F3732D0D36B88E17DEEC8E8442269F63D0E1A62F36130D0B0D6CF0EABB0419D66164BBB47CC4F31BC12B2C31E3
Malicious:	false
Preview:	QX..hM./X)....MT...c....^mUFW._Y......1&IS....'f.XWn..i....K. .6Y6..H.TF..V.D"...w.h.M..s.%..%>......T-.J.(x.I.u...\..`~....!....T.$....V../.^..e......^p.........l...DT.ikK]...K&.0.3D[N ..._w.`}.`6.YQsZ.e+]..KI.....3M..(..I..........1..Dx.[}..xE...x....F..O......zyA.%.O.y...as.y.:.`i.qY'..+..,. ...H=m..Y+..i7...Hp.kk......._y......Ot..?.t.Ef....4.......n,;...b..,........p....r.l.&.\Y}..0.B...R.]...W.o;..LH`....%.....g....s.1.z_`.......N..W....z&!.p..j.l....!^._..f.]....E.@Zr.g..m.`o2.H83.N..Q`PJ......l.6...qf.F.8.%R.%..j.....!...n...&.O....-0>.TE:f.@%.....lH.W..B....M>X.. ..h^.RC....u~bL...n.t\..+2......w.B7J................\i6..@..y=......t...f..x.[.`D.....7..+.D....7;.&.........\``.J....}..`......I..).).A......7;..u.$.......K.....YE....fNw.....ZUn/..Y.KY.XZRY.P.[.@....2.a....u#......%WE.(s[.....f......m)a64.?}...9j...H..........y ...".S.P..-.!Z.....>.......'!:./.X~BX.%....-.....0>L..3..).:..A..&q.!:.s5P.oR...2...R3.S._..1(m..

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2149304
Entropy (8bit):	4.928421951550829
Encrypted:	false
SSDEEP:	6144:CEDLBq0sSPiFLL1v0RPfmn4V175nHxndlY:CuBqZh+RPbVB5nHxnfY
MD5:	F9A4A47C729902A4A42353810CE96050
SHA1:	0EBE6008F77CA08C1527AE198639FC9573E3B0B4
SHA-256:	94058D3375CC5472E35DDD60F8F43C09C1D8ACECD706CA2485FF6279144DE4F5
SHA-512:	7657A003077D75AB80D5B97F118B0802C8C68ABE894856677CBB6D63DDAA7E2E03CAB98C1A7DF6808742F5284D1E83BC06FF108849921F18E8FABB325947449D
Malicious:	false
Preview:	`..}.[.Q.0..C!...4..}.W.]<:2!Z.L/...'.. QN..JW..X\.v...r%...u\.iF.s.[.[.rQ.../..d0....3L!..].....1..j....@..3O_....f......q.....~?..C.-x?...O../.O./l.j?I...Y.D#..7..9......./)..7.....D..R.[.."/..AC.........xO_..hu....X..o:w.G...XaN.x.}....dP.s...q. ....".......-.`7[}...f.~..?..v..l..t..$..D4.0v...i.a...6"!...X.....'.6.Q...+...T..Yr@.+%...5..-l.0]..k.VG..N..L.X.)......R.w.........q..h.v...........~Es8.x...~.....0.T...1.qX..n@...kx..[.....+.tO-. .B..s.)....d.....`..........8..d...j.q.I.,...=..Vf...T...9...hIX;..I.^...b...i.....:.7!.......*.d...p...l.%f...c.f......;+S..T.>...6...j.si.r6d.^2....w.{..0_{}W...:0...S~?....G.gp.q..}5..n.jCD...48.e%.FZ......_.t...e.U...I...."........~m!.< .?D..Y}.#.ezY.WB.....`._F=eN.....f...F:y.....@bt..$.)....L.Ic.=D.H..w...n........4..oR.s....=.c.%.0.w...Y$..z.z.B....,........x.u.....Jr}.F..v...\|l[EP.k..!.}-.TC......LD...[I.cX.....U..N......G..:...>T#X......../.3.D...........<}.7.'.....1..#..:.[....G..-5...>./.....

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	392
Entropy (8bit):	7.196916071914694
Encrypted:	false
SSDEEP:	12:1FtsF47/63eKVADWK8wwPw8aw5+gHuxe0:7zO3PiK/wCwBwc
MD5:	D158235C5B622DE2044B22966FA6B985
SHA1:	FD2AC3242C105F94E127C0C7E71212897BB2A477
SHA-256:	69370BD9BD0A990957E32442509AFD08487D5B3732EF2AD2A3A7891DEF0ED9F8
SHA-512:	A59928F22AD801D5E9A3A2777F715D4BB74056295062E0545D204B7D1652932F5D0F13AE9BF61F817B79C478DC615BD2C81D3EF901816A90FBFD28720439F31E
Malicious:	false
Preview:	..7..D.......)G...v4.J..q.QW..^...._6.<..D...!.2MEDUSA..)...................'t.-....I..p..........o...L.l..7..&.....F&.d.).\...9...@.=o.....Fo.J...6.a.7...+I......p.xU.&......[:....QX..Y...b.,..z.\.S.....Y..t.!......x;..pt.QL....._UK....(.H.P$..<...{w...`6%u..j.$U...`..ac...A......&N.P.G......=:...B0W's....*,.z%.$].da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Diagnosis\ETLLogs\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\EventStore.db

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	106840
Entropy (8bit):	7.461548670633903
Encrypted:	false
SSDEEP:	1536:jxefKlU2GDjRLwovv+/wxJKtdsa5ehA4n8/NH5LBrbwf1We:wfKm9P1wU+/wHKtdsF9Mwt
MD5:	DBE1ED6B9F402950924D17D8BD76CA56
SHA1:	E50D20C61205A249B09B2BCC78EC0C4E066D6A5A
SHA-256:	8B7B0A4A96D2E166DA0F07E5CD16C8560AB2EB404C1615594E3BB084D923FFDF
SHA-512:	21FCED630ED8C502D2355A860795FB9F69956F93606AE7DBA70D89BB2F3DFE7DD137345285B5A32ECCF75A8E2CE16AB9BAB18F319CBF7D9E2D61D912CA44F168
Malicious:	false
Preview:	.d.5C....7....K..D....."j4!%...tIl."...RA.....lM.....(.......K..~jGmc.V..1y..t..-ZoH1..m.8.e..N..k.f.b......xc..G....Y.}.p.._-o..d.tF...b\a..w.Z.../.?}d.c.m.7..-..@.g..;....~....cX..........2.3{..j...w.c...{.....g.9C...k.....".T.v......'.....$....06.G.,....ON.............LB....5!..b_.V.n6..oQ.....DJ...u!.\|...I...5..iK....%..7......z.[..%2.#f].P.$Om[_....2f..7.i~3.5G.@....}..@#HUS....:.eYNK.i.7;_Q.]b..r.#..G.....G.g...g..S~.f(.9...6'bS.......~D~...Y.L..o...%8e)L.m.r.W....t.).....B...Lz.c7.u.0...............;9..OU..q..><."F5c.Q....B..I..h).1..=..................[..o..p..6...r*&.c...X..h4a......{51.".....a./p.z%v........nK.#Z].G..Q.;..d$......w...A.._j...t....$.Cjq.MW.Q.C......A..G.....X.-y+.[c.w.ru>.x......OU..B..3.....cux.2..b..o.s.Q%...S.k..'..2.%.'.~..........8:.H.....u..#`.N.....[.P...E..T..(lGpV!..7.......`0......o......]8...d....{.....)..P.If.B....U.\|..B.M.q.....1......5.u..Uo..&..X^.gs}....L......fb..y .n.[A..V...+...5.`.Pf...-...

C:\ProgramData\Microsoft\Diagnosis\EventTranscript\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	33112
Entropy (8bit):	3.982698603812187
Encrypted:	false
SSDEEP:	384:TJzbVzRoFl7i84W+yN6cga8kC9HzAxy8kC9HzAxrb:TJz5Ryn4Wj6cga5CUy5CUrb
MD5:	E1A0F68C4EB757DBCA6568CEBAF56798
SHA1:	37E98C927E664E07FAB169CD053C27F4DF5074C2
SHA-256:	60E8DCEF9649A5F70693EC77F2133D3F69D1FD2F094E6B640FD145BC6BF7089D
SHA-512:	9FE472D46E2454EA273DCB5E4BC37CA56C442C8A724CCDFD24388F91188BC4A6A687F022BBCE7F813C66261952C1AF2A87D13AAA221EA4DB439F1955C6F3605F
Malicious:	false
Preview:	.H...x.....zl.j..])1p.9.~.^........P...q@.O.O....n........H...0....../s.i}..%.....]...J.hO@....h..u.f..$s.-.n.A;..1...OR`..D....S..m..~E.2.S.#.~.......l.o.#..:y<..0...5.W.u...F`.....Cdt..]^M...E.3..-....Ve......!.b.ng...Q....>#...:i`A..e).F.H......Y..2...Q.S....7.u...c.v.......+z.Wc.Qv^.-.....<l.......k....0...\....n.._p.mY.Ps...5....2..bX.....O..R+..._..O.i.C.z....F.%1!.T.1..D.r.re......".l......\|..C.g.P..W.J....3...j:.K.M....`..F.E:.w..[.V..m....J9.....x.,.x....r'T....{.Y.....@......~Z....[....(..(u..e......%M..;.........~...F...........#..G.V...o2.....0.p...../).fM.........WP.e.m.....b.,....,....p/W..Y.Q.d...L..x.kMe......D98......~.....X..b.....J_.1./....C..5......s..S...).h...D.....).l..\WH>..lA..W.......X...%{......L.QGV9......;h.S{.juq.....OP:T-<h...G%..Y.W."......[.....&H2.^.v{..../.^.t....GJ3 .nCE<...+'.h.zP.#.MGS.....e...YB.....d.^h!.ao..H....}...V.)...0;.....@........._.x..G..{....^.../.

C:\ProgramData\Microsoft\Diagnosis\Sideload\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\Siufloc\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\SoftLanding\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\Temp\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\TenantStorage\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	29016
Entropy (8bit):	6.130064221912058
Encrypted:	false
SSDEEP:	384:rADczdPyZ3YODkzn0DZil9nK6dZEnwywNIKADkJxGeGM4B4:rAgGDQSil/dZEFwPADyGeGM4q
MD5:	7DF52117E9CB6FA50C7A0205AE644896
SHA1:	47E4213187064CA8A11B5EE62BC8A2E3AEC6D5D4
SHA-256:	6D64CEAEEFD053621358F58FD252927500802AFE5DBC0C5A7E1D1A62E0A27674
SHA-512:	7833C7FA7888BD816D2D07EA0E1A447162116F34B9490A19B9B89F1F11D63311416CDDA1CCEEE98CAC384F1C8B1B24B1987E8332995159D6DF7DAB81AE46B920
Malicious:	false
Preview:	.!#...-.Fg...n}.. >.%X..}I9..$..9...GA.<O.6=DLU.Lp.j.A.uo...?&.Oe)...m. .^..0.B.@9.N=.5....#>.......]89.....Z...;h:.nL.26..0.b.S<...j......9A...s.,iw.3...O.,...A..S...$........L... .m..;..Edq~LI.t.ZJ...X...Hy`6..>M...i.....~..i...<.(HL...iy..I2T.....4%..:a.\.a6w./....bo...~C.b....U..aOY..{R..O.j.....S..y....Y...d..\|3.Qa..Ir.n.B.%H..+......0R.p}+.\|p]j.......EeI-.Y...../B...T._.0.j...w..[.T).......dJ.Y.cm..!I.[Ae.~\|.A...J......l...R#/$.......v]t8...%R.m.btb.@...1.9 ..=u......v.:.......$.l......Uv.y..8B..u........0.....v{.dO..+.Un..-.r...v.+..W?c1....e..(./.g.......n{.....4'..Z.n/....Z......P.....].v...7...1..a.._...;A..o.4.Q/.FeX...1.....\|...?V.@.... ...J.b6..n...$e.a...&M8...k..\|..,?.rWO........<....Z..>B.l.5... ...D.B.Y.t.+z....6D.>......W3OG..P..."..].^.e...e.u.......=.$...]._.1%.../m.u*5.^J#..z.k..@AF...p_b..h.....h.6%~.H.?7....I..W..uN..I....!W.0..~..f..t.e{.ov...^.6..".,.n.^.w....I.U...=...n.....Ss..D.`...3F.!P.GDh.....?A.C

C:\ProgramData\Microsoft\Diagnosis\osver.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.066643238752098
Encrypted:	false
SSDEEP:	6:mPy6Y2s9KYpxJM9mfKgV9NKTQs0pfahm0i9DrsuBLJUoJlp/G5z7W2iD0:uY2s8YpxiKJ9NM3EP9D5/l2xe0
MD5:	0741BA2FEF8282A685677D2371283D52
SHA1:	15A0F385A4160726C7072F583D6E57D11757526A
SHA-256:	D3E1AC8E51174EB1D14BE7D559F3F9E68832D01A877FEE593B1F2A8B79625982
SHA-512:	F596DFFC97CB2844FE39601F982CE75A1F20F6CD69466507B2F72CAB23E493B3E9B3AE54D496B4B6C998E8EB1F596C7B133CE6FFC722F3CEC2B23F7E47CC89FA
Malicious:	false
Preview:	o..}.RU....O..&MEDUSA...................V.J..o..a."...5..r.-.[......Z? ."?P..)...7...*^P>1......b..Q.,D;..A...w...w4...M.A.....[..C......<.x...x!.J..Y.....-.6.<%)f..a..._.9.8.Ei-..Q.f..^.r....[...).. ....4)......o........A..Z..qT6...].GLwU.l......arm..D89..s}d..O..+.m8..".&...N.+(...da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\DiagnosticLogCSP\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\EdgeUpdate\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\EdgeUpdate\Log\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	365016
Entropy (8bit):	5.467710099379457
Encrypted:	false
SSDEEP:	6144:lnXVy6zScwyPxTqul5ZthY5METmRLu17Yq331rnj3q6d6p/:t5n6Jx8
MD5:	4D1DD247EF48DD58C82B5008243816EA
SHA1:	1F5CBE7E71A1C9525C936AA0389B0648E3E30A58
SHA-256:	BCA221BB7E77A21A2AF7539F3CAAC25AE2326F9C883F506A5E4CDBF42F5180A3
SHA-512:	95EFBB5C5C6B8186235ACD30102C887F86ABCA1C24B8BD05B7F66D9511BDCEB44AAD00B874FDD169F00F7EBD2DA6965C309A41402E5F0643FEBEA6B8512E6B7C
Malicious:	false
Preview:	..(..X'.&.....8....B.._.V...(.)Q.t@&.T...].......k......m.........t@..a.S...}.....2..F.Vg._=.....g..d....../..P.Cj..SL...];..A...I.......\X..w..{...!.....q...{..........XD.e.!...PO.#.{......^.# ..P.c..c>N.E....HJ......_.kw....<....w.N/.C...(g.:F.....xU#U..7....sR.X..."..l..0......d.....%M....Q.nv..uV_.-.^..Z..Z.. ...x.=.....5.......e..'.$...<..kv.FG(U-\|.Xs....9..E..?.!...br.M.?..w].U.}.....k=..p.?,S.:...P....... }...z>0jd...(o^.&...`...W.d.x...6..H.....m!.j....:..D....r.....}..~......@2a...)$'#..M......b../..?...\8..{......@_..W...".-.7..ZHCt!F...1..q'".@\|..CL..#s...8.H.m....[c...j....~..1..?.qv!.t. `:.~.1>.f...46......b.j....B.i..ZRP.R/....f..Ogz.W;<...<]...w.M.U...)..g..ZNj...$.. .S3.R,Cc!.Y;8......V.....G........r.f.$.... ....[.HZzPv1p.{.l..Z.gUDj..i.....g~:..G.^.q.......e.$...j.s../83.. ..G....d....uC.w...<.2Q...7...5..b@.m.,..\|85.#...mTC..E..K..rg...(v.C..t....X*I..n.@.....T..s9..C...@.f.N..}f.u3..=...~B..&.v`-..7H.5..\|..kM.@.i..

C:\ProgramData\Microsoft\IdentityCRL\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\IdentityCRL\INT\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	13320
Entropy (8bit):	6.944127318420755
Encrypted:	false
SSDEEP:	192:O+WwxWHzeJhSzbM/v72ENtY53LZC7UBIYmt1/u/fSy51mcxilLKjNIsK6iVyu5Bx:JEHzWubMMNZJBIYmt/y5me5XiVbBx
MD5:	ECFA879C31EDE51ED2178A6D43EF72E7
SHA1:	B866A93880A13EED453CDD4A0781BA68E6BF3FD5
SHA-256:	38B9910246171E3184976159092DC0657EE63A88ACDE18FDEA4B0B127632B651
SHA-512:	81A17C72EB5FDA15FC2891E4EFE333CB728746E93644C06AB9BC517F38D5B8FCC5FB65689B3387AFA3781CECADF126CB684D6E1189918D76FF104E012422CBE9
Malicious:	false
Preview:	#.oj..j9}..F..I.I..........[..../.......^.w........Sn.9.....LT5.M..'9_...BjH.\.......m.u.tC..h..6...~^4(...1&.K.J.<.... .;......&x......4......\|.#..#tS.....t.....b...05L..\9....^7. ..2.....=Z...46....j...\|....8(.!.K.i....So.`..&..0.....=^...]83Q..U.5.........M...6.:.....].a...tFV.qe.....Az..RT.7.&7R.... ...Hf.>..J.....U[..W4:..\|.i..(...p..B.h...u...x.~.p..hZ[...V.g..w..H....O&..@z....B..'W0...?.{..'.R....A......-..07.k#n.Bs.!....Z`.yA.t..QvO.4}..&..4...l...-.QO.p.j....H....N.... l%U.Z....."X..t...z.)&.&:...}.S..d...RE#..Q.....-..~.0....[].V...$M.S=7...h......R...UM...~.C.J....@J.....\|.}..:...i.o......&.E.=.D.@;&...!...;#!..?.S.].qc1..Fm1.{...\|05.....u.......\|r.....`G.x:........!..w".....x.....k..Df$..!bB.Q....\|]^.%L..c........v...5...f..(.7.Fo..\|..M.u.PoHa.I.hy(...%].......A!...iF.nq5.H-.f.M.p.E.t..<.H8ph......\|.<..l....T.S....7..Yrs.h....ETF....:..1\|d.e..\.!........%..)x....jj.G.=..C.p.:.wE.VZ.cw$.._..c.=.1.H.J..l4.$T

C:\ProgramData\Microsoft\IdentityCRL\production\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	14600
Entropy (8bit):	7.060077474086633
Encrypted:	false
SSDEEP:	192:4xx3Uy9vbKKSHKsQ3OfY3LZC7U/IwKZ1bSvHSm5128Z1gKmoj1vBQIpf+1PXbFlt:fy9vuzH0ZJ/IwKZzm51j9f+NKFKbh1
MD5:	37B6195CCC11F63469C5BFBA3A7A81D9
SHA1:	50E6D39FD1AA6EE4C4FACD44D61C9DCA39709040
SHA-256:	5C4C7A070470FFA8E3A32295C0E739E73DB68449A955B84E71DD71F715D9895A
SHA-512:	AFE8FE8B0487E77F69996931FFAE787F9EBD6AC72258DEA05F7B9D5A59279F1B7F7B8020A38327D7575AA65BB22E7D34FB727EA41FE7592EA5898772F85D4B52
Malicious:	false
Preview:	#X......q...\|.-&zL.h".....zk..\..u...,.^.........\KF..Bc-.G.^s9j.%.v..oU.C.h.....RS.....mn....rv..%Ic.Ca.:8..8...'."...V.....Yd.#. ..$.N))...r.... (.....g..UY....{[.../u.t....t..M..!.7..P(K.G`..Iu....K. .ME..5.X!..;...3..&..c:..$.2p......4.),.;....>o..d..;...b.W...>3m..>...`.~P .,.D..-.d.S...=....Z..w..W.q...N...(&v.`$.QI......t.\#..H..M.Q,.l.....Y.I6.y...}.../O....?dA.EJ$..`.....Hq....?..;.`4Cs..r...r.:.<...h.".....X...<.%.....S..QV....)..<U..s.n.....X..g$..]..KR...-2....v`x.ea..z.e..0..B...{h-...s......HC..v]H.$.9.Q......'p....1W).eb..=.n{E..M..u....!H..r........Z......gzV....%o....a..^.%...7onV..........\..0K.[...q.....FN.w..I.A{+.b..-z"l!...AE..ob...........)h.qf.x&.;..:)...Th. R3...w..4......d.6`...$..@74R(..9..&.-........9...1.p/..Ypo..5#)Qb$..FT.w.k<....x.,N...844........qL......5[>xxGDRn.e..a......YR$.R..>...... .1......F..[.=.'8....,.....5...N_..\..<..e.C......P..uI!.q.C\|%...xu.....l0.J$..`.vw+...y.0.....Le.RT...........Ln....

C:\ProgramData\Microsoft\MF\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\MF\Active.GRL

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	15320
Entropy (8bit):	6.485949561629572
Encrypted:	false
SSDEEP:	192:fa8NJtMSERMrws3SR9FBaVhRjuQEar/hbSRIMLCJR5y9KJw0AOFeu:NJt0s3SR9FBChRAUh2RIMLc5pLN
MD5:	FA79ACA98ABF4887DFED634C67F6BE98
SHA1:	DFF311B0121FEC3222528D4DF8A69DFBFD003AE0
SHA-256:	E334A8A5C16395454B76BD438D128284DFDBEB145007EC5609B151E28EC51F51
SHA-512:	E07079E007397D6EBEFCA7312BD6C8181C07582C0503D182BA5141D4021D91DF6BD17D33FA99ED46E6C618AAE3EA31ACC9D25969DD1F4C82C95F243FC1B1333C
Malicious:	false
Preview:	......=.3.k......L.L.....L>....W.N.....F...F...........0=..aIL/./.,..l.P..g...C..C.SU;.Z..f..R...'#)t...D.!.n.....Um.....t(....RL.....ZR.'.A-A!...\|...l.C.. S..[......MlN.N+t..k.=4..m+...A.^..661..@#.?...)..[e......a.qsP.k./...N...<..4LK.."b...:.......\.qZU.z.E-`.t@".I..2.... ...2(%....w....s..U.N..m.....(..`.S.u............d?.-#.m`...^......."U.XW.......&O.%....+..F.1.ua..q.Ux.....W3.p6e..f'.T.2....F.d.b.:.{...q..'>...l.l..\|...Q1......k...v.W.5..B=....v.X.N..Y7.kvk>..v+...+../......R@.-......+..<$.<..vn../.........0\|j.{....._...Y_.dw.\|..#..y...].;.....!..%.....N~....I......y....!..K.!..7..2..R!..]p........T..I.F .e..j.,..z....Yf_.Ro...Q...2. ...se....q..zl.m..G...9..e.g1.....T..."dmO.[..e..Z..e.....rG ..TD.l&.-.X...d..i/..`M..I..?.q?............u..O.....2.....!......X.cK.....8....2....o.#..7....+..4V....0t.....j\[..C....(....#....}..6?.......=:.L..r.\6".A.... X...-.S.......{J;..a...z).....^..D.....S..Uv5..V...\|F.k...X....

C:\ProgramData\Microsoft\MF\Pending.GRL

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	15320
Entropy (8bit):	6.4805675865147
Encrypted:	false
SSDEEP:	192:O4Do87LjdiKSg+nR+vhRjuQEar/hbSRlJlXkstAj1u8:To4LjdiZg+MhRAUh2RCzj1u8
MD5:	67AAD1F42870602E503A8A8DB9EC2C61
SHA1:	07A44CA1DE24C66DBE24C8397057AA458CC0C344
SHA-256:	CA8ABC6B0452BD5CD00D64E54D4BADB3B8374A26A29B9CB9EE5C601C5B106F2A
SHA-512:	C9338CECBD5787F9CEFE6826AD1A80B0051AACF8483DA48B40BF3D2E691F66D4CDAD5DD7B710E9112CFB31AC6742BB1E93BBB6C130A50FFC3B7610C467826D9E
Malicious:	false
Preview:	...\...L/.z).}.....k....z4..n....V...F..#.........^F"Bg.!.\.'K....{..)6@&.&.......Ii_&.".&.){zl\..X.....-.2.A..cn..e.4...xi..snF.~.........4.....w.q..`Y..Y.yC'.a......$..da...J.&ka....iz..c......~.@.;...fnd..]O.Sa....o..L.\<a....Y.S.<...g4i?._.~R.,h\oH....K.5...9.Y..J.._Kk.`ie..Yti;u.?..A..l.I....#V....Q[H..q..KF...;.nS ....p...f...&.@........Rt.W%.%".9."99......M..x..)..!....yu7.~p..J.U._.ACSY.G.V%.LO)x......J.v........4;..2..J`.5.yh..lNQ..e......'.....x...O.....}=.hr=....".%.e....T9..=M.A.D...9...H..fl.^r$..KE....lS\&..Tw.(.uS..hk.Y..Qx...a#....Y..\....[.._^Q.d@.<.....&....<t.. ..1.3......te....(....t..\...:...A...\|.T}.J......:.i.x.T..s.6...L(.....:.7....#...K....#:l..;_.j...q7.\...".2.Jy4..Y.Z.V~.'.d%.,]b..d7eV..~R.sb@.A\|.....S"..i3.F.{...Q ..{..L.<.w........0...zJ...Oa..G.pE...d0.\|.....p.........5V......&..c"aY..f{h..S29(o.N...D.A`5.....6.$M%.6..s...5B.....J+....p......-U9.o...;3..Z.....+.r..I}...w.G....V...Ph..]...Y.........}..>.Uw`...

C:\ProgramData\Microsoft\MapData\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\NetFramework\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Network\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Network\Connections\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Network\Downloader\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	7.958740374594894
Encrypted:	false
SSDEEP:	192:L1DXx4qHBAT2I3+0e1DXx4qHBAT2I3+0iK1:L1xXAT2n1xXAT2o
MD5:	A6484EF468B0306DC77D3228769120B4
SHA1:	C5E60624E6062E6C9F631869E165FDDFBA21A969
SHA-256:	9D522F7562517167315A58D7E5454ADBEC3735D3E8260C2E41FCC9975B4D8709
SHA-512:	CB986E41855EB773A0FEC45B118BE9A196CE997AD676BFC8D8D1CA8A4F6230D06B514AA307955EED55C0DAEE14ECEA218FAF92D1C51E7FD0BFD435AB386679E5
Malicious:	false
Preview:	..66.........V..c.EB.....(.UpA...~)._./D..C..$.......5q.=:.....rwW..<yd....U..U..\|n.....hz..,i....B...?.....!.n.N...o.\.&...U.%.j`.....e..A.....>k....C.v...o..+..O...?.2..z.."..hJ5h%.-....le9.F..m.3j....n.N..\|..z....Z.$.^.e..Vy..w.d....s..[...n..}a...qZ.T.<.....OI}..4....Ev........O....%/...e=.x4R..P.E.........F.<....};.......+{.o(...S...8.by&..>....+.P>.@\|...i.i~.......w.......;.]?{+.....0q...Bh...s.....rVC...6..y....M..p...v.X...1."....F..5.(Ek.A.U..oJub...^.....F..........e.).]...yzx0.L...G...6l....eugq].0..T..Q..`........=...a._..(ArG5...6..s...Z.l..V.V...5..WV....\6...Ir.a.d;.5.M,5..z.Z_.P..]a..../B...I.EF.....9.;.+h.bP...E.%..A...goD....N[...;H..C.p...H...p.)..@..5..[\.-..8..#.{.i6.6.......k.&.r..q..8.l..Gc..+4V..F..}..D5..M.r'...a..H..e..\.)......lu.......HS..S.)..R.}.cq.....f......:.....n.....g....h,...Q......?. 8<.n.+...^i...PR.).B,.L<..v.6L.......$D..\+7..G3..ZG.zV.V\|K...1J....9.XaGg..o...:..tC#._.....E..S.8F.<vV.....%.

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.5741854036849038
Encrypted:	false
SSDEEP:	1536:5b7nm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztak:RXC9lHmutpJyiRDeJ/aUKrDgnmG
MD5:	7A78E3DB27AF4436CF6EA62FB4ABDDFB
SHA1:	3F297206EB60882E61F3CE66658A3CE41372B099
SHA-256:	12617A66D5C91E02B4AA7A84C3C394A022F127F355658B0FD416E856C05B1F7F
SHA-512:	FE16D9037845565C4A28F8AD0DB21611B6B79CF44C49D57DAD033340576097A9360224033DF795D3AED5E84C3A2796D4F6B926FC64775332529BD866EF2426B7
Malicious:	false
Preview:	r.Ci.a<....U....A..;.&0.z&3....\|..Pm-?.z.=...c...._..~..J....lkXZ..Q.....?+..c.s...y.3..4..,.....AMU.-.u]?:_......)...=t.....-!...E..;.H...%?.z.(.L...a...N.~.U.x..t...g+8....>.....k\...H..o~0\|[%.....d...L.XMRZ.Y?......y...^.L..<.L...z...!.8...M...ce.c..9`W..v.J....]M.8&%....?.p%:x.....XF..A.y...^.1...M...\....W.'d....bv.$.<Qz...?.....k.(.cBG,.......;q@.v....-o\....y..E\.".).u.M....D....m.P2.{..4.7._...y;.8}..8)........Z.-KW..\|.. ..5.+,..l.d..@(...pZ.n......w..........C.e..t......R..%......=.D#.].$H.Vd.J........@.8.%...2Y.{O2F.j.h6I...q6.r....OF$..3^.M_a..3.W..0MJ.s...M..A...=.....e\..g........U.g.$G...z.A/ .2.?e..RQr..Q.K..4P...@...5.h.Dzc]x...7\D.._...............T.N..".F....=r.s.eTx.....q..JnLr..e..._...i]...s...g...A.^.......U.&C.......r.......r.#.U.....>DzM...TI.8...u?q...r.hn..-.6...y.]&o..v..k..8..^.).....'....R.q..@^.....T....@E..)....q..w...D.;.1e..X 3@.....8..+f..'...O..N?.....B.. =.O-...k.}........q3.y....b.am..!./._

C:\ProgramData\Microsoft\Network\Downloader\edb00001.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	1.562769224049361
Encrypted:	false
SSDEEP:	3072:6LtxnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsXYsJoR:SNooCEYhgYEL0InkR
MD5:	3F3EA3F30D2BB40759548BE980BC0C22
SHA1:	4F4EC2AF37315890142C24F44DFD0016A8FCE826
SHA-256:	DB8353149737F521BDC4560DBA68C35EFF4FAEE835822308999AABA0C8839089
SHA-512:	09BF78F8515E8A502C84B3BD62779188275F9418673DDA547E1C881E4847CE65B3A45E559CDB1D80780B434ECD55BA4004A0D11E7F59CD824B1FEE39B524DED1
Malicious:	false
Preview:	.CL..3$".dyn..Z2O@..>..)...-<.z{.\|T......qJV..>.Tu[..+......7..h>.6........T...,.3.I.....y#0....!....s...J..0. .f....i1.j6.i......_.:.>b....e...w.J..).f,S~.<....b%JsY.\|.u.....k. .V...(...[g.....P.Xa...'O....Cm...v.E..<..xi..b.'1.....I."S.Fr.B....&.H...#'o\|....\|3m..?..........N.cN.xg........F....\|L.c.=.$...B...P.bC.H...B.........FD....`......"f#).#...X...x(.GAJ......UN...OB..>..~l........)..x4...p...2...?P..k/.9GTD..qU...kDw)e..te.l..D._.U^F..........x[.i.1..".5.x.# ..i.qX+v..a]........zf.U...Rp..C..}.^.DG...i..X..=....-.y=......F#6.}...4..d3.Q..F#....pp..G..U......sL1...@...2/K...yL.lX.....$.....Np...x.$..F^O.k-B!.-r3..:u.u..T..xh.......s`.c.p....2o..8..k..q..K}YNn."S.1.J..?x.....X.>AC.-...~@.H...BdI.......$nC.W.+ .k.........@nKX...K.....k..*-=C^=a..o0..{..yI5.T.t5..........r.....4....0....S.../..s..d.........h.H.D...Tu,.u.{...J..].<..%..h.O.\.....)...[9..\b.u..5b.KW..0#.l.'........H...9.....K.YB.5..l......M..s$.WY.....TX0.h.a...=.\|8...O....F..>.

C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.1079003759840901
Encrypted:	false
SSDEEP:	192:S/Xx/4nvizBryZOpus/Bs/Xx/4nvizBryZOpus/Bm:SvOnvityZOwsKvOnvityZOwsw
MD5:	AA4C54D19565477D5F3E804F8482CB4A
SHA1:	012B6DA0133BDE3C83ACAFCAC06350337E1C1C04
SHA-256:	86516AA8834C3E3A8E433FBEEF257C19594F2C6BF7CA43BF9A2B3BFD8A57C8B5
SHA-512:	626750E7DFF934D1D0FA1C9846CC6BADC44CBF456F2C978BEE98601498D9CE7299C4A4CDE6A0B2BB8AFF923DAE1A20CD4397F63F3D683C5A5F8A7DC383CB7F2C
Malicious:	false
Preview:	....L1....#....p{2....u=.H..$.l...0.&+...GM..R.....n.%/.....<7..$.J!.0...... ....qW.6../..7...I..b....#^u..r...n?....-d.Y.{...U...,...3i.~.....%..G....G.$.y/..\`.....s`{.$.A....`t.\|..:vC.T..c.2NbJ%u.Uw....R....v.I......YQ~4..V...C..mE...84...].0.....3".......:.(.$..../7R.f.......w9{W.....a.X...t.2P#f.ih...5....-..AM.H,....(...W#..$.P.n}!..7..A&.]u$.^r.I..K2C.6.....H.;.S0.j....g..nz d&H%..y.........)E....1n....L......Z4.n...F..w......s.T..Fq....Kio$......>L...^....7.w...a. ..h.)..B.0..5.a........?....<XK^.....+...E {4.j.1..<..$&?E.8h.S..GkM......r..m#.g...S...@...g.Y.%..q...l.s+L>.o....O..$...t..A..pC..x..~.A...."...{5d)..w....5..l-....:.Tn.....r^.<@:.....0L....z.dh.....?......H.OSH..E.p...h....?_.=..\Cj..:9.....H............M../.....X~.@m........y.o."q<.....8.D.H".3,...g....K.QO..o.....,.Y.mv~F.4....Oo...%q...c.:.....J..^..C....A.h..X...O.&..O.. o?..bb.".Q..........o.&....s..Q..W.V.{..X.N..3.*....._.......3._

C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.10792275591905623
Encrypted:	false
SSDEEP:	192:xmBT5jK8f4qL2ewcnIKLmBT5jK8f4qL2ewcnIKhS:xmBTVzf4qRwkpLmBTVzf4qRwkphS
MD5:	125633E5013C73956AB8258F80DD5057
SHA1:	3F54A0673A72B175B6D502EBCA24CD1156053594
SHA-256:	FB892D3FFB8440D45FB7E3C033C05C6880DFC15C6DFEA032BDD9A5DEC8C2BD9C
SHA-512:	ECE890AB4EC0215FFA9ECC25AB073FDBE70CE793B2FB7FA1C1279A07654F2DAA2EA5DC90E7C504215EB6518C4E63EE5E9B7D8896BC680B9BB00CB8A93B6681E9
Malicious:	false
Preview:	.R=.<h.1e3..........93...I.\...Y..D.Z.=....o..z%.<..b.>.l\.diP.bX...[]jTn...s.l..M..s.!q..\|{.&Zv.(..".?.!~....b(.L...:..8..E.uR>.z\..x...aW.P..%,.%..."?. !]..E.O...5F....f.....[asS..%.......^.2.sz..[.[.:.......O5./.9vh.....V...Kk.N7.BA.2R.T~4V3P....t;.0R......./....3.%6....fF...:.......'......5.q.......[..C...L....9....+..Dd.1.3.m.j......s..^..Sr..b.....{.....n...;.dB#.17!...H....qr.R....Y1$..X.:3...d4.k7m.0}&O.++.t>..U8.\.....fg.RZ!>..Hz@..k..n.\|?.(i/9...C....'..jvn.k..5..<o.7...,ug.b...R.......5f'H.k....z..K.m..]#.T+.J..Y<.....z....6.....&fI.iT......!..H.j..$..R...... .....}..{2H.P.P..... ..)......r.G..>q.N.l3..A.-..Np.<...R...O.i...........q?,C.32jq+..j.S...x..4.inc-DS.G0!.1M..H/.u.q....:"G./.....a.....2Jd.~w...S.L....._tkZ.)o..9.......=\N,.H.O.kQ...X..........c..t....B_q'jP.:...X......,gs3e..4.p...........I.EP.....mAO..:P.)8N..Y^...J.....a...n.p'b.;r..b..j.z.T_.O..]..ZD...L..\|}<...A...~..$.\|.{.:../A.NR..+D...K.1.....'.P$.

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.1079564239582651
Encrypted:	false
SSDEEP:	192:JCVNzh70dISwc1Qn2cpGmCVNzh70dISwc1Qn2cpG33H0:4VBZ060VBZ06I0
MD5:	AC90CF7520E0B61C6B085B6BE2BAB9F5
SHA1:	DDE56729AEBC629053BEDCF6021CA526B2503C8A
SHA-256:	A1A9F56DBAE3FFF2ABB3BF761E8DDCDF19CF0C8705F1156B109AB599CBAD96DF
SHA-512:	3D6E7A386CE3115394D8CC93B424B33521447B1D71E94EABD0CB3586EE5EE456D6D7CC85721B30E5F61F67B3172BE105BD923DD9A23DADED31BD88606F96E7BC
Malicious:	false
Preview:	'.-...).C~..p.3.#P..!.;X.(....C.=......B..v.0.k.M.....R(..C K&..a...m..Z...%.{..\=.+.:.....g....^.Rdp.a.p...W...j~l].T....e....k...X..I"...s..L0.....{rf..>1...4C....{.....dc:..Kc.m#.%..b..V.T.B...@:..6.Q..o.w..T.Je..,..M.bS+Fg.F...V............A+.....I...#MC....(.Um.......e......RE.#..q..K,x.R.oBNk.....q...r\.Y.t...gp........T.m-B...o..-...T..x.U..[...i.>....l.J..S..J.].Z^..$.~..7.&.........~.....&UQl....4...=}...M.'P)....p_.U..o...}=...f....T.\|..HF..TTG.....`..Z.;rc.q.n..;...AErW.....E-......j.3.WH.(..J-.......sF`CS...u..#..T.2_.....!...%.xBo..ST.E..6...l$#pB.R...p....OY/...f..g@V......_1a.b.(......Xm..).3..Yl.Q.D)b...<.?.a8.z.+.r.j..&}..Af8\.........k.....]...!..R.C..N.R..x.?....m1.?..^..'.3..>e.....g.v..v.....W#l_9t,.....X..Ox.\.hi..n.0..pg.:.OQm.?.b...B.......'..6W.F..e.......&.1R..v..rd.l4C.y]:...L.~\|U3.,......F.....(N;.v.`..Z.0.......%C.....c.s..Wx,.R..%.v..w..Ic..].........@D..).wm.ob?.......v..Z... 2...{...q."j,...v!...."N..Mwg.

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1311064
Entropy (8bit):	0.8041203563907666
Encrypted:	false
SSDEEP:	1536:G8SB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSD9:tazaNvFv8V2UW/DLzN/w4wZi/Zf2a
MD5:	4C869888E5D387D39BAB1AF332A9139C
SHA1:	C7EC66F4C284E2522414040C937757AB99B8341D
SHA-256:	135ED9F79B741221C41E854BF852D87376750DFDC45E5F202787A47BCC56D189
SHA-512:	36053BF435C41309D94FBB0678901BD8B86DE512DF1701ED203C252929809226B01869F656DBB4DCCEFB5BFC21A180FF514881770B7B0C1DF0D23AD3BEEC6803
Malicious:	false
Preview:	..9q<I....%-.`j1x.....6.p.%...9...&...f/..\`9..`Ho)..'...]x....+..._Ji.U'..k.&...,.....D.F.0../Q.^O...8F_.6..ms.VPM.j....s.t.{c..$V.S)H...!.....8Lk.`.8..\|r....'6..<k...Bz-...#.wU3..w...0..OD.........Pj....w.m%..=3..jyT....A....IwU....b.......j...7=..dO..KW&Z.....p....o_.G.W:^...&..Z.........X..k.I{...NST_..8..R.. .\..e..X..$...&Xf...N....Q.....}p.....>v.k&.....ay...".......].....m..,.$.h8.km.QW.?..).......<.Xj.V...........H&C0.ms..%..."PwP(0...Xm......Z.W..^s.b..)..VOS...r24$.">....Z..@....8.....b....y.!...q.z...;.....x; .....Q.{.l.....Y.........9.]Mmq.`.P.g.3......n...\y..R.>..^.c.F.h.mw..;Q..\|..s...0..(.X.t...D......o\|.e./...."b.`h....A8k.B.^?MD.s....y_-.ub.X..............Ci.%.T.8y..)..Ew..)..,....Z...ag.;.GO.K....tl.8.....?N....d...>..^..<.j...G..&s...``i...7.....K.0..B..........>....z.@.4zX.&H...A..dF..36:+..nV...a&....<6T...2<..Td.....8J...,.0...!....":f..M.*..._.0.....T.......C...H.b........c..].A..9..)...s......L......@l.2..G.

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.051595206376848
Encrypted:	false
SSDEEP:	192:ZzJC0SpMNzhk7Ib4SJNmLL3HaRUgp3e6be2hQJqWHUJy9xz7G:jC09z6h4KzHaRA6/hEqWHUJyr3G
MD5:	69C01714C96FC1F1617D2D18B161A87F
SHA1:	D9286A2A000656207175C25D5C6EF30D64D9BF30
SHA-256:	EDEE8F2D6955D5CC9123873179A4B4B5AC33C813676DAFEDCA0B7D0548C79C81
SHA-512:	280A2BD9C61B04FE4D23CB6032B791F914DF09C1A73FB9ABA809E3ADA8BD350C3367CFB7214FF4C33A202FAD29988D833D2A3C57F5881DCB8401D124CD4B1422
Malicious:	false
Preview:	.X}..j..h.GO.p.s..d8.L..E...v...'f.......O0...N.7.e.6....`..\....k..zJ.P'.;...z...<..5.Q%..+.B..A.d...!.,.[:......&.c...#.....l..7.....v..DP.i\u...Q.!....^..B.ui...k..-U.=.... ..n.............E.L.e...e..U...@E.%F.J..$.fXG\q2Mu...t...+-.....aG8'.H.h.8-.M7j.m+..{.D. ....mn.R.:1.....N...=..+..DO.<..@..%.......g...BS...Jba.r........@..S.......u.. ....@..p.A-^......R!i.b.tN9.Q.W...U'.#g..z(.fV}wW....7.8.u......1...^..6!.........p..x{...Fv#/.i}.y...cG....M`..f.,.....Ut2.a.....X....rrF..H.BKp..Tkl,...^..K......l....(.......NIy....$uw..W{..x.j95.(.@.,.S...F...m.Q{.0...p.v....I4.2?u.Q.,#.{.G5s..\|C.w.7F.-5....NP.x...P......W!..k......[..gZ ....qM....J..~..Xi..z.n!..\.}....h]z.+y.j...........?f...tB..E...x.v..b.....!.o$_...C...])2..D.L{.m.....[....c..M..}B...&..{..k.$.....^...*e..3&.Q.~.).GS.b..d...A...$^.0...E..U/mU.v..V..'2\|....>.X.]H'u.T-.+N..!..,T"...E4/,B.;...<'..U=6.#_.b.....2=....T.v&.....h.......O9....nL.0..C.V......N.R....sa....=....

C:\ProgramData\Microsoft\Office\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Provisioning\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Provisioning\AssetCache\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Search\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Search\Data\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Search\Data\Applications\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	16777560
Entropy (8bit):	2.1020966094637386
Encrypted:	false
SSDEEP:	98304:kLwrVEFGi+KLAFicQ8ZEHjem+xJRlkwNU3le:+mKLAFicQ8ZEHjem+fRlyle
MD5:	F914AA67B21DF5449A21B25DE0F935C2
SHA1:	13072239C77F428C173D29D4AAFB472891327D9F
SHA-256:	DFA39A6EC8FDF2A1B03D71338E3580AE26F245601B56CB3DEAA67981185B3877
SHA-512:	88D8522841BD4830DB6AA5AD92ECBD90A156826801B38791213F8A202B3920338579F1B710E691A90135D945B9C10A48684B6C4BBBB36D4FFA81C030A44D1E10
Malicious:	false
Preview:	.l\|l......'r.....k.. ..${.m.;.@:..).k...\|....>.....+I7..iu.B.9..].gd....._.1A........&....:..3Z.N...n<..V......"H.......dx....c.c.....e+.@..(._.z...)2......U.+.+....xn....C.."s.<`y.[.j.......{.........BP5.\|{......._#.;.r.6*S....,.<)....j.Nv.Ylg~..[..#..>Y.a.8u.[..81Z\|~....r.P{.X\|.&v\|u.C.5J..e.S.....r}L.FqH.M..m.}.{.J..H.._.z....DA.....5:$.d..6.:.+......T9...+<...#,.U.....lK.>\|4/......K\.....r@.U...M.....Lq..g....E.X.....h....k.>4...:}.Bb.=.n.MN.$.....f.o7..]k..ov.6.p.hiV..H-.....b....B.4....2cM.....5$........<7...^RU.e..`....u......e2&.@.....}.a..u87.......]^.t.O.:G..D,...7...m.b.VG...5s..jb(LUW,@.gB.mX.Pe.5......x.o..v..V..o....B.<V.z..E..mm..W..`...R..L.&V..E.Jr.)AD6.U.s...sa....UpX_.j.....$...&..^.......uX.r...o..."cIO^.uh.....Tg..:EN.......I;.....'..(z..-.L...hf...T....s..4...3~..I........EjH..t....A.!.l.Y..\.B?k..v....\4..B&...".W.W.]....6./J.i(...(.......Q').........V..G./.6..?..<-..Pn.,.-....x.i...A.B..t..$..]P......?w}._0.Fp.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.jfm

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.0910813977701945
Encrypted:	false
SSDEEP:	192:P7QWjMJ6jTk/bmyxBV4t2h65Ka99Xcvwjt5CEvcUIPw:P75jMJMwmyz7Qn8vStLEUL
MD5:	1B715434834627C5B8AD40371C2FF822
SHA1:	97B17EDAC153EE376CEBFEB092E86D4B53F39295
SHA-256:	BF487F33D3F0A8BE795AF75B97F1A5451434B6094B40CBCEEC274EA20B8B0A28
SHA-512:	7313427D45A144B541216E3110E8E02D15C2802CAE3B3845E6586997EE37B41ECE57C1D9DB0475E0356068428235450AD7B67C2F2C2BC64CADD9B9E385D69E7B
Malicious:	false
Preview:	...B......+..)..P.. .k..$2..t.h...M...."h..R.x>..........W.c[..s...II..b...h.%<..L\..S6.J....r.4....v.K...O........C..;,...q.9.q...g.W..%..+.2.o,...B..{of....3..r...$..c...9Q...W.N:.7."...}.]W+.d..Th.)<......#.......a/..6.s...t._..........p.Qr..j]"....a....v..i"..#.b.7s.?..Y8.e.k.%.9...6 .v.=G.%8.mYB.6a.~...^...._.....iN.......$xdl.....Vb.e.XZ......>U.N.1.g.S.=.. ..s.......8p.o....;o...FT..."B....(..f:~W.....!u-..#..j...c^._9F. ....0'....?....L...:.vUTz.d?..>.(..w..o.....P.@...zT......b.r....aU%.&.2...."....bhDb.Xj..o....j..i......,.p.1..^F...E.A_...&.........w.^...r9......%U.j.0.1#z...OI....A'.p.mr....8..:.,%@...v....A....i..!..#..{...]...,R&mjm.,o..b.L...}[.?g..'.....0.o7..\|.A(.y..1K0R.)K..`o..qy.F....z...n4...0..a{....W.e....f..3$7....{..S..j.b..L...........\|..MH..5.hu........t..P.......v}.=1.Z-....-8...m@%...".....B..f..........c...n.<!.m........4....L63;+.h.O.t.......1..;F....e...~k..-.Fd\.S...\|..\|....j.Q.Si..#.{._.....\|..m.SB.*.a....]

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	7.957042790531482
Encrypted:	false
SSDEEP:	192:oVnqREwDIfQVsqkpN5i+UZEWYopVnqREwDIfQVsqkpN5i+UZEWYW:oyD2QHeN5iFxpyD2QHeN5iFL
MD5:	9C14AD70FF0068CBEDCA7A18029E32B8
SHA1:	F0572C4ACEF6C7855BEF213BC8CF223E568F6324
SHA-256:	1E0B1FDCFD482B541990A3E3E6C5995604A11A97A3B0E2F464D3A1EB0FC7776F
SHA-512:	E6BBFCE23F99D899711DB4AFDAEE7DEC21736138F65BF8814D617A4D891AD38FC56BAC653572F4CA0E86A72499DFACD6B075F1A2CEEB759381EABA48D14AC155
Malicious:	false
Preview:	..Z..V.....<.7/.......z".e.....w....R..]..uq..<...W..'w.%.Z.L..:...E>...aU..S[....]s%..sn-.....?fxf<.1y....m.l.h%...]..7........x...&.[k[.%.m.y...Rvey.\|.C.........n..BORkr`&Z....n......N....a.B...Kl.Rl......@4).q.2..'S..$.z&.\|..nsP.....l...p......&9..3.n^.C..&].e"...d.1+...N....<F......!u.....i.1{I..V.GP`...z...7a.~6o..pk...../w....u>...qV.p...q.Q..5....O.>3W`....].7"..z.\|...iSo.//1.!. e].o5D..J..s=.)...g..E\|.pJ...Z.....`]#....}/t1..@..<..0<S.].ax......... ...B..9.fP.}...ec..o>..$..n.".....X.OgwD/....5.v$5.@.~.T..F.........O.a1.....2>.2....I>..}..?...Y...b.M..5IOuShwhg_;......+.%.m......k..,).5.4Zl.....#.F.......d....<xO..6....O..g..e....%Q...i.....wx.Lpy.`>zrv.w.56..?..B.v.[......1.........a;\|./.U.}.......3....kC7..v.7.>..~.....c.,...w.#.$dz..$5.$.FNd.....M.T..Hc...-._..\|.t.fw..J..Q4.x%T@c..A._..J.....8RFP;...Y`..D.]...I.c.4..$.w..h...=..n..M..e.W.Wi=..cA.......MoH7....-PC....5..9 ../.i.K....jF+...(. ...\......E'.bJ}8....G.M~..e.^......

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	0.21482524716535992
Encrypted:	false
SSDEEP:	384:MIVhuNStxJ5xF/82V5sUh50P8J3Ffp10L/VL1Bl+4gMbVb:MIVhznxF/1V5sUh50PCFn0NL1O4t
MD5:	107EBA6DAF4A36A42701F9AEE2077367
SHA1:	BB8A36A06401EEEB2BDC5C2867A4EF10CF3529CE
SHA-256:	64BF73F133EFCCC479BD1F09DBE9BD8C88980CB8BD771FF45F1A342CCBEB11EC
SHA-512:	BC8243D7C3D579827DD96270B65D8A7B933D2F9E9F87DDB2138E09891AA093C1FC13013708A21EA7A4206BC48A47628F34EE9CDF272170E18FA10D50E632C799
Malicious:	false
Preview:	..b.?.n.{.........g....:...\....Ur}....>...!.....k.Z...m+........B..F......&L~...5...6.g.X.>.\|g..ID@~./N..g.-K1...m.s.nJZ...d%.2...._1e.%...=^....Z..~.I@.d.8<.!...tq.....}c..U....h<.2=H..%....#......CJ64...!...p.H......I.=c.d..<Q..n.9.`T...l60..../.\xp=g..3...B.~.;...9.....es.]...Ik1.....Sz...^.J+...<............'.K.\|.5k..0...#.n^DJ..._(.....4...G..n..3.Z.\|{....)[..7D...^P^.D..g...f,._ ...4.....9'..a'\S..w0..\.C..b((.Lu.~i......Yr..]......../..d5.....0.Ym.K.s&..3,2>.`k......o._O.p...G-\|.....KF..R".....iZ0_..9..\...8B ..l..[.'..y..U&........Q.F.~..<(.;. ^..B.....9.....o......_..M.AC...H.N..U~...........8h......~;t..o..)......r..<....j.V.k....q...eV.....8l[.7.i..<..C.!= J.J.aPM.../.w.l.\M.iw...2...D.Hr.l.5..v..$&...Iq.....l..v8..V.qB.o....Wp....e.y.y..u.....L.b.x.P{.<x...x.6#..cxe.......O...I.....6 ......./^w....Z.>El.^y./F.s.M....(..0.X.U.0.s..Dk.\|k......0,........P.jw....gEA........@...6.y.P.'d...+..~..{...M.....5...

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00011.jtx

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	4.131958928945475
Encrypted:	false
SSDEEP:	12288:AKVjathnDnytIy6L60k/akmsGvZc0qkhXDd72Fm962p7ISW7rzG:A9jrhpyk66DW7rK
MD5:	3DC26C586C845B5E5E19DD798BC6FAF4
SHA1:	977287E6464CD19AF37198AAD3703D83DF6C40B5
SHA-256:	76B39D7410CD73CCF22E1429E81ED563938E2C23D35035D3A979FC4547553694
SHA-512:	2B35225DF20776B184940C0F540E3DE4422333ED6CAF89A2DA21C7CDD851E74CA138F225E82AF7EFD73B5307FE73F481EACFE006FA97AE1466D1E24CC49DD35E
Malicious:	false
Preview:	}.[......V.!.........3Z..fK./.:.M.7..k......L.c.F.....7].9..i.Z.p.M.v....&6C.n..d.AC.".....`9.<..i...\|.9...;u..7'R...K........4T\..z..p..S,$Q...[..a5..QoA*.r0.Pz..C.~^...P.rf..........b.>.._~.......D....}...F..93kG.........Y+.S.....c{]..,...>..4,x5.BP......y..~.o7..fS:...X...R..n".u.,d...2O&Y.>s.2..[.!:T^.M.a..Te..(..f.h;..-...[.g".e.d..............X.J...X94......b.Q,.=j....3...:.l...o0...j.E..0..0.6.yn.A.V.+I.(..b...$......YnQ4hd.P.1G..%@.../...P...z..o...).d........>'..Q.Ng`...6O..M.J>o.q`\|o.u....n.0L2 ....PD.....P&...dC..$.......Z'X>...b...y...h..M..._.l.F3..E4WG1...1].T<v.7..!i.@z.Q.....n.w..%...X.\|.nkV9..]d..8......M......Fo....y..W....2.LIY..t.6....y..;Tt.. ..w.Ji4@:..m6..}.6p/...\|.'K..<7d.Q_#..K..eBkWflN...-..;.0... 9.....#.%.I.....{j{.. ....4.{.o.H..sMx..!i...y..B6z..$..h.>....gz..T..?..J..'.pL..L..=.#..#.M.Q.O..#Nq.7.....^.V....(...d.0..y..,..^e...Et.N....N<.......g...y.jj5......k:l..S-.`F,....p. 3.}..\...<...r......z.}.)$J...0.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00012.jtx

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	4.620902962550584
Encrypted:	false
SSDEEP:	24576:TldktDH4q5xXT3j9NxXPI/ZooK3xXUrcUtINyhzCFQMOiaws7SQxX:TldKDH4q5xXT3j9NxXPI/ZooK3xXUrc+
MD5:	93D9A5DD52D613EA6F6B3C8E3D09B96E
SHA1:	6B152F2E2FDFD8E10996C1FEA3818AE38EC6D720
SHA-256:	801AB5C226754109D2D6F8AD0E2A8FD07AE9B16D08AC2DCA401E34F857F836C3
SHA-512:	BBAE3F99EA0AF222A883D79FF8300009F877AD760F869A1B27404D1458E1A165596C0664C7CC3800ED3C6590892B695E1373384AF1F2A3F4D5FBF3D4FB7BE49D
Malicious:	false
Preview:	-.......FY.q...6b...K;..T).u.v.ve.c........{{u.G.4L..bvW&P.h.i.S...w.....3.....0.$Z"...P:....gE.d.5.3.kM2..>v.>.Y...T...=.R...>..P....F.\|l%..`..].X.?.n.n!9P.e.SN"..)...6.r.......8^.,.K...c+.P-.0>.o.E...E..(..?...{.....X\.....w.z..3=.6z....-.zc..P.........n..m.t..^..w.l.p..5.}.d...5c./E=BM.#.=..JY8..B.e.?-y.)T..-.$.`.V...b.G. ..Ul...w.Z.Q/".R>..M.I...#.m).0.M.......3iv..U.T....>iN....`...J_.x.`U..N.G?....`.....rDD..s.d.1';%.. ..\..d..h.)Sn..9~..E./.......U.BIk.R.Z$N.QhH.^....O.......W.Tq..Gf.l]x.....,}?.^F.j.D..........m....@1....P:....\..X..SM.a.........,..^CBHz.mQ..,-...2~.2?..0.[U.<.&=.6..+nQ..i.R...C.\."..(\|.u..0.......y....p..e.......>I3_a.Wy#_..kc*.v..O.uk..1+v$.u.}.U3..U.D../..b..K.`.M?.f....}.U..I...%P..E..+.. SE...f...8.1pl.c}.......S.....ku9V...R.So.....0...m.........vx.X........,X....z\|.h.3.?.+J^.5-.8&Mry.i..X/..ovIE....;..u.t.......q.(A..&<.M..y...3....[.s....Y'].c.....R'..2.h.Y..."Y.Y.."9... ..I.:.........i...G.k...K...

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00013.jtx

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	4.177294637400534
Encrypted:	false
SSDEEP:	12288:XhoWRrRTCEda74xOPcVyzQJGn0NqLIhDuRG7Q9aHE5OjIFCP8h2hQ/PXa5OWjQWk:XhoWtRTHlEVj
MD5:	3C6A5DF3B185B56492291CB9B2A125A0
SHA1:	57F17ECBC6FD8EFB3D25108F52F7577366C56512
SHA-256:	FD9A8313F97AF07B0C6DDF5AF7F10CECC0A712C34C4807956132969818475AE0
SHA-512:	929A601276520ED25C880ABD3BE2D52FFDFC6B99B06F923CD14FC6A6C05D0F5930630580D21ADAB671C0D317326EB5A27440FC0330B2CFA4EDBBBDBEF7BB4E42
Malicious:	false
Preview:	6...It.....(X .f...KmC.[.ao;5`..,x..B.I..v.E."Y..<gHb.B...."...?=...$+.W.../....:.=..I..h....b.R0A.-.........;.s...%..1.b..?..9.......oo...]...W.d:S^M.FYB.D)B.OO[\.q._....7.B$.i.E.. .T.......H.T.........;.....p.4.{.'....K.H.gM}.D.L.=.."..........e..^ly..D7b.).y.....9.. \,...D"WV.V.9.........9)/.V....?....,.n2...Q>..{..Q...R...E...EY?)...('.Z...u.H,....B.,.l.^......}.dz......0>..8..D..<(?n.......n..x..2.5.......[....#.bR:}.5N.v@Y......c.A......Huf.....X.<..}~..2..?;.\.D2(........Zf....Z.........A`!'.........yj..]..]L....h..s......I.YE...}.p0.-../.>...5.I....4..B=...?....~.Ox^d.....8Tx.........3O...1S@.i.;.....VM(..]...#}e)C..)..a..+@.?..(..+..S....7..[G.o.......FA...31.. 1..../.QKR<@.....!(..p.u..2mclP#DxX+....5....ZPX....lR..w.:i..Sd...vWf(Ef.>.......S(.0...)\|.M........\......H...:..!J*..7.....i.7..w.....?..N.p......#.....y8\|.}.u..]....N...>"..B...aI9B,B..{..s..F%^m.s..N!....s.%.....G_.y....1DH}_wh5Y..U3O...Q.............a..X.v.p.D..k .

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	1048920
Entropy (8bit):	1.5197815564221362
Encrypted:	false
SSDEEP:	3072:uwqfVqzyyrFoOeHQ63tHAs0OyiS8L0D9EToxEizyZ3dNVj9Ta8lpk:Uc8wQuDZVmNSH
MD5:	E6E23A561DF91CA930F97A96011E4E16
SHA1:	9EF6B748FB9933D7E3DAEB9B8E181B9B1BAB46DF
SHA-256:	5C1D8552D23C2794FFDEF4FEB672ED734F6344C4B260FF0EFF03D2574AD7F77A
SHA-512:	FE4312A5DD48F292FED3B99552281AC340ECA19D7A7BC8509C6B545729759C247328E8FE8CF078283325F2528F5058F688C240BBD7BB9F1508555593892378CD
Malicious:	false
Preview:	.6B...I...g..W.....M'^.F.;.....N....$..,B/v...A......V.......N.U..6v4.".....a...<1.jd.I.!.9.p.(........FZ=.....{...:........8...5..o...J....-^.!e...RR?......O.][.z..]..!a..&..G..do.a2.0.S..Q.>.x._..E.J...9..{Q.e...q..&.L...vbz.\...HQ.5U..........4y.#..e......T.tn.a...[M..J\...2.#.%=..H....`..$.......e...\|...!.kC...cw.,..s&..e....j..[..f..@;D...%..2W..C.#n*]X.....x.S.h5s'w10...qx.......eU........L.G.-..B.@+....$.P.O...V./.y.v..&...J.=>)..n.....k.Xm..QVUD..\|..?!.tB,.r]-..G.[. .p...,.cbk9Rf..^...FMX....SXS....j.7.....:..'7.K.Ew..Z ....9...!M&L.(.oM....TB.C.0..-.36.C`.f(.....5D...ed....Fh...M..JV.".Q..U.~G.N...9c...V....T....v..b...a.L.Mt..4..2.K....n..P...E..MF.T_.1.............%.r...z.\..~Q.h.....G..M%Cn;.i.......... V...h4].2s\|.k.L.....H.....B.9T...4sj..H~~..8i}?B %^sr...L..^.)..q.aJ.7.U..&....wd.......<.wk4-p.`....n.....W. .%........s..^5..^q.7..S......=.iD.GWO...w..%.ptgi...i........v..R.O.JN...9....,`'.C.$9G.>.........U..._].4..C...B

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	164184
Entropy (8bit):	3.04176129617769
Encrypted:	false
SSDEEP:	768:hEndBNOeQkaY0EndBNOeQkaYcOeQkaYcOeQkaYcOeQkaYcOeQkaYcOeQkaYcOeQ8:hyWeQ5yWeQweQweQweQweQweQweQweQN
MD5:	B9B013C16D6811CCB4AD3012697BC0FA
SHA1:	1266556CFBC68C80465CC251C0B885B6BECEB21F
SHA-256:	D64B4022B6A0FA591638A8FF4851335DF95BB938AB7581499E4587798B014003
SHA-512:	9F28F44A0A1B462721E76AE2B246762F39B99BDA799098150C598CD21422B22479261EACF358F42EE68A8207CE2A4CBB848EEBA5669A268BF674EF3E18DC3C6E
Malicious:	false
Preview:	W.mp./N....V.u.....N..a...7p$.;....._...O.1...fXW.N.Y.........;.......p...o.[........MV/#a._.....\|p.nQJ....<.3.x.4?l...D.u..{.e:a...zY.TNE]A.}.<..?.R..h....6fX.e....k.qn-.g.X6. ...,`.%.`.....%K?.\|.v.?.MjY..........6......N.....2.....F&.f..n......E.._...S;.....g-\|,\..`?/..@2z8.(..ZaGM....n/...J._....+..g...M....f.{.". ./j...GTw.#...FPJ..%.......Xq....j9.w@X...heT.r......u_.xv{B.F0..a1.S"..Z..h...I..!#.......o.&q..w.b..d.><,M......^3.7q.!)...J$H8.g.....BdCG%...m0....2FmU.....g..P.I....,...... R.`..%........R..I..p....69.......c~.t{...T......e.O.P.7#=........o.....U.5(..S..q-.....#08....O:.Gf3.0..AiR'..FA.Bk$b....5//.......JC`.X....]u)...<.....]...Y.`~......O./y.G...1..K.d^M...Anc..........@.......G.b.\.....;k...].X.N.....f".R....P.X:5.b......d.......w`..0G%....^..mL?.F93.o=.......^.(..4...#.Q...b...j.....q...LO.....>...8..c.../.V........SZ...)aq......+P.x\|3.(..VhYMPZ....},..f..g.!a.'....n.x..V.._......G.2..]*Ls!.J9...g..Z.U....x.z.

C:\ProgramData\Microsoft\Search\Data\Temp\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Settings\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Settings\Accounts\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\SmsRouter\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\SmsRouter\MessageStore\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	196952
Entropy (8bit):	3.4403224804068233
Encrypted:	false
SSDEEP:	1536:y2a3zShM9KKAJXMT3sh3sUShzNNU/YiyDFqflt5E3sh3sh3sh3stu:S6M9KJWT8h6z4h3E888Au
MD5:	4E944B51EE775258F93DD00AF19B3D25
SHA1:	D3557C6411BAC30977E008A52DBD03E5471BCCFB
SHA-256:	66B415C361D8D50F6E642D3D1DA272B86B23213F18655F1DC3189A11834FBE97
SHA-512:	DB1DAECFE21E7FC714CAB27BBD00443A312A0D51674947084FCF4128F8A3D8C82C902E4EEC9DCC5B05804E1BE219AC88DF73304AB3BCA1C1511B6AC48BF9F643
Malicious:	false
Preview:	#.H."..@x.y~\|.Np#.L.uD<..q .W.w..DT...1R{..@..F..~b..vX.?x...P..UlH.Y..Uv.;.............&:.iB.o\|tP...;....a.f.....L.?...F-. ...j..i.^<........l........a.].j.nk...$t..... _.,..o.J.oLh......e..3..G......xX>.....:.E.=\./"..'.wS.....Pg.\$J.<.....?...,..,I.M,..V.f.q.o__..K.U#.1..~R.r........0..V..[v.C....F.\EU..jK.?F.<.m...9...Z..O...f...(U......w].P.....QG.....T..e....P..GM8k...WI(..RIA........v.}$....\|.f..O..%..u..jb../.<..G.Hv+}....j....)...}...y.....b..jF..w[...MC.jO.4..!H.p.T1W.i.G......nu..c. ..A#K..p.>......}&.."E..M.:0N=g.....V?l.aiaO.{..b.o^.N.. <..f+9[..o.......r...@.c.I.n... .\.q.9...3...K!~.cs...9..H.d..Lw...l.D...I......./.tj..5.J...H9y....5.>q.P...5Dycm......v..;a%.Y.]M3..O....0u...8l...Z.n\|~4.I....F....f.z{..,....R...D..i..'._..da....h..b.\..,.4E.-.=.z....^.g.FD..v...w....i..._..?.l..Y.~j....q9..Z.u.Vr.I@.CEw..s..o..i.kb@._...Hd*..Q.1x$..,mK..D..>..!#&sm....$...z...+......VMu&W.o...n.w....yX.......}s......k..7...".Wn.i`..

C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.046244321366311
Encrypted:	false
SSDEEP:	192:ojqSaQ3vFxhakSKZnu8Dz3ZZZ8m4AJiP7akxhDRyHKGcleJIwyPHeNAUL6v:3Sa2vnR/nx3Z8/4u7fxNRyjYlkLG
MD5:	405E4A6155978DB990E91192C4D6D6D5
SHA1:	58EB58917F5AB9710E834FFDEB9D0729CCFCF141
SHA-256:	657501FEBFDC2B874B2B72E8821059EB9FF3391EE25F930B388EA805E0442A1C
SHA-512:	A0F23D1F731E6829F3A811EBF751919353FA45675338EDDA84F05351AB0DD61D10EF8DEF5F2701C42CF0D1F1F0578218E332A5325E1D20DA67BCFAD0896EE5A8
Malicious:	false
Preview:	.O.......J..[.\|R..S.........-K.G.1........D~[.x...4A.!.=..9@3.:-3..Db..UY.;.K.."...#S.?....8.d.s..4.[.BZ"..h]{'.b..8A1\|I.m;Z...u....]@........p\=..)....J.o..2....".0.O?...}.@.\.}...d......5:v............=.'d.c..@.>.E.._...<.n7.$./.p.o5.....e..........'...D..wbH..nf.k....7C...<]$.d6..rU......5(.{'P..rbC....&....d.1..y...R..N.xCN.[.....$..K8.E.uJV..R...z.6...j,.a..........d.).g.F..%I..T.p.......{......".\|A%....s.J.....2.L.5-2.[G.!Pt.n..,.+..(3.D/..!i..>...z.....'.F...K.....fy.....F...2fY........f...t.....+..z.[.ih.].z@s%KG.Q@.....V}v.Cu....1'.....d/..k....I.\|rAm~.v..\|l..h.e.'...........B,D..do7.....]..f.r....=?}..X....N&u...d.iM...#..&]#^E.._?.u'..m.......M..]=g...;!9.~....d.P..O.s.UT..B.0..Peb.H.X)...(H]..-...Q.B...T..g9....!.4.......Jo.......w!A.g...\|.@T.v.-..2..a...\|.nGkG.`B...0...W..W.....Y.&....{..J.I.'.g...{;.P....H>Z.~..w..o...N..0.+.N.q..nb...*..."<y..\o2..[..4..:..."..[[M. .j..wMR..!....9...b.x..#a..>}..8e.~.Z...8s.o...(Cvv..tn..

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	7.951878072967586
Encrypted:	false
SSDEEP:	192:TwtDmMmwN48VhG6CkNjzP9jsgW7WTUoewtDmMmwN48VhG6CkNjzP9jsgW7WTUoKk:6N48Vw6CyFjswxN48Vw6CyFjswl
MD5:	A543400512449FDC1F9E6D824364C540
SHA1:	5627591467B7AE1F7BB237CC54184268DA74D8B3
SHA-256:	37918C299AC08E59AB685C80AF883D1B92A8AD2BB75C5C9349A5504F62B9FDFE
SHA-512:	9FE8D8E568B1F34CC54CB366F28944838807BAC79E849640920C357298946189CB4B84B64AF33369E8E280343F91562F5062EBFB831B68564728DD73EB257A86
Malicious:	false
Preview:	.n..9.I.LD.f.+.6..~.4..N..6k..Q..>$..(>Qk....\|..[...0.....Cxf....V.Bf.!7.Q.x..(..m......DE\7..S .%p.'C........\..W...P.V5..c..4....-.P...).';..\C...$z.3._..W...H.._..NuDZ...,.i...G...Y....~~%...#v........O...w..\|.!.....:8.......kUX.pR..m.G...4.$.VO..Y}....V.6...m..a....Ff?R.....0C..A3.7B..\|.E..j.[..Y...h..K..U..X...1x..V.....k..U..f(."...f=IJ..D.z...gi..%E.S.L .....=1p...[....Y...h.TD.4.#.....3.y..J_.....N..cA?.T.M.v.9./B...8...(..{A.O..ja.Z....u..X....q"}pW....Wx.............3.a%...rN3.(.......k.I..21...u..^.4.m.BE>A:^............v............Ac/]...)ax.....Iq6#....9....J..W..2.n^.R.b..W......r...m....R....A.;..P....w;....,.W=........;......-.~..h..k..\|.......Ng....u.9mA...j$..ne~z.p........I.p..4P..RM......}&%.^.......v...K.....M:.&..M.I4.0(Yr....)RG....%............mw..8.E&5.SX.H...`2....3...72v8...&..T.w:wp%.\|..4Vtn^..z=.4E........Q....m..3@.]C.q....'...t.[...U..t.Me..M..Ep.x......@1.... wF.,..._Y.OA.i8d....Fl...`F5..\/I.5.>.Uz.s.G...

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.448800696205545
Encrypted:	false
SSDEEP:	768:2BNk58j8DKaxuiF4CLHUxuiF4CLHUxuiF4CLHrY:o+5E8RxSg0xSg0xSgE
MD5:	85242B8E4A784701879F8D1DA6C82163
SHA1:	D87BA1E44BD63E0E979028A7E153502046006ACD
SHA-256:	66B9A7C08E2CEF35E35D2CF32A920A5D0F4A3ECF4CA441CD692D22930F5E7CD8
SHA-512:	F3BF1F959656C7C9D6E3337C3B950B021CC2A1ED36F87D746D0049A07B34145C6E0CC34EBC93407085274F6C6C0BF4D438E6CF59CC5129A04EE9F6A72B21E6DC
Malicious:	false
Preview:	}..7.....A....^.."./.L........8Cw.$..J.J.........9a..$.=.......Y....3..!.:<.....7...........sz>.u.QJ..R..$7.LN...0....\|.C.pE...n.v=.:)...L.\piW7.&.....BB.nsvZ.!d;...:.K.:(...Ln.....MN....d<..Yu..kX....#.....E.r/.C.'<..RiZQ.z.L..\.W...Kq}.T..O.....F1.[.-?.e.Z...b......m..1UK..+..-.4x.Y..@X.a.@}....r.l....t,.........i@$...7E4.g.K..m6uP..HHa.h....I......2.Y..I`j.W.9: ...I...j-.R..~S...>.%o}.0.........x...R0..Sh.....5Y...49.u.....U.Y...sN,.D.........K.PY...O2..iKv..g.>....k.\|.`.J...S.-......O.G...^...c.g...k..a...+&....+.b..G.W......C........(...2)......UR3+.s....C.......kX.....5d.j\.....1..lF;}.#..7...B(sZ.G.l..AD.u..O&6...(.S..c.-]....gD.K.m&....].\|!.... m..2....P....W.\|8i....J.GvIp.u.x.[...o.Bf=.F.}........)...P.tp)yA(...\...+..Kd.."!d..!....^zj.Hd.:F.....Y.2...w.;G`......[..d.@_..o.^..Ym......U<..Ti........w...=aN.lX.<r.....wa2l.98.t..#pb...5.X...`.w3..9.\?2-..+Q.s.\|.b..I[X.e....2............j.e:@.j.#.F.....M.0.ES.k..d.....1..H4...\.

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	5.226236910527177
Encrypted:	false
SSDEEP:	768:FnPCoD2sTR1dYXQoRmoDopGw44ESQleoAnJro3xHFclyd6KZN+y0uL7:R52qR1dSRRtDulgSQllwIFcPkN+y08
MD5:	06F8DD7DF176E6369EA85E166084A512
SHA1:	7F6981E940F1525E31DE3B0625F16BC40AD58F70
SHA-256:	FAD18DF8F539B40FD18C0C69C5383734CB2AFCD5688BD91588E1B7EF18FEA80E
SHA-512:	D5155F6CD580F60E69EFFFC48CB31EE5598FBFC6A1C79CEB835C96408FFC1FBFE8268C83DBA88E2A372C76A0DF823C036D01B149B1FE3290CCDEA5555FB5E13A
Malicious:	false
Preview:	...Y.....+.V..0.su.T .......lR.e.W....\...R....#..X..S.....Al...Y.9`.w..t...fu.........=..z..T.o..f.x}e...a.}..?...{_+v..G0.......g=..E..R.,.l...e..M.......O..ZG..x.....S....FK...s(..I..o......lOL.(...HUP.^G...8.....dA5O..z.....^{...oh.?t-..V.:=.j.z...l........\.E.W.L.9..80#.q?..C..me.+....vM.. 8.J.2.49F1;..A..3.U.....W...>.My..~0.........1....z....w... ....BJ.s...7C<yDb.q..=7.m;.(..... .D..kk.#..6w..]I;..n..G.Z.....&N....W..8r^.g.LG..G&K.sN.E,2.".\|....`.4...8O/.).z0...)..o....c.uOTe.]....5..'..D.'........H......O...@.,..J.....]$H..);FEzq.-;.'..C...a....D.uL...w....+f..q..^.<k..D....A..(..@g..\|iUO.6Y..f...............m.H..V.]... J......,...G.....,....5.[....'-7DD.p..-.....)....J ..t....H..,{.....i......tn.+l.~.5D.'.<"?..>.....0...l.\|Y../..VxZK.<..>...).t..Q..bj^....Q..tN.A#..0....L..X6.w%.'.'G.-...BO........(......v..)bO..3.....Y.zz.pjY.,....O..3.5.."....}..J.~.b. ....@C...a....!.G9........:...q.....<....8x.R....4......4[.>P...s...c.8T....

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.618605710494084
Encrypted:	false
SSDEEP:	384:ggHzOZc0W0HBauuTd8anCAkZ48A8anCAkZ48A8anCAkZ48A8anCAkZ4N:zAc0WPdWAkgWAkgWAkgWAkA
MD5:	9F8E94D7D6689AE91552B9A666D721AF
SHA1:	E6A596B62383039A1B8CC5B2B5F6BA7CEDF351C6
SHA-256:	344746657DAA739AB117C3C0B43B1CBD7EF06BAB6DE8C544DC365C0A3C9B24DE
SHA-512:	0DB23E00051AC2CF9C45BDAB43AC89A045559368366B6BF2842E5EB5D93DD45C3D4870504C6834718797BB2A6B2227D0699D89EE28C03A30572E690D2ECF185D
Malicious:	false
Preview:	.b.MC.....Q.X.j...S.;..T.....BA...E.$y...0.U....c..>.K..[...e.6..n..m...m..+$.AA...Q..........&<.@......&.1.....z^.....<G.w6TL.....v7.....k....q\..k.T&=?..0.c...f....:W!!.d!.KG..U......#.e....].....c.......>......B....:..m.!.....x..!..R.!.q....h.!+.z5T~).....7..k..g..n.5=n...V\.z.....NwD.R~..#"..D.0.RS..;GZ........7.T>.......f.zv......G..y..u.E..<..Q.-l3._......'Q..J. ..Rs.#c.g..V..k..K.3(Z...q...&....Y.*{...$Tj..%.._..D:4U.O.B6&.r...%........d.J.].,...N.;...}.bD.N.......n.g.p..S...d~`.z9y<..Cf...Q.t~.F....Uo.#..T...bWb..I...w..v/....3{j....Q...d....... I...KDER)..!s.CC....Mr.D..E.E....`...7..R...v....l....=..g.....yp.....\|.....>C_..q...^.U... .@;.:l....hT...t..n...nC,\.....C.#.dIp.T.{.....Ow.....v..0z0.....6.l..x.c..{bz..V..L>..J..Kn.F0;.X^.3..}.b.J<....J...(...-.#.......u.e:.t.p...,P...eb..,#}.n_]<a...\|......p_..H.;..kk.A.,..`q.....VR...[..........;.G..(..>15s#..Xnb`1<..r..8.v...b.q..@.W_V..m...m.u.t....@._.a...$y.I....M.g.F+....3.O..^...r.

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00003.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.5442078972632367
Encrypted:	false
SSDEEP:	384:d9P+3E5vvPLyNNFrWExvxdDm7X19MgEuuA0SCcVtTAroToupCAkDuzEAC+K8hf:v+3M/SrWEJnm5HFuUCigAkifFFhf
MD5:	A75D75896FB3825E0A625E1CDF0917F0
SHA1:	FA661DA1A51B5138AABB293D71255BDD8893D3C1
SHA-256:	0218C926EA6965CC5396A03D213CD9BD270505760C8ECDF6408682B573DD2268
SHA-512:	9707962BA39803D494ADE0AAF76FD557181B02BD791829BB4571AE67B1920DFEE45ED8A03E59FC8F9B8F0BB1CBE2318F650E5824A8B4FF4C08BF61773F8A4354
Malicious:	false
Preview:	...m..&.5[....Y.j........S...]...\|E...ix..h..L.YQ........L......<..?.....9...S.~.p....I......X...P..db..K]t.L.vJ.....;.bLU ...O...YU...g+.@..l...<...Mv$..z..0../RAQ,./..7.p7......{...s....b...".5.(..dT..'.H....,.......y..zU.H^..%_s...vi.}.r3.......O7FUy"A..L..m...a....HL...c..V.........ub.M....C.LL_....U.... /.8..6.. jL.....z ...M.+..>.Y........-.9..3.F.1J.}.Q(.5......d..{.]......4....7............2..V\|d....<cxm`:..xJ....U.?d..@k....w2Ly..y.?..L=..T.\...y.3.. ..]g...@.&{....A....5......:.B.-N.....B...s.2.Y.(...9..7.I..l>Y'....y..J.HE..y'.7B.fI].\.._{....r......u..$\|^@..g.Y.4o.~.:.CE.?.@...O.Q..5...A..c.I....{\..-...%......]/.-..?wT.mo.......C.....A.9.....^.OsD.`.....%I.....]..".....3...).5..Q..6S....ar.l79..[.......}..ED.......2..A.......Vv1..N.~.4f..[t...=x.G\.a....8p..\|.O:..T.q\|.IOT.me..uJ}?...I.....VOk.v...8.).&.H.5....>..>.^&'.a:..3r.u.[..M.J~...J6....c...@.P.f.[.....@X...!..Z.......%...~.d. ..44...(K[..6....i....\|BVC....S...

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.3963557990656703
Encrypted:	false
SSDEEP:	384:8rXqINDmIarXqINDmIarXqINDmIarXqINDmIarXqINDmIg:8rXLNaTrXLNaTrXLNaTrXLNaTrXLNaV
MD5:	83867094D265F1E3FC9FD67FECE0079C
SHA1:	C2C33D6DA24A5AE474EC615DD636551F060E103D
SHA-256:	ED941A69A8CFB49EA9E7D7FAF851D36D5F68699A7F77D87D76D422CE53777AA9
SHA-512:	73C2A43FDAE90B0F5625B12A2D2917B3A013C0575851E36C7AF28D4C8683C03E980669A80BA084F693831D5874A70CCED2839D56180644DFF07A193004B7881E
Malicious:	false
Preview:	^,.i$...G.I.....h.C.(I.O..K6...l...@...J1.... &..3.M.VY..&...!..=.I.....u..$\..~...8...!.E.....b..A...nP,..v..... ...9.cHP./3q.$.1...........jY.zs...u..6..UX.m.8.....0..7./Y.'.7......&$......4.>.x...).K...[.c....S..<.D.]0.-f.....>.....G.-h....LI!.<.g..svZ..}.+......@..\|.....-.i.t}...t[.-o...@.>M.........E.fB..........U+.....aY..F..~....%)..;%!.q..g.. .......E...+;.....!..9...?[..C65.:.6.......E.'`.....\#V..F.Q.mUu.........%......&r..$f]...:.XbGv..a...}.....+T.a..6...vu...G.~?...D..9.....vu.....k...kOM{.E..d...Q..4..ua.....8....a....w;..[DL........G...0#1..s....W.n.Kf.Z.R..~....\.SJ...}w.AO......Q..<...zJS..$Hr[..{.......0F...I.YP.YB...T..T.nn...f...+.0..C......N{a.......(.c.[...ui.8.... cfcpw...>s1<.3l....[...5Wz.t0.<.g..t.H.\...07...t...j.z{i4..8..5?..j)..x.......4Y ..@..]...l...N.&...]..UO..yy.&.^[.....mm...dX.._/...O...?.W.I.pTc..`.8M!..%../K..E..n..F....._sr....;4..yIOA...tu\|.e@.w..n.E...+.OX....k....V.@.5x....u2.c.{..u.

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.40479341955545
Encrypted:	false
SSDEEP:	384:BJqrT813bjMm7JqrT813bjMm7JqrT813bjMm7JqrT813bjMm7JqrT813bjMmh:aTS3MRTS3MRTS3MRTS3MRTS3Me
MD5:	CD5FF861F17EBB652E156422CA8CDAD6
SHA1:	A640FC5452E91B5FDFE31222753BA0A2E1BAE2C3
SHA-256:	EF89A27F049AF480E1AD7801DD07AD7F96342689B3151BD8DF4BC0D86EA41A08
SHA-512:	F60274DEF16707C8966659E83690FF4AE8897E9954420D8FEB827F5CAA6D988337B7F7B2730836754D4A92CD1414E0B802F5B0875F1934F1C3F80746C70AB76D
Malicious:	false
Preview:	.a..s...J...z....R..%....."L.O.:CL-......4.u..{.N...^.k.)M/Z{`95B..k...&._..5.j.e.J{V.........z.$.U.K.6+..,+.H.Yoz.v9.r@.........W.S.5.~.tb....u.,.o.)...b^u.8....vq&.4OE.bG..Q...6.]..R..........=...w.v.}...D/..~3.1..;...^&p.q ..Hg.(...cb6.A.........t.....HM....z..;.r.Z..0................qf....\.a..Q@6e..BS..UOLL...)uc.6....R.F........ .3.E...!.&...8.E.Y..?.P.\|.A.U.R"F.........n...<o.....am..gi..:.b.`p....4...I.K.{j.....I....D...8.F...M"..J.>4.Rq.....G!.s!&<M....b....jB?...81.6"..&qU.._.h}..../.w.F...&h.h..@..4_.....A...(7..0.;..&.....gX...=M.#"\x.C./). x..+.y....{K..G.E..Q...4..2..Ij..0.....?>.>....U.G.8...).0.g..m.^.=...v$.......C.}...(6..O......K@3....I... .p..^._...%...L.?.b'Q..J...B..n.."L...yL..:,e..w~..X..9#.Y.Yf6.O$.qJ....g.A.2X.t.%..oX;\,.\.Lky"... .U...Z...J.g.......NN.4..j..bm.x...2O.~.2.....R..q~...;.>k .y....crL;...&>.F...8...'cJ.X.=.!d .@....j(.4.q.e.Z....56w....U...........D..u...y.m&....d.1....F......0?.0..E.QA..f.F@j.Y

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	65880
Entropy (8bit):	3.398941454373217
Encrypted:	false
SSDEEP:	768:VHBFrk6HBFrk6HBFrk6HBFrk6HBFrkl94:VHbFHbFHbFHbFHbE94
MD5:	F1E651073D1DABCDFA3EF61E8A6C98F4
SHA1:	C29E0F53EFD59E0A3E4B15AA0BAB7513195F6B42
SHA-256:	360E95187F03C8B72C2A215F8F3B400622A487C53CE0B4BDF072F8FD284729E7
SHA-512:	B4AA647D993647C089C9D36F3114FCB327D00C689D729A68A69179C805BDE87B069E6B135FFABD698368FB1A40D19C0F5B8BB86525A3161289B26549F23FA199
Malicious:	false
Preview:	_..y.nC_Z.^.\..3k.O.c.R.:..`.#..L...xM`...t.c...._...\|n/_...`..V.-lw3i..Y]./.;..EA v.,.9<#4.3.O..\{D.T...Z&$Xj.;D.4.A..6..}`...L.w+./.^....Oqu.H...k.........fQ..A.qo...,.$..l..u.Ck'9Y\.>x{G.n........(.}.?.n........A.IWB.1.hT.+s....0..M..!E.t....../..'p.J?kF....Li.byef....5.zhUP.......@...v}."....!~.\|5t..d...[x.!..z.i..V.yS+^p.."G.B.lt....#R....#...@..+....z.i......u[@...y......l...[.'d...........$.k.. ..EL9e.$]....,!.j.B...`..V.#"k>..R...o....vD.J>L.:......... .W...Y.....'...}V....~J...&..Py..I...a{.j,....Y.IOh...3..a\J.L.qC..{..0L...h.).m..%2..=........a...J....l...UM..M6-...zC.D..FTIt.z.A..f.&F.X.s2.A<.-......L.Dto.Q.b.9..9...i..gXJ3~y,..@..i.^q...w.Z.Ao.?.9...1Hl,j......?..`..$.1..1$.66.D.....);.......Q\>..-.....;....\|~......-..>bl.U..........'. ...U#w.({q....hH!.\T..Rf..L.......=.L..!"d...X.\Gf...X..Z..\....K$j.D.*......8B.J.~(.....r...I.o......\|..5...P..._...p..G..'.8...%.~.'.]...p/...v..>B]..r}......E....#47....i~.:6.eM......&$.."5

C:\ProgramData\Microsoft\Spectrum\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Speech_OneCore\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Storage Health\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\UEV\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\UEV\InboxTemplates\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\UEV\Scripts\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\UEV\Templates\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\User Account Pictures\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	602520
Entropy (8bit):	3.077710085003342
Encrypted:	false
SSDEEP:	3072:kJ7B/B/B/B/B/B/B/B/Bmqi0k4562ZK8ro4KWE5I2XB/B/B/B/B/B/B/B/BV:+u0X62xkWET
MD5:	22044DDB13D444FBEEED854BF1EB194C
SHA1:	B54E730E2C374D7051A2D88C2E44364A6AC86FED
SHA-256:	2D54BD842FB9EE2FEC36D564E884F3DAACA70EA4A560070F2CF45D37F04595DD
SHA-512:	1948305455968AA30674E74E1394F1B2F1FFB04840F1BE564729D4BB93276EA47870E03FBF84F31CC066274FBAE6F059F2531D539B1994C83858AF0CE671687A
Malicious:	false
Preview:	~...S...y..\m..ky.Vt..........\|.3;..V...<.(...P.$~..+f..H.P...;t.4.d..........]j...$..P5.9.....{.\.._h.U.7RBk..5..#..u.6..!...fe;.aV.h.NVO...j...g.Z....v..^....$..j..o..z....u]Td.SX.[@...9.....Ll..rGAK........m...../...T}...T...}..No.j0..RR....E.q..c&m.WW{kG.....e....'9....+......%..i.r.Q. ..o.j`~_[.r.3]...Qu...n...)OL.O...3.......?%...^...>..F..5.C'....D...J0......t:(.x.dG.-........qG.H.....4.w..$......P..^.J`v.v.....fp....pz.P...;].>.y.:.I2...Z~n..X.P..]TR.....?...8..}=9._.:..{.hI.`.v.)=...........)].".R..!..6.DX.]..Xc.S%y.P..?...L8..}.....c.b..b8...&&....~... ../....hJq.1..r.q.{..cr.+..H.<m!.>`\|..(.....".^.W.=.E..L..-...f..us..aQ..t.!.uQ.;.....;%...ht~Y..,...\|;..3=.=....DJ>.Z.{.% .7.:...F.\c..\).....{...].^u.:..&.:z&z.VX.E....~..FI....I.~.s.dBJ...d.......7....h...\.. ....}e.n....P..\...9vQ.....q2.FU...:.._C".Cr".v....`.z:`..9....w1...-.r4E\L.kh70.X8o.....B.=C@..3T.g.....}..Y\......5.;...Uf....c...H.u.Q....K`gQ..m.....:.'w....e.f.

C:\ProgramData\Microsoft\User Account Pictures\guest.png

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	6408
Entropy (8bit):	7.967541665109367
Encrypted:	false
SSDEEP:	96:aKyc/z7WGs53JxLQR2fmy/F/NJuCkFO+52rpVRgYZQYd5yZap03P2cknG:tzls533O2f7noTQrpVnZfd5yZT3P2u
MD5:	2D71118DB8986275E17AEE0C4ABC0E00
SHA1:	5417E5CD570BD3C706A8E169A5B340F16A598ABA
SHA-256:	8E99741C54A80560D5E8933636E3B024F8EFB90A356C0657A5EF6F2F12EA3FED
SHA-512:	3B0934C57742BC251DCFF9CA4C0593DA1B8A87AF4BF45DAF71F92132A0C9DB7B8D170C92FA360DF021ACCA760D380E16F2A06C5CB97999D4406F728E6AFCD2DD
Malicious:	false
Preview:	.f.^.W5.9JvR.z@.\..c.."d.E2...#..L.P&plt ...y..'".....[...~.....]...q....0G.......<..,Lo...G.. XLnS.E...V.[...">E.7-.........P.Z...#...7..._....^..Te.<Ga..aF.Q....n...9.~........2.Ko.P..........g...{7........M.!<<j.c;.-..t..w../..".}h ...0?..j.X._.H..0..y.....O....XJ,o.F7...[..E.....A....9..@R.q.5y..U).uNC.Y^....3.GZ.......s..J.PM.q a..+.Q...~....9..~.ipx.Q.m..i.v[..\|.1.9.-.6.(...d.cU.5r.'6/...w..x...2..L.....,........,wo..F..D.Z..i..9y+..".]....@@b.n...~..v^Dx...pQ..).....]gw..s.-v.k.y.F.,N..X\.h..sv."#..\|U.D9. ...cD.._GZj...j.......e....k.).[3....x?kz..........W..xx..x...V"...1)...,.)=...k.....+.R..7....F.9...9.U.~\..tLS.b.w.^..$...&....~.4>...0.\|....,4.a....!.Ti..Y.2).:.im..a..n.....DG^.C.+..L.g....n.p..zt$(^.....,.......N..\u...Q..w..T.V.#P.3\|...r~........zLV.hj...b.)gV.D..A....F?.".(Wx........^;q..j.B....J.2..UC...@......L".m..M:. FfN.......X..]..6Q.%:L......m^E.}...........i.......Z...8....`.D.N.y..As .&0...]y..._.M\|....

C:\ProgramData\Microsoft\User Account Pictures\user-192.png

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2744
Entropy (8bit):	7.91677108389799
Encrypted:	false
SSDEEP:	48:h7VF0/ULqts/hDa4OOzUTeJOGIAUoLiWv87Uq9sp6q+8XQeiaM1y79r/8VpWkoP:i/ULcUDwf1APOWv87vNq+8XQeL8VpjK
MD5:	8C6E2E665E92FAE9862CB5B6AFFC3099
SHA1:	CB375D17D4B3578948DF957806CCB5DB5ECD2607
SHA-256:	1B53D9C10CF3C8572F529FB1BFA3F5A9461554ACC5B42E99D7118770849579C4
SHA-512:	C0F161C178D6E6BF9030D83EFE03A578B7E11D1E94C0CEFFFE9D462468D6562115BEDFBC5C4C76F57CE5C17A65BEC528B5127B2278C00055587299DB2AD938FD
Malicious:	false
Preview:	.g0.....~.y..u......#.6$.W..hvU......Wg0..J....D.u....3..]....$....$.\...Y..._V...@'....a...x........E...0....{j..D..W..t..t.9.c..TZ..T.v.;.-....... ...Q.5..e.B.XR.b..l...s.. .[x..)..eS.s.w.U..;~.(......![.....&f.....}.R.......c....X.......x&LR[80].#.B.F...s6hV&..aN..j....Y....:..H}.5.u.i!#C...<U!..:a[..P.0.L..y...^aiM.(....!h..%..8........J..._..;..@..iB....w.....r.).?}.....p.%.S.S^U.c?..^e.l...`hRA..A.....4.....?...V....}..9.VU.XS6.)#9......h.cGVHh...^X..v...@.m...w...x.&.....8z..u..#...=...2..P..H.ufW..l...!$g.....k>..`...0}.fS.d.HZ...%....\y\R..bp.z.2..!.m......C.0.4.....}q^.43.%....V..E.{>.(...../t?_.......L.OdG....2...F.sMU:.y.7..B.E.{K..r..E.Ru....."a.....p....&p\|.....x.....OwE......`.Q...\...>."Nt.C.$ .5....Jdz.[..9~.H...$..%6.....DmJ...E..=I......r.p.@..b..8z..A.....-N.B...+.x.3)..B....6O...s.?..e...S..e.l..h..]..z.Z...%h.(i..+..~u..W..DZ/...i......6p..n...6........1l...<0`.w.h.....'Y)UL..{@..N....._RZ.].....T.fS.*..S.2h[.p....

C:\ProgramData\Microsoft\User Account Pictures\user-32.png

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	792
Entropy (8bit):	7.665744250522034
Encrypted:	false
SSDEEP:	24:nujpEpuxyHM6Ei3eTIrbYhuWHDOprl6uYeTGNTy+w3g:nCOpR4i3ecHoVDOllNyLw3g
MD5:	08B58627223E87208E73EF35CDFD3465
SHA1:	9DCD417169ABC975D84983F3D59D7685923E33EF
SHA-256:	36F0B93BA37A5B6C7CCA9D9F8C49305BE37E13FCD086B99527766BA065D69CFF
SHA-512:	B185DC6385012A6A28ADE28E976529176B7D3A92009FF085D72918ABF769EA8BCDA06E824E3C7315084AD23DF4BEEBB692665F67EFB65BDB8992788569001F44
Malicious:	false
Preview:	..w.v..J.^j...9.6....kU.x(yO.........N..+.l=~l...j....I.Xv..4.s..N.\|..+...50...Cl.T....2\|.../...".>1.L.\|yr'.m..W..Q.Pa[}..un.*..f.......&...:Ky....W...)_..9..Y....xT...&d.&..]=...A...U.$\M..M!.3..=.d...8Y. .J..o.!.p0.....>.+......s...... +.d...\|...".j.{>..C.p.....Hj..,.3.^(.'xcc.....z:...........$.#d.}.........b..B.JS.....~ ..xlP.......Z...LD..e.<..$.jweTN\|H..G..%.v...o..z(...k....TQU.d..w.;~...km.}..h.T0.`....3.L.H...BMEDUSA......................T.i...N%G..N.....D."9/.t.M.C....o..................:.....N... .1....B..Y...tv. x.....ua.^u..t.....`...I.........v.0....7......V.../c..[..okg...a+-As...uJr.'4.4..BB...C..x.!N...."...I...)..V...Di...A......s.....x...w.........W..sJ.J...Y..da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\User Account Pictures\user-40.png

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.695057434420166
Encrypted:	false
SSDEEP:	12:zTN2czQiIELCb2289biE6c7l63ezxSGv6+ZHudB2RUUjyHp8+Ci3UctHkefmJQRh:bkN228R9RZ632SG9Rm2xjEibefiU4ccg
MD5:	735BBCA40B519EADAC89D371E54A1715
SHA1:	211FEC65E85736FF85973DE723863575DEA3484D
SHA-256:	97CC21D02A4DDFA8FF018D3AF42D65BD65E70C5AE62EB22DC64F15F14A735F14
SHA-512:	E3C482824776A64BD56E5C3647BE59A7E60D50201D03FEC415983CC47F224D18670099395A929DFFF9D30EAD213B1C2CE49701EABD03B7ECC7A49988C6CA5540
Malicious:	false
Preview:	g........+.p.Y<.j.$......M ..K.{...}.rb.<#.=zYV7[Z`G.n.=....2..(d...W.H..Q.z..u.u.E4.!Qrh.t^l.....D....0.....L...g..@..5.{&C..PRX..s.u.M.Cwv..........)..~9b....F.>a..>K.%NG-..q.W....h!.....7:x7a:a............<0.\.....Fw~%a....,...... .z.F....I.2.....9.S/m..rRN.._u.....v>.A....J..V.4J@j&.._.937.M..1.?8$..A...~.d...k....1...l.%.=.x....v...b...9...gaQ...q.o.z.Q.].;...._....w.....=.$........E.}..........QOS..%A..:.c`....(.Y.3..t....SK...y.V...e2...6..g.h./Q.O.\|.....I..[?M.....~..".e.D.s.7..MEDUSA..................4.I^.....9~.ZGA.....P2.$...L....K.......\d...7r.B....r)0.}.v.../.p0mA...GS.....w.7........P.....~..F.f<...A&:.+._...{../d.;........./..>..MF.pb...............D......\|..6U............)...g..F;x.Q......!.]c._~.t.....sl...>...o=Q.#..u?..Y..u...'..Tda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	968
Entropy (8bit):	7.757775722645991
Encrypted:	false
SSDEEP:	24:sHSs5MY6IeQMwNEvMp3m/Rg9zLji4QTSF1POvPk:sH3VoQRNEv5Jezfit8
MD5:	9B85DE961C620D01C4D4E612D1DAA874
SHA1:	DF2A9D735C135C473FEE4F328D9EDDAA26B4AE15
SHA-256:	8B0F744A15CCA361B37473319EEEC8209BE6871935BC80DC1F6766ABCC997E90
SHA-512:	569A86B5C54709F4CACED06E83C55C628490B89A3F7DA2F013CA5CCE20239B3162A17F41B6E44D01DFBB8E8481E64F64622CAEA6E2A4CDBB454FE7C3434DFD5A
Malicious:	false
Preview:	O.n..a..V_.d...x...m.}...&)....V...X..V..W.+..\..}.l...;..p....&.........(.k..T.yx.P.b7'A.......rR..{.lkx.kvWU.Q5...q...\...L2R.....n....N...<a...\|/..B..........(... ..o.s.9D..d.......?.k;....wg.M..uX...t..1.Dho...:.'.,..I%.t.E@.........M.h....6.......\|1.~.N...ks.&...dd,.....(...+.! ....H.u.".....Y.+....Y.......N..H...b.wN.#\....Wg..0......I_....Q....q.:.iR......+........S.!...CX...G.!.........m..5......7..#.T.(0..7...^......}`...:,..:i.'.q}.R.....53..nI.P'......nB90.5X......R.....g.M...y.o...R...erld..6.1.K.z~..Z..K...s.$^%.>.a?}...f...rBT......-;..gd>..%.....2.F.F3..L.U ........MKQ.OMEDUSA..i..................'.Rz..62z..y.Z.o1...DB...Q15w..S..8.Xv...-l~.......@vEb..lT.C...D.0..N...n...y........+...I....l[.TU.[x&2.%..t)../........,<(..u.r*.S.Nh...e!...96},a.`./..K..j....]3 ]..4-p(.vh...z.....]M.. ..VC?....J..lh..BK...A}...6...z...........p..l.&tda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	602520
Entropy (8bit):	3.0787065415454693
Encrypted:	false
SSDEEP:	6144:P+afafafafafafafaf99dtGDKFQlwV1afafafafafafafafadj:PfyyyyyyyF9dtINlwVQyyyyyyyyB
MD5:	8731C095E4AC39E3DD4DD8B2B2E04CF8
SHA1:	FF2F960604D81569731F02D61C9FCC085EEE42B0
SHA-256:	C9BEC4750A3C85042DDB8FA6B36A2B65430DC083D962BD6CDC291A19D732598B
SHA-512:	9B8FB01847DFDC94A79732349186591A89CC8C0C1FEACA84B0124037FFC88E27D24FCBE59267FD40F873C7EEC099867EEC77F4503C7A5256BF8ABEAE375D37DA
Malicious:	false
Preview:	oF../...._..xE...(..;{.P..Y.r....2.$...hW...r..<.k.0]..u..y..]....S./.,..oT..(.7.u..]{B.?I..iT_y.M..k.&bN...nS.............P.V....TT\.../.y....."kC.....I.@\|..[..0.Y/w=+rY4S/D..,.Q.cd..$CD....h8,E.5......B'.q.wZ>.i..$`/....(07....f%..Y.]E...]S).a..l.Y.4`..e7..Y...^.7..j..x..p...A...`6.$..']nF......z..qH......<..G1..$z".>.....~>5......ax&Cfh...V.~.`..............T.ds..ZN.4{%u).......g.~..q.:.}.....!4l}.o...!~Zb.#..`..P..~....).)..Y.....5....."...+~x...%.R.eA...`.:..........F...FX.'Z2R....\|...........G.E..9..B..n....\|....?..@y.......G.e...ua.Msg=r..zP#.6.D.....-Zd......1....k.,...h..<./c..X..T.!....P.../.......,p...].\|..,.C...3.B..sBB..f....lIp.0..&../Su.p.3.4......W.z...B.HY.^.G...I../4.J..Qg..K....->..,......V..Y..\........a...1..#...%0...W.pB....~.}.vT........c..<..7.A.k....'.pMa.=..A:....N..;#..!s....c.......v..Q....`...M.8........&[A.../.D).W....D...s.......LH..7..1=.g.{........!.......u=O..8....o..UFP.]C(.5.Xk..y..

C:\ProgramData\Microsoft\User Account Pictures\user.png

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	6408
Entropy (8bit):	7.97010759627894
Encrypted:	false
SSDEEP:	96:M8EeQidr4YvqNsR6fdDmdEpCMsysanzgz73UmeIBw/TNh2VRY1:zQidRvosRDEoHrn3UpI+bNv1
MD5:	31C399CCC04C3F7A0B704FF80E2C3C86
SHA1:	E21D0869014F75FE24326C6FA6D13566B48F7EB6
SHA-256:	E8421A6C4A3980E57422F56DFBEE3454F09A6E13B8AFDBA92CD6AC945F844FFC
SHA-512:	4E9552DF9B3A6CD0F24E52560857CD911C53923F19392C19A8020006BDB224BAB37B116DBE2E94511CC2B4D0B0213F1C6177B6E3A9D5E650E079F0663B3A9144
Malicious:	false
Preview:	hh..r.i.cur;.}F..o...........NN[..\|.Bs.)<..h..&E...x..cJ~..+.E.."0.JY.X.D....&.ye....8..}.L[.....9...r...@=N...KE...o.D.T.{.._^..p.).c.....].M.AP..a.f.q..].R.l}.............!..E..s<!..\|3.IPn;J..C.Y...q...9..r...Ch._.p...h.....Q..... .....Fo.u.0/...m...].....2O...............O(nA.R .j.Q..&.i..._.r..]A..C0..]9....Mm........t..~(...Cw.GO...dP.......rA....ve.N..?..N...PV....e.N.m.~].4.8......D...^.O".L.j.xh...._...mil......I.....`.'...4.3%+.\...V..%.NL5g].>.?.V*...I.$....$._X..9O.W.P..-[..?v.t...I...,4X..0x.... ....z..lE{l...U..-....;0...9..^...y5..L7_.8...........O.....~.......k..$..1/..T.vW,.p$.D..\|.1......r.f.e..G.....a...ytM....M#..C..dP-ee..e(..`w......R.M.....`.d..FH.T..g........w.(5...T.k./....B..(.3A..&.y2...5....8..Q....2.JXv.~...{.......Hy'W.v.O,i.L%M9q.ta.mOk......s........M....3.!.0.V.....3.%6.5]...J..C.&.C.dU....0.1q...Z..h......G...wI.?.m......(..........@....7.KHsO0:I>.#Xm.t.d...i..I.Z...<..9.1.@.....2KD.....v..&....#

C:\ProgramData\Microsoft\Vault\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\WDF\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\WinMSIPC\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\WinMSIPC\Server\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows Defender\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows NT\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows NT\MSFax\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows NT\MSScan\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	20632
Entropy (8bit):	7.013570234546262
Encrypted:	false
SSDEEP:	384:I/VjiVzZ5v6vkPNrNONUQPX40jLXqPT0/Ik98Qu:I/QVVkcPNrNONUQPX9q709lu
MD5:	A1C68249875F0B4BEA805D11ABE8E31E
SHA1:	6515953E5B778D22178632541EF280BF74D9D345
SHA-256:	AA6261E89D6B3D362054AA4962B6B3E5DD8393B754B9632731F7AA559BAA5C17
SHA-512:	96778E5BAC69310BDA5D7F743BBA587554172CE28639C440E553852BBF8DB0DF305EC3FE6BF11152B5D2022C35B4894A44EC228CD4E4F48AEF32EC43A051C51B
Malicious:	false
Preview:	=....-.."%O..3..<.%D.hr.!Q-b:h.-.t3....w.....{=S\|...x0..^.d.......z.?=...DCF%..h...s..9..eE......Cc.%#...T....(...V.%%H.X...N.......Y{h..b.>.6:x...bM.z[.f...Q=...4..!$.>.V..(....'..)..U.7..o.q...O....np...........1....... ./:-_..s.}..&.3e....{[F.I$....@...<....e.EN..M.~...~N...m....Y}..c...P..y.5.?K.Z.._>...vfm.C~>...v...h[..}..G..S..o.TE0...M....l@-}...\.\|....sr...............Nx...q..4..8...P..r~.>0....`...E...w.!(.\.r\|.........bi....(.@`K....Qb..f..(.q..GlD....#b..g..<.p..CB.V._........2.......19.X&-.%g..+d...X.h._......e..5..1Ng...Khmc..o7:.IP4\|.{....6X......... !f..u&..`...".....c1.%...$...d:yt.S`..O...V.sX.....,`.5...f.}./....s....r.z(......E..9._l.. .......he..'..`..kNZ2..H.....n,)....<...B=x..nVC.lB.......1._..+.CG..b.m\|.q.P...fQ3..i.....4.&......O.....5M..\kV......wM..i..Ht.P...M"...I\|...ew.n...Jk.dv.....Y..".&..^.+..G.q.\E..".T...C.....9!.U...6...Sy..Nu.G.3...F.yI.......$.v.8\|...5..*.....K.......HA.P......J D..`.

C:\ProgramData\Microsoft\Windows\Caches\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.156286131979613
Encrypted:	false
SSDEEP:	192:1Sp+O32AZSwHOgMJv8uBvj8DDwP+F6DulRtaKDl+6BO+XI:TAZSwHkd8udj8DsP+9lmawCtI
MD5:	AE3A88D3CEDCFF5F389B2B00D7C8F3C4
SHA1:	CB7B07C83314FF1D460C040A72594043A4991055
SHA-256:	6A403D653EF4951DBEC216D1F3BF0E3CC4F5075035ED41482D08646EF61DADF9
SHA-512:	A5ADAA336AE5EA92B1EEBD0022D5A5C5E205E678620D46C9825843EF19299A78634BD9990190553EE62D2C69447EC8A83FE8BD39157B3149C0B6723FD7B4545A
Malicious:	false
Preview:	.~.Z...Y...X&....9f......AD.D..N...D...........pd......o5G.7T.q..R6..V#x. 4..f...)].]'.SX....ED.@....../o49._:.....m.J..i.D.i...[.nT.'G.PN.p..#...y.2.Ruoe"Z.&/..G.f#.K...B..o....R.c.#=..@4<.\..2.....`..'.A.j@...v...t....\|![>............Zj3Q....b.g.g\|.V^l.c.....u.D..w...... -...V...J...c>k.U.rB..P.............>. `....)..c..1...x\1...y.qf)J.i.f..........].6..w-.KK.w...I..>@.....1-...([t.........3.$.QZ../.\|.g.5...<l&.f;.D@....g.;..<.r.c._.C._....!g......Tk.(........Fv5..;z..s.......k.._.i.[..?..........e..h.x.Q.v.......C?vc...ON.....Q.-..O...VZ...sk. v..0w..+H..7:...s........t.T.....f...Ns.gs.1......./?#....g!.A&......J.......le(.q.(...V.V.s.\|.>.E.#..F..:d.(.Na..\|G.?G.......T.........;?..e.....M....A...T.S..n._.......T@.9...>!.....2.._ %...;~q.I.Q\S....D...".kzsaH..C....-.NW..6H.oYuc.pA.2].s....mQ2.U...}...0D......8{;..H..........]..>P6.Q..~.y.x..E.,.....=.$....=.=..;......6OG_...9G..!.]..&...@\|@.W..:...J..4...L...NV..h.....?.f.c.e......+

C:\ProgramData\Microsoft\Windows\ClipSVC\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\KeyHolder\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Import\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Install\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Apps\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Migration\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	715928
Entropy (8bit):	5.408265624823874
Encrypted:	false
SSDEEP:	6144:PoxaCEDSZISsLW8PVvgjbdJlnZEhgKN86uhQk1wvTCOUjB5w:AwCtIv1gnlZEhgCluhQ1LCDjB5w
MD5:	7EF78B6DF4A0E9F497B60E6F6D57DAD3
SHA1:	8C1E37D788258E3DF503590FE63CE03F52B05F0E
SHA-256:	54DE883B7794AC824E36B8D63E85A362FED63E5E1C36BA0287BAF584834D3997
SHA-512:	96CE500C11EAF3A54EF59E606CBC68B7BD91D2AA7FE09BECABBFEF027D180E96691BF9D3621A7AED5AC9936CAA6B9568B91AC968011F125C98347008AC93360A
Malicious:	false
Preview:	......\|..7..^...i{..-.yP.VG1..7......5.qZr..w;......c.v6p...S.a.M.......E..i.A......s.T..1.L._}.....`!l......s<c.v(.nh b~..\|<cP..@:...i.Z,.(6.f..G.J..yV.".:...7....-1z.D....g...O.8o..K..(~G.^.....N&.....r...J^...E.!NO....N......:..o..8.5...,..1.Z.Uz.K.....(....F..,B.@q,!.v....%.......:....Q..IY.1......`a./..a..);.`..0n.&c.a<..A2....a.v.^.6,e..w0=..i`Y..b...I^..e......W.5.......w.........hB5..7o...?..c.....G~k.y....7..-...A5<[...B..d.....}}.ou.c.....L.....q.<.w.o..u3../Z.{/....H}.N5.zX[...?T.y.3....T..z....B...Z8.w..a./.... V...cd.....i..k,.n`.=\.e.O).u.To.F.}..\|..z/.9..........d....v..`..*..9]../..Y...K..C2..1...~!R^.A.,.pIR.%>.My.......".!.z....Ev.1.W.tYDvn.,g7.`...A....wqJ.q.>..8.....3.N.r.A....d]\|R..D.N.....]....x...D.J.c.^.g\.hzv%.j=+..:..+j......,...{.7..7[.KPN_N...#W2.th....;.}....V...G.^.....\|.s...A~2...D../.M...$.\|.'. ...g{..8.}/[.e..0..m.#wh...?...~.GpOO..#D?...s..N....I...a%..3.Jr;...AQG.T...o...WS.B.c?N.K..Q.lI...U.Y.../....S.

C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\GameExplorer\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\LfSvc\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\LfSvc\Cache\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\LfSvc\Geofence\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\OneSettings\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\OneSettings\ASAP_CloudPolicy.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	2504
Entropy (8bit):	7.918198122033097
Encrypted:	false
SSDEEP:	48:ic0Cebx8Wi0NdpnVdEeeamcabh7e93C3x6hGSmA48oUdBf:i6eHdN2cmhC90x6KA48dBf
MD5:	7A6699971FDB5B379BC044CE77564B42
SHA1:	DD1344834DA64095B738159188CDF77258760C66
SHA-256:	D31AF8E57E882F3D0A18086D69FE19AA2988322B76D16C975155026747B60F5D
SHA-512:	DCBC06431418E5D96FA8F5FEEA6A7779C3E366F580554F330753101C0DE32600578A2D7A8E381D5CE76DCC5F4525AB39B54D17557DBA3110360A4DE3C7CC2A81
Malicious:	false
Preview:	#.1...w.,..../q.{.....n....4c.N........@...!....;3...Aw.`....>kc..lE..]C\.Ph.b.\8..s....T.f!...CV1...o.#.&A?...mN..-.. ...8...$...?..K."....T\|...j....s.G.....3.5...Xt .F...X(u.#..".w.p}h.q.._...g.]......,v.1....X..!..~...K.kG..5...h.WC.I..R[.....n..w{.{fa.S;0...k...gjP.:.j~$.q.p..N.H1-}#;$.......v.)......vz .j..q/.... .l..K.+.........>wK}.]-.K.H..nA.I....D.R......a.O....w....<ka..@.Aw.$......D..m...eN...Y.d?.x`.u0..z...F9.7..M^g.~.w..p..>x.6{..>U....1.8.W.Q.'We#L....W...%......Y..t..m..).#..x._u\|5.d......H'..$y.zjl........xT.N?.....H...l.N+G.......k.......#q.kQ..d]..r....,........a5...{g.4>U.E......N.....t..)H<. ....v.....A.w..G..}..Q.Oq........+hj.i..)b.B..........S.GE.:m"...Oq...n..0.#v......U.......2..W.P.....;.0;../.k...:.=..\w....?...r....w>.n........\|~..K}.?n.j....7.....4.F..jB(...Cq...dU...H..a@...B.l......#9.*..g.}3+R....W..d.....w..Lc.M.,.Z....9.0......0..lH..&..v.9.#...E..v.].1p.5.Sp3.,'.l.1d.u3..j.E,...7..Nq....B........(:w_..x...

C:\ProgramData\Microsoft\Windows\OneSettings\CTAC.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	89720
Entropy (8bit):	6.488262063707883
Encrypted:	false
SSDEEP:	1536:UE4kSTjmlUNRVnr72m9tkqxNzopiiVVLyP6ABciMDJ9iEgX/2+0wShIg80tWP:UE4kSTjmlUNjnr72m9tkqxNzopiiVJyR
MD5:	87F1234E8378D3839E8F69E107398898
SHA1:	E2310BBCB4BDDCA5BE5CB4A91511E30DD0FAD2C0
SHA-256:	454630F172AAF9A88C78BD64C31730D13DAFCCD1CF1E5327D96D37F780B5693B
SHA-512:	4CCE6CCDE6FE7596D842E590379049DA59B96B11B652FEBF13C3AD7B22E266A264D3161705F766020E0DE9410F40EEF9AABAB4FFA33D11DF043C66B20DCBF77F
Malicious:	false
Preview:	.......t.C/.........As<'."...t..N$..h...\...f....)........t.MK..Bpk......g;.y.tc+..+MD".v).C.....H.r{..^..?...1`.d....-n...P.......\|.4..L\..M..,V..o>UExE8.6.fm....a\|V..~.v.O........ I+.{.+.$}S-....(;.....7.=a4x......T..h(..uR..vK..M.....-y..l....@:. ..3.......o...XJL...N.qs.D0..7..".y$.V.4H.9.....P%...n9..</..5Y.~Ft.2.....\..(..C..O...Qt...G..}i.=........\|B.}.$...<..z....r._).....$..J..-. \|....G..M.k.V.....R,y....V..q..d...c.nl........W..7....Ce.I..<.q...r..4..U0h.i....%.lK{.W....C.F.....`.}.....(.AX#.8.._8.#2..6.-F.LC...oF....=.k..`1..m...D{=.......l.....H..,2..L...g.Ra,..Q.7.M$V.S..G..Mu..0\.9N.-.w5.Dd7.<..p^....L."7.......\|{/..a ..iC..O0K.....^,~SGkw.k.9w......F..NQ;...}......=.\.../.....w.=Dc.5.H..YJ..@../......&..)...._1.....W.G.x.M.O....?D.3.?kSN......_..}.......w.z...$i!..;K.@.......6s.."R..rG.CSz..W......I..@.....P.^.1&a.0....V...+.$..../cHf....T...x.e"3.3y.&k..H...Py...x.~......m......6 oze...\|.v...5.... .Po(x..H...>

C:\ProgramData\Microsoft\Windows\OneSettings\CortanaUWP.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	616
Entropy (8bit):	7.552342209610216
Encrypted:	false
SSDEEP:	12:EI3p3/DwCPD/NXpGr1lyS8nJ3+p662P4s4UrnHgMqdYxRKeVFVu+xe0:t3DzRwrUU6FP4s4UrHgMqdYxFVuk
MD5:	BD2742422BF13D5E4E9CF15573EC3190
SHA1:	43079401CF088D80BCE4181C2C466E51CA4F4ECC
SHA-256:	C00B06233FA248D01F806DDC01202E4E6B8C93A94BC5870A9B3C4F0861E558F7
SHA-512:	6F12E8B64FBF85FE5F9A25B51039E29FB046E50EC5C98D75FA371BFFEC33F4727EF3B8380FD59122DA3FAB029436142B41F708B9F6CDCB1225DC6E347ECC67B8
Malicious:	false
Preview:	.Q.z......._..G...j3..2...F%J.0Gs..\h..b4#Ug.w..P.L...@...B.dn?..i.X-.a.$g....e...'..+...3..[.....s..b.i~H_..}.{..N...T....j>.....u,....E....G=.z ..q...<.'..!.(.a7L...C..2..H`..........`e3.'....[..H....W..+..j...;R...Y..~......:/.h?..Mz-....y..&..............-+MEDUSA...................$.\...x.P!.q;3.v...{....U.Z-ix6.`.........b.c..?.Cw..h..3....2.(....,Z&.*....i}.?I&\|.KZJ.W7\..'..c.\|X......`+%`....(..d....}....@P..../6$a._nAD.0.I.N...Q!...Vp.....xN.}.}...0......L.h.@E.....T..0..k.9D\.;..g...P.u.F.r....Y;H.(...@.I{.&.w0].H.z....da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\OneSettings\DirectXDbVersion.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	408
Entropy (8bit):	7.2288254134349215
Encrypted:	false
SSDEEP:	12:LGU9QMAT6MS/kcb2Aczl7NvWUPcSRtxe0:LB9Kkk4+l7NvRx
MD5:	5491D35F8018855E54C0415DB20C53CA
SHA1:	FD55008442C354DF4F3D1EABD5152A880F99AAB6
SHA-256:	D420C48936C4310A2917D365249EF5954E03A37B7BEECDF9AAC7101DABAE1ECC
SHA-512:	F430394A9EA2BC1CE1940384B4B1D6116623EF2EAFD7D953A39D955E19A73E24F74AA7AD9D11CBF82D55530A9299B0662D9D1AA558FD1DD2327F1DCD8924AA08
Malicious:	false
Preview:	.........0.B..S.gz.....'.....oX...Y.y}.E......X.?R..Y..5..MEDUSA..3................p.S.$.n.T.'....V......... t.7..~g.V..X..z=.....%..6.&@.8....Q...Y.@.!......~.x.S.x(.R..k.;..3.........$........=].NDq^.......s]r.{-c...19.M.....I........t.c.j..o.6..._@._...-..\|.....US.....h..@n.x;.ZJ..{~.K....xJ.C.:.. ..4...%.*./...~..u.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\OneSettings\FeatureConfig.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	21080
Entropy (8bit):	6.88165038584591
Encrypted:	false
SSDEEP:	384:MGwlzDReydDDhJkfefO4XPrZlCHzydmtCW:MhvVBXPYJH
MD5:	1A2D390108FF2F491879C7E88DFE99E1
SHA1:	ABE32C12FF779D06F8B31625B8C8ED20ED272887
SHA-256:	DBFD381CE544640F0405F511DD11D5618BC5084841F74B92EB5E4254EBA75854
SHA-512:	EF2379F70B6E4D21AB9FCDCAED49CBB22C021D4916E50885176F964ADC35B5D9E131EC8ECF67ADC4001AA98CB9B6E8425E961676598F8654324166AFA878A672
Malicious:	false
Preview:	. .\|.Y..?$..Y..w.K5.cv......mI.....,....m.E....\..3...LP..3.4O.u.h....{..d./c.].Wg.~...c..5.....]...c....J...q.Il^V..h..mC.AY".?...c.!..k.X.2...)..'..H.. b.&..X...)..[..R.].'....3..c...%7.a..&.v...8..e..y.S.}wR.7!..m..>...Fi.P..i..B'..0#...A."..{...b..."........E.G5..2..-.#..>.WK.....Yd.uH.)r.....q7.a.$/R^/..B...Z..[y^........W.!h+. ...uwi...C..QZ....[...9."{4N..8=......>..A..1%:..g...P.v.u_u...Se\| E...\|...8.h..Y.(.{..I....)..+!..o.5+W.E./..~.9.?.Ex.......t.,..!.&.F..D..U..A.bm..=...vY.V..".0&..R#+^.1x..Y.-/..$b8.)Q....G.../......`..7..C.Y.....;......\.%..UK.Yt....2....<..<{Z.....S....^....X.#..#......X..m..,2.c..S.l..o..\|."P....$^]&....]....?.1.8!.......s...^-\|.......Z.Y.>n.q.$..z..7.~^!MD.@..\|..6...[9..k.....+.6i<7........[rwL...~.g......F...0T.b2z...d)..P>..i..b@..F.....$.ap.#.(...8..^\|`.....B...z.......B.(c.....k......[.N...h&`.(.N\...c.Pk.7...m@...w...d..j....:!&b.$;..@.S./Q./..;b.WUf.+..........^."..FRm.....I..9+..l..C.6

C:\ProgramData\Microsoft\Windows\OneSettings\SCCInstallService.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	840
Entropy (8bit):	7.680666693866463
Encrypted:	false
SSDEEP:	12:/BMEWPzLH5/0bupJql2aAyOolAGhfG8Y+ccEcbhlkWfnB6ULPyxe0:Z6Pzr5/GRGyOkA2f1dsmwGBZg
MD5:	3113A7B90B8CC2A5EE97F4DA6CEDFEEF
SHA1:	62851F8677C0F29369D240A5D01D23145E51A3D7
SHA-256:	C38B05C3A77F6974622561B275C62A55B0092910DEABDCE85090C7F2B39177F5
SHA-512:	2EF14C3BD2794C00E21A967991BD106938732719C5D4937B068BBD0BD036C29E5D668DAB2E3DAE54173B75CE311D8475959DB77FA5AC6A29FE217B960F27DB10
Malicious:	false
Preview:	..'....h.!..2.[...w...B..h.-..=\|k..[...G...p.q...p....9...9mk=.j.vD.X...0YN.../....uM..6.f}<Xu`f..,._.C8m\|..:..\&..@Y.)g.-..j.bEt..h.\Ds.............p..HK\|.W...v..n7.U.p.neP.>...7.R\|..;"r.L.....<..K...`...s...r...?...m.........zydLXO...[..i.T..C.&c..P.....,.Oi........(...@.E>.."....`.wL....B.f...^v..,..t.W.9.8;.....K.....k........y...?1.Yp.1..Kg....S...Uhv(....'7h...c.......v..c..f..b.y..$v[.e\|cI5.Y.hk.7M..xZc...1.x.S./.*?.-6...C...+.d<...8.}..V].0...G..Jz.[.$......MEDUSA....................V..........Ow-..f;E_..E..&kf\.w.....<l...K......4.0......g..........h.}S.J.txB..8.Ye..r.....].....l....W]r..~.#.p..j].....t...b.>........U..n.#..zb:...r..A......p..[.v[=. ..Sm........x)......Q.+.4.W..k.Y...h$r.M..7.....'.E....O...).u.gN.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\OneSettings\StorageGroveler.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	760
Entropy (8bit):	7.632043861358042
Encrypted:	false
SSDEEP:	12:m1KMZ33MrYfs1D7kbecjnsILbvuwn30NO0WUhXPptiwWprE5V9XQbYChLEW8hOJ/:mcCuYfs1DYDjs4b/3mhBtiwOE5V9XUjJ
MD5:	9DD7862CA59A898362265D3270168C81
SHA1:	195DBC2F88D44873FFC319D1587D5F1EED35347F
SHA-256:	185C2C5CB53C9FF22DBB87F07193B042117C8EAEEDAF24371F5E3FCE4918B79F
SHA-512:	751CA7D5D8596977047F94A7AEA9FAF2448860D6FEDCB341EAF9DC43D4DC9F10A0DEFBCFF2E8ADC820F2F3826E822B0AD365BCEA6590DB05ABEF8CFF97B39C75
Malicious:	false
Preview:	i.zM...,.\..A<.IuV.Sr........I.....yo.......vN.OkD...WR...O....>..f,.O....>..:ev..:`.[./.yE.[..`.\r..Yo.B.QF...-...m....[.....V....Q./)~..i.E.l..bsk..i.eH.Y...,}.{..v......0.M.)K.....zBr..........H,..F!..wB.Y<b...7...._-.<&@..~....4,C.q...>.f....S.M'.M..(s.......Z...w..\|.....>.9..0k.d...K.$..>.\|.72.....F..zh.T....."c#RfA{j..h...rs.{.2_.%.!..e..(..#n.i)....d..... ..........6....q..n...\|.p..!MEDUSA..................M..XAn...=.`.._v.f.9..]eL.G......9...r..].m....x.>...@o...y...4.v...NI.........M..]...Xom.9.sWQ.u..;!W.9".C...@J..t.4.!.W!..f..3.@O...sfK..5,.LC.u.F.E./.}S......5.P2..##.e$....*4........X..F....?.h..0...\..:8....Nu..0X.J)UZ\W.B.I...%0..mS.&...da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\OneSettings\config.json

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	6040
Entropy (8bit):	7.969803370375307
Encrypted:	false
SSDEEP:	96:ELRnQrw+zI0FXE79FcUFyr21CA6IE5M91jrNY9UkBtLQ+p99WV2RPGCm5njxPxK7:ELRQrw+z35YzyrSQj5c1jWnnLQVU2tPM
MD5:	8CBBB6599D5E1C72A50F4BE662EE2C53
SHA1:	88ACCECBE44F629F85C57A538031500916F73285
SHA-256:	A1E37131710A00672BE492C8C485770F45963AFF7EB98D1B86265EA7FDC3B76C
SHA-512:	3C56FB0EC5400DC8F9D521AEA1F890B64610E173577FA8C0F7C658386C78AC02A733E26C915E544CD809B28F3E123727BCA3621C92382E5A30C9C98B6A2B34AD
Malicious:	false
Preview:	...b...l....D....c..z:...3...N_.;..K... .@y1).......-z.]sY......I.1.4.u.z..Y..I\|I.$I....\....#.=.].<.T.....4......."$@A9.....~.....~.T.N.Br0..~.a..f.........C..].2...$.M.Ff.K{.nIf..#>.t..A.uwq....x....Cz.......n..l.P...u.[....[.(...@[...S..-.h.K..Z......R..FD...GR...>c.r......(....Q.SpL...q&.U6h.....\|...\.pQ.\|..B....[r.+N..7...".v..lR.....`.d...:.k.n.&.!...:K..".ug.a,8!.y..)...f.<.Qv.B.c.x..{.....Z... ..%T........v!..o..,Ln:.@..{.$...=.....$"A.kq...a.)...H.B:.#.j...._...Uz.(K..%.=...x.e<.G..FE.).....A........p..k.l...l...o.6o}.0...7......../..4/\x..w..Bt...D.uk..3E.....NQ!\..N..c.\...u.E.o.th..N.E.."=d..i....a.-y\|....NA...aer,.,....8..;...p.L.Z..])3..#..5..?X][...x..V..A..{.].zNa.g:."V......".O`h.\|.n.E..G/J.....7_fE.<.._..X..G.P.p(....F..q.U....FYR-.........g..6.<.@80Ot.b....X....G...I..l...b]d.......x..i.5:.r.l(.*%..O.t.......oFu..zB.6KZ..pO>....< ..OZ.......C.P..E...........).O..WP..R.m..".O.b@5.$57../....+... ..@.

C:\ProgramData\Microsoft\Windows\RetailDemo\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Ringtones\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Sqm\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Sqm\Upload\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Start Menu\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	536
Entropy (8bit):	7.472197035078609
Encrypted:	false
SSDEEP:	12:7tSbUC7xmo5TNHQhGISMMjIHSHSlzogrkKZPkS/Ab9/bz+xe0:7tBkZxehBRMjIyWzoBKZPknJHk
MD5:	BE78696729EE22FF32ADA0DEA9352191
SHA1:	A2A47E5F216221C734642429A28BADDCA8737CFC
SHA-256:	7FBD236CB0566D2910B74AA4719C5AA617FD10809670E16E3F952B8C650CCF51
SHA-512:	6A9DE53CE9B8EF1B40EBE5964EB6678D009CA6CFD518D534F4F1948D3329455D4FFC42A4FC809DD815BCC52D8D6F9CC74B96D4531BEAE3D7EC950053D1E567C8
Malicious:	false
Preview:	Fl.Oy...&...)..m1m$.Z7.4.C7......./...}b.b....,..q....D._..I-#M.=.u]H.v.N)...`....D...._...z.9,...v......0....j&'...B.#...pW7y.5..Pd.]9.N..XHh.L]....O.Wo\....P.P"qM....\|....o.S..;v.D.}..MEDUSA....................E>.(6.T..c....N.S.If.......Hs.....g.7U<=tB.......v..Q..)7^.....e..........Vt..fJ...(.1....A.).. V.`.k.wZ}....8gbZh....-#@.B...i.$~.j.z .X.4?+TV.qC67.RVlZ(K......x"...?.z.[QJ......>.q..=..Yh.o..*C)b...<.Y.D..r..j.\....=...f.......H2.3..da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	760
Entropy (8bit):	7.66060652840931
Encrypted:	false
SSDEEP:	12:rM5i1srBBOL70WzKZdpkJAgTuO44TM6+gQEyDgw/506+sAF2/NvV/boMOcrotiJ0:rDIuX0C6LkqgyFSM5/zhAsAF2/3QcrqB
MD5:	DBFBF2F804520C9098EFA9B2C9977BE4
SHA1:	7D834895692AE4D9A3926B140B17177C62DAC760
SHA-256:	93C9DA6B3DA0F36BA5E5CF8BC42ADE9880C66122F249E9F5E9F22B7FB8ABB8F5
SHA-512:	E4921350E2AEECDAEBB112AA9ADF73BCD1CC7BF065ED9E7662A591444E9B620BEBEC74BEF183AFEF4EF3AAAB590BA12AA9761F14D4FF8F564FA3402824E9D8A5
Malicious:	false
Preview:	..!.....Z......^..Vi0T.\|.."........./A.2t...b(.#.;%'..S.$/.C.&].....m..Er.,.j.......T...:NM...M.N.."LcK.....PT..d\...v.HY..o....;.'6.l.n...F..hm.gNY..(...{....W.39%l.o......!.R...K.$.[oZ..O_L^.+......d..dD.RP&.K.1..3.C.M/.CR$................y[....Zs...t..T.H.\...mM.3$.Q..-.g.....Z....^.,DU6R..]Hb&......$...SY.(...b.+...#\.Y4.]....@...vz..].5.{..S..a....J!..v.o\t.Q.)...m.l....g....%5.U.Ty=..MEDUSA...................Hfx...6:+=......ha1......L....j...6...~DWF...;.d.'X...W\|..4]...:K.....%t>U.I....s...~....~T).up...{...\...l[.D.....+^....XM......nBfZ-.....C[[..x.....3mx7.....v.......C..)&(.,f.#.Z............\..H5.+6.....s...@C"D....2........#...O....da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	520
Entropy (8bit):	7.417676082216234
Encrypted:	false
SSDEEP:	12:AWQZ/tl2rDz1LmORQ6UiVC9vGCHTwO0tsuxe0:BQkDlFUGClLHUts0
MD5:	B0598EE953E0BF0E67F925A402FEF0DE
SHA1:	5E375BCDB9FB5224EC861E543E028B5D859B96E6
SHA-256:	64A13D6FC6CA4F2794A17FFC9ABE58DF47B298C06025F2054A2223EBBCEC5E23
SHA-512:	82628CAC6524553C2D436CBA225505362D7219705737D04D7A2264639FB73D2067CAA61245455FB82C30BF5F483B37501CA9636456A0B2EB3108477EAA55F062
Malicious:	false
Preview:	\|.aA.XHA......Ez.;....T......R...\|M..`..... .&Lf<F...G..VZ....>..<..'..r..!...Y6.N..B..wS8.c.W..wKz...i...Zy...y.y....CVa6.....p..a$s..9V;j=M+.g...#..~.....F..i..MEDUSA.........................:.....h".HK..=J.SL.-).e~..]FOb.e..41.....F......H........)\|..=I.kR.x.f...#=...@S%.2...........r.OQ7[d..t.q.5..<....wdT/.*.UT...(..[Z...^;.cd...n? y...DF...V.9.Ln...'2.iV.,!...f.d_.Q....2......n.....:.G$}.G../mr`..8..H.......J.da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\Microsoft\Windows\Templates\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\WER\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\WER\Temp\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\Windows\wfp\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Microsoft\WwanSvc\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Package Cache\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\Packages\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\SoftwareDistribution\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\USOShared\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\USOShared\Logs\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\USOShared\Logs\User\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\WindowsHolographicDevices\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\_curlrc

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	360
Entropy (8bit):	7.121151319148711
Encrypted:	false
SSDEEP:	6:/7HooklCuYnyuiDEkV4b9kONkbdh7PsTXkjdmp+J0At6Qh1f9eB5z7W2iD0:/73klCuYnyuhnb9kikBh4T0j1KI6Qhxi
MD5:	304E64B32ACD170C0B1388025B0B21C9
SHA1:	C55317FFDF99166138DECFF7B65F9508E58F6325
SHA-256:	624BAF4F4B98B4D7026F55FB65E6B0D06BF1940B94085E0754DDBDEAB5873B45
SHA-512:	33C5B765CE26560976E60D8A96DE226C89B495EFD9D6DA7FC887A85CCC1FEA7E5D00A79B5FC89E69DA90819D4A46601426183656589981F7AF460422953AD0F1
Malicious:	false
Preview:	...F..".X.&...2TMEDUSA..................,&.i....k.......p....1F...U.:~<&.Wk..l?.o.>..{. Z.A.......x.a....5..q....dI..G.\m...h....]bX.OPr..\E>.aGC..m..#.h.6.......3....]....w.l...]IQ..!>.n...~..(..v...D"...^..U].(..t.jP....gLO..9.N..Q.3R..*.oo......5...9...........q.i.Ln.D...........da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\ProgramData\dbg\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\regid.1991-06.com.microsoft\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	true
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\ProgramData\ssh\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Users\Public\Desktop\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Users\Public\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	520
Entropy (8bit):	7.409343790736442
Encrypted:	false
SSDEEP:	12:v3hYe6qiyLYwZksDPWQZqVBBoMwTfGLHrfDazmwBdtxe0:vxYeBtZ9DPVIyMwDGLLfG9Bdx
MD5:	E8D1EA92A50BF9BBBAFD5330C707B4A2
SHA1:	0418880D0F8C95A576015A790FB704D292C82D0A
SHA-256:	9239C28422C55CBA34FC9383BB937E5EFB6757DBCB46145E323C87A6E3272AF9
SHA-512:	0144F4A8A69D72D22E41BC3A3C41BBA202024BD3ED11A52BC7DE81B85C01AB8D892F8491603CBF0B6BCA76D1A7CC39C586A25DB943AE71F7382BA2A828E40843
Malicious:	false
Preview:	W.\|...1.7...$?.f.6.......R.Q^H.u._.......N...Y.kA.}.J..3..c.4.......$:=.!.G.{/....C.1?.a....~..8......fQ0Z.h....u....Q.... ..s.............w[....<..9.O...~].&r...[....MEDUSA..................m..eH9u...d....~...mZ..r.Y..?.c\..5?.zG..b.t....#......^..Y.!.e..\|............>S.g...Jp..!<..P.lc..7.j(mt.L._-{0Gq~.C..U...d...e..^..J.3<*....\...R.9..;=..._.VNT<..gneW..2oK......N5..].l.#^..>.R{.....7.....+#.%R..k.Ks.>J.,q7.wH...A...F..8da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Users\Public\Documents\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Users\Public\Documents\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	632
Entropy (8bit):	7.593201992792028
Encrypted:	false
SSDEEP:	12:bf2rAf2kWNW/WN6K2PIg6tVrD1oamJJhlOI41GiGJilEsuxe0:bfOAf2kWNWOTPgK6amLOXUJTs0
MD5:	87439D9EB195DBF96133F7579080F6A4
SHA1:	7A7350B9F469F49F8F003040906797C5897A8095
SHA-256:	84981B5F916A585B0A704F8B4C742AC15A22155BB41015F50823C5B03B643760
SHA-512:	09079B34DA136ABCC07E9829D0D7341BE58D2903B88F5BA3E96DB2BB969A8D147B48F55F7C002440851FB72872D8473644C74FED80C649A69CC25D723383137D
Malicious:	false
Preview:	.?$Sr..u.s..U...:..j.7u..e..04....G...5~..[...+.:.......`#..j.....6.-.d`.q.DrE...V{].Y3:{j:....I..I....]!.-.....,.b..7.uX.m.L.u.....{..D$H.E....lu..ZsO......YP .K.}..:HM.G.C..~@dQ.".......=.;...;.B....Q.UN"..:.....&......W]......_..]HZ..."....B...k.BVL).`...l]H.vT6..te..........MEDUSA..................Z....d1..R.?..I..G....T.nf+m..Xc......4.....>^....%.....Y.V....M/?tQ(...-....3h...&CYfq.w<...I..6..;z...$.!.I.\..V.A.m..0........P....[p.h..x..H...\-...Y.-.#....c...!b..]....B2....a=&...vGV.....Z..#`..;...nHm....}...IPQ..l~F[;#.....`UZ...da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Users\Public\Music\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Users\Public\Music\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.60094468843169
Encrypted:	false
SSDEEP:	12:R3oFUPc7AK4E0McDYD5I7N++qvp9oV70a1Ek+nbBMjAmsXeaseJbFbM0xe0:R3oFH2rxr+9SWbBMjAzXFlVx
MD5:	5920729E412E2F000813BC036B0B423D
SHA1:	7C32663F50B077A23AF8D8D8B7670B3C298E9FFF
SHA-256:	73E03411F08AA43D7799E02B63EA30BC6ECEC08C7D9506110B7152ECF532CB97
SHA-512:	34B338BB79D6109FBED9834B1D75419822C17A9C2FA8441D8D0D47825118AA590A65E046216128CAB2AEF86DA2F93BF5AF7A99BBC59A49B53A0124E0F9006683
Malicious:	false
Preview:	1....I.i\|..}Y&[)..fd.pE..$.o.B....8a.."....039......?J..].W.......Ua.(...I#...zO;.._L...}......e+..q.e.?.[O\...0......./....x.....D4.9......:;.-......~..@..\|.is...G..u.,]0.[..J...01.i..u.1(.u.Jo.8M~.......a...A.s.j.N..x...cI9....1b+.]H.._ 7&.H..p-p..w.:............S...B../..Dj...JE.-%S...0..r...U.c?..C...,.....u.V....*.:..Z.p.E..(....N..m..$....:.......8.m.#i..#MEDUSA..\|...............w.q..Dt...2.'k.\..;k......_\|..P.f..Q73f.m....$l....o...,5TR..WY.99.4}Tr.=Y..LYu..-....N2._.qh..q...!eh..0(..%v...%W.".z...W....V.pY....([_.._.>...V.bpB..K.h,...m.......J...'.(....q..y~}p....L..;...4L.....(m.j<...$DO.~.IR ..:..N....v@.Ada23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Users\Public\Pictures\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Users\Public\Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.546518604806694
Encrypted:	false
SSDEEP:	12:C9UDUIQ/5BimFcm515qF96TkRSEbuuIHfu76RI557Am5WHXqSakwAT2AbtUPQwu/:C/IQHim20PqF9CqpbWfLRI5TLvybtuQ/
MD5:	DA355E4701456505ED05EBF927340BDC
SHA1:	06BD7F4FE5E0408DDE7F3464774F22BBAC128E04
SHA-256:	07ED5A2A78E291D2CA38EFB1C25B1C76ED363E7359CB3CE89A95FEE3E0EA0269
SHA-512:	2DAAD1DB516BF665D15A25E793DAC8FE5A43A44CA66192D9968A96B3C0D7BD087F11285A26FE20F92283858993D2421D29ACF361E324FFDE2F11B24052012564
Malicious:	false
Preview:	.M...t..o.l.U...'.U?.......K&u..r...o #...'f.,y....3,.R..b.12.:.;"]....nV...Hn.3.`..Rh..7.u<q473.q.[.;~0."r.&$.]...gK.6...qp...9e.........:..6.{..M..'<..=.....V.;.!..@........$xL2.+/.).SbX#.W..af......I..M..N.h..p..U)....W...E..Z...p....+.....w.F.I..Dxl`7)..<(.n.@.z..........1:.n..B$.D......f..:.'.=.D&........w...U....H`Rh....mJ....s.,....N\.....`.`...MH\..Y....6ts.AMEDUSA..\|...................Mex......]...-]RX.g....My.!.y....\|..91..[E...F".U...!.Z.....E....&/.d..e....\..g6..t.5........" ......Q..H>.@.f..T....M..>)o..D..........M..;....}]&...~..H.."..t^.U..h.I..Sn~.@L...Hp./>2..b ...i.....' .\|......es..H.W9.?..c.`%.Z..p.5r..t..dVda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

C:\Users\Public\Videos\!!!READ_ME_MEDUSA!!!.txt

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3993
Entropy (8bit):	5.163913440799862
Encrypted:	false
SSDEEP:	48:X2iCQD51O5/YbjJw6dBotRmaO6s0JIHobjpFRi7NsVWIluI00lSxvCif:oQN45/ECs502IbXo7NsVlsilSdLf
MD5:	059811161D1EB0B9C131D4CA58FB273E
SHA1:	137CDA40B70978A85F34AFCD3E8DEAC116CFE460
SHA-256:	E2CFABA956D1DA00E2F2AB03474876E7D88E5B746C5C38932AF32D6ABE85D90B
SHA-512:	73770F346044DA39220BBC0C47E271562D394F14B54F30391AF15F09DF9D7B0A90ADCC06745A5B3681C182EC1DB03998CBB6D1F100E81626EAE87CDDD6097FDD
Malicious:	false
Preview:	$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ ..$$$\ $$$ \|$$ _____\|$$ __$$\ $$ \| $$ \|$$ __$$\ $$ __$$\ ..$$$$\ $$$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$ / \__\|$$ / $$ \|..$$\$$\$$ $$ \|$$$$$\ $$ \| $$ \|$$ \| $$ \|\$$$$$$\ $$$$$$$$ \|..$$ \$$$ $$ \|$$ __\| $$ \| $$ \|$$ \| $$ \| \____$$\ $$ __$$ \|..$$ \|\$ /$$ \|$$ \| $$ \| $$ \|$$ \| $$ \|$$\ $$ \|$$ \| $$ \|..$$ \| \_/ $$ \|$$$$$$$$\ $$$$$$$ \|\$$$$$$ \|\$$$$$$ \|$$ \| $$ \|..\__\| \__\|\________\|\_______/ \______/ \______/ \__\| \__\|..-----------------------------[ Hello, EFI !!! ]--------------------------....Sorry to interrupt your busy business.....WHAT HAPPEND?..------------------------------------------------------------..1. We have PENETRATE your network and COPIED data...We have penetrated your entire network and researched all about your data...And we have copied terabytes of all your confidential data and uploaded to private storage...* You're running a highly valued business and your data was ver

C:\Users\Public\Videos\desktop.ini

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	data
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.642351904657977
Encrypted:	false
SSDEEP:	12:s5rwLJkUZMhQcRJUIkmvFQO4U/jg3NGdma+SFAOF5l7nsCGzO+pGJdt1G5yYxwcJ:s5rMyhHJU/mvsUrg3Mma+EBF5WCaO+9L
MD5:	7F418944E4B74426FF531726F22F42CD
SHA1:	F998B47E4FA72E562DC47E31718FC14F870697FA
SHA-256:	D455F7CB56A6BBB34456CB221C0E6625267EEA100307D5C181CD06D2836D7578
SHA-512:	5DCDD3111CA9D8A785D1CF6624A3D70857009080E31B2298301AB53E990D6D74064BA6AC7F01023035A17092E2B07E0D19FBB6B0499CC380B23646F8DC5D5EE8
Malicious:	false
Preview:	..5...:MO...f..i..z....a....Q. .....\|..!...ZvgK......TF.-.hbB...5...+Y.......7[c<i.h..,f.`.^.4.0).9.....wf..}_.m.s...w....I..m.L..:O...r...L.....B...........%.1.-9.Rw..!.v0....."D.b.!SPGAF.$...WEc6.....rm...@.z..7...#.s......F>V.(.3.h..u.t.....\|$iI:Z.QS.!0sv..L.^[~...j.....M[....y......A..}I...Fm/l..z..bC...[.qi._..7.5.m...I....^......#..a.Z..=.......}..@d...MEDUSA..\|................R++...].....X.y.d...I.!..j.S.x..b8_.;..A..3g..h..pq{.#.,mz0.......d..L3Lo...]&ro..u.......{_..Jnil?...\|/...Dj.C.I..T5.Q6\|-..hA.........5i\=.6....E..Qm...O.\. .Jh..uI.+...V .ei...<..u"$.h.4.3c..>T2.0m...3.$...,^...+3O...M.Y.?.&fT.X..rz@./.;K..Yda23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\QyzM5yhuwd.exe
File Type:	ASCII text, with very long lines (322), with CRLF line terminators
Category:	dropped
Size (bytes):	7447145
Entropy (8bit):	4.8506633243187265
Encrypted:	false
SSDEEP:	6144:vTB9J8Hub/cjrg1oaedgBCUBV4W/Ut53NDiWl5YBLNZxHB68aStTZto+8PKAckYl:vTBn8j4HXVW8
MD5:	19ED72AE548290E6F3F2EF196F793674
SHA1:	8C8E300C9FCD821AC30EB1AC4C82D0E20D761292
SHA-256:	2D1ADED11D10914F0A8BF6A14512B32CFC3E81DF20EDA47D2B6757829A8173B1
SHA-512:	544FF432DF490526EE6B6F2A4D41E9ED35B2B07552B7891343150C1D0223E20AC0AC741B4704F241673A1E5A701AAEAE27597C917497285EACF731B95F0B3122
Malicious:	false
Preview:	--start--..default key:0..preprocess..kill_services processes..kill_services Acronis VSS Provider..kill_services Enterprise Client Service..kill_services Sophos Agent..kill_services Sophos AutoUpdate Service..kill_services Sophos Clean Service..kill_services Sophos Device Control Service..kill_services Sophos File Scanner Service..kill_services Sophos Health Service..kill_services Sophos MCS Agent..kill_services Sophos MCS Client..kill_services Sophos Message Router..kill_services Sophos Safestore Service..kill_services Sophos System Protection Service..kill_services Sophos Web Control Service..kill_services SQLsafe Backup Service..kill_services SQLsafe Filter Service..kill_services Symantec System Recovery..kill_services Veeam Backup Catalog Data Service..kill_services AcronisAgent..kill_services AcrSch2Svc..kill_services Antivirus..kill_services ARSM..kill_services BackupExecAgentAccelerator..kill_services BackupExecAgentBrowser..kill_services BackupExecDeviceMediaService..kill_servi

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.700856215026353
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QyzM5yhuwd.exe
File size:	638'976 bytes
MD5:	602d720f1184d2ad739568cbf6403331
SHA1:	c5f349be3ed0591acbe52160cb6bf5acbfbfb91f
SHA256:	6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
SHA512:	9e4a83ed0d329b79b79f75e493af4457bbd7999293ddd3d5c7010701cfc3a28c84d99a3bffbbcfaadad5a1dd8daf927202dd8911246f3ff2f94f57860f7ad653
SSDEEP:	12288:GhdW6SX6bEpZqRMsHcrnjjZV9StQ5Hs5yFAgks8B4lDBJsH3Jt5+REn8Ic04qKYb:kB36aAJmVSvGWEcXvvKw4IRRs3WPOFTJ
TLSH:	20D49E257483C136E57201314E5CABB661BFFC310B734DEBA7905A5A5A382E06F3297B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s3.W7Rg.7Rg.7Rg.l:d.&Rg.l:b..Rg.l:c. Rg.."c.%Rg.."d. Rg.."b..Rg.l:f.>Rg.7Rf..Rg..#n.4Rg..#..6Rg..#e.6Rg.Rich7Rg................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x437bfa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x61CBD52B [Wed Dec 29 03:25:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	82a8292007e682f1a127ba8dcebfae96

Entrypoint Preview

Instruction
call 00007FD71506C40Bh
jmp 00007FD71506B9C9h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FD71506C4FFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FD71506C4E9h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FD71506B260h
jmp 00007FD71506BB30h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00493018h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00493018h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x920cc	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa1000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0x73c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x89d50	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x89e78	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x89dc0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x79000	0x268	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x77597	0x77600	2fa8094a8f303cb8bfc1d389643207cc	False	0.5036178828534031	data	6.688642473736684	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x79000	0x19f24	0x1a000	03d24c2d4cc4f2f0d0d98c9286122f5a	False	0.43531212439903844	data	5.415410122685352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x93000	0xd9bc	0x3000	c28497f2600b43e5d80153d987b21ba1	False	0.18229166666666666	DOS executable (block device driver \277DN)	4.52228478654575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xa1000	0x1e0	0x200	26dcbe29c388cbc6c191d09039a56f72	False	0.529296875	data	4.7082365148683625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0x73c8	0x7400	0955c066319f690460514168c57355a3	False	0.7045393318965517	data	6.6971512609875266	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xa1060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	ReadFile, SetHandleInformation, lstrlenW, CreatePipe, GetFileAttributesW, SetFileAttributesW, GetLogicalDriveStringsW, Sleep, GetTickCount64, GetDiskFreeSpaceExW, CloseHandle, GetConsoleWindow, CreateProcessA, MoveFileW, GetDriveTypeW, GetSystemFirmwareTable, HeapSize, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, GetTimeZoneInformation, HeapReAlloc, FlushFileBuffers, GetFileSizeEx, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetProcessHeap, HeapAlloc, WriteConsoleW, HeapFree, RaiseException, WaitForSingleObjectEx, SwitchToThread, GetCurrentThreadId, GetExitCodeThread, GetNativeSystemInfo, MultiByteToWideChar, LocalFree, FormatMessageA, CreateFileW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetEndOfFile, SetFilePointerEx, AreFileApisANSI, GetLastError, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, QueryPerformanceCounter, EncodePointer, DecodePointer, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, SetEvent, ResetEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetCurrentThread, GetThreadTimes, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameW, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, RtlUnwind, ExitThread, GetModuleHandleExW, SetEnvironmentVariableW, ExitProcess, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, GetConsoleMode, ReadConsoleW, GetFileType, GetDateFormatW, GetTimeFormatW
USER32.dll	wsprintfW, ShowWindow
bcrypt.dll	BCryptImportKeyPair, BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptSetProperty, BCryptGetProperty, BCryptDestroyKey, BCryptEncrypt, BCryptHashData, BCryptGenerateSymmetricKey, BCryptCreateHash, BCryptOpenAlgorithmProvider
CRYPT32.dll	CryptStringToBinaryA, CryptDecodeObjectEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T19:27:19.152372+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49719	204.79.197.203	443	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 19:29:14.199362040 CET	51397	53	192.168.2.9	1.1.1.1
Dec 12, 2024 19:29:19.312441111 CET	50124	53	192.168.2.9	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 19:29:14.199362040 CET	192.168.2.9	1.1.1.1	0x452a	Standard query (0)	res.public.onecdn.static.microsoft	A (IP address)	IN (0x0001)	false
Dec 12, 2024 19:29:19.312441111 CET	192.168.2.9	1.1.1.1	0xc5b6	Standard query (0)	tse1.mm.bing.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 19:29:14.337129116 CET	1.1.1.1	192.168.2.9	0x452a	No error (0)	res.public.onecdn.static.microsoft	res-ocdi-public.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 19:29:14.337129116 CET	1.1.1.1	192.168.2.9	0x452a	No error (0)	res-2.public.onecdn.static.microsoft	cdn-office.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 19:29:14.337129116 CET	1.1.1.1	192.168.2.9	0x452a	No error (0)	scdn1cc4b.wpc.9aea3.sigmacdn.net	sni1gl.wpc.sigmacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 19:29:14.337129116 CET	1.1.1.1	192.168.2.9	0x452a	No error (0)	sni1gl.wpc.sigmacdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Dec 12, 2024 19:29:19.720637083 CET	1.1.1.1	192.168.2.9	0xc5b6	No error (0)	tse1.mm.bing.net	mm-mm.bing.net.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 19:29:19.720637083 CET	1.1.1.1	192.168.2.9	0xc5b6	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 12, 2024 19:29:19.720637083 CET	1.1.1.1	192.168.2.9	0xc5b6	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\QyzM5yhuwd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QyzM5yhuwd.exe"
Imagebase:	0xae0000
File size:	638'976 bytes
MD5 hash:	602D720F1184D2AD739568CBF6403331
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3640894845.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3294115904.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132606073.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3612035104.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2298467572.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2754921253.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3261815447.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3584042301.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3312981493.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1907445670.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1801787793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3303069748.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3852311222.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2003779694.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3812857527.0000000001594000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3331286776.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3246027854.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3176331314.000000000154C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2883354747.000000000156A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3175698744.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2325427505.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2035464820.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132319120.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3422625661.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2294962907.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1791555119.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1979812280.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3598905508.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3402255382.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3127203114.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3079318130.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3730275872.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3905019855.000000000158F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3870302443.000000000154D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1995209341.0000000001521000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3145239137.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1818843655.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3598944009.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2708498546.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3877581274.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2194212770.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1868826389.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3541829750.0000000001549000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3202935659.0000000001552000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1993152388.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3065633455.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3042193613.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2325003515.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1968349445.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2334621186.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3336869895.000000000154A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1977929716.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2839990271.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3433064692.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3020306217.0000000001590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1910884921.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3879399849.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3719725494.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2165880793.000000000155E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2541236354.0000000001512000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3266722129.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3422625661.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3324955354.0000000001507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1903123863.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2365187358.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3175698744.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3146754899.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3135022063.000000000156A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605096332.0000000001545000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605532068.0000000001559000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3852311222.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3166764264.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3812857527.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2088094679.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3019712178.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3019063508.0000000001517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2992890050.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3331089817.0000000001594000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3418860100.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2534601643.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2009761583.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3331221192.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2248122637.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2541124307.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3745813644.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1926670448.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3145322714.0000000001526000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3042992372.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3612035104.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3332149410.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1888426959.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1943790351.0000000001515000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3877581274.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2031930124.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3355172431.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3127173092.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2001508097.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3018622659.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1852394616.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1872033487.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2537972549.0000000001591000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1899108454.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3077583736.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1993179696.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3598944009.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3166941364.0000000001538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2860202126.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2021849873.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3161278871.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2413305865.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3812719661.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3882742855.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2044100208.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3145461186.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1846925533.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2341530505.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2243501292.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1821742997.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3372258557.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2155255446.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3870051484.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3047734924.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3141944674.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3369988771.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2324821490.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3363997024.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3692211307.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1993037726.000000000154C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3456008694.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3646903498.0000000001594000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605096332.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132319120.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3359022187.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1885310626.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3042193613.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2412988666.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3115652353.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3079535358.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2992890050.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2243580880.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3684891898.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2160709215.0000000001510000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3421549881.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3141261131.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3324653342.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1949133478.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3433299355.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2860202126.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3685110939.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3339967210.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2160150753.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1995135515.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3290591478.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2506182530.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2099606171.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2194289591.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1995035066.000000000156A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3492855189.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3317477526.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3463443403.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1942105832.0000000001521000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2035520115.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2189115351.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2341684474.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3355224794.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3359022187.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3133186086.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2535063809.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1995178560.000000000156A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132319120.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2839990271.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3592476775.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2754921253.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3246556746.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1995829268.0000000001522000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3146466694.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3852153969.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3311974938.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2846883658.0000000001502000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3028193910.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3415359594.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2044532060.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2708569023.0000000001510000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2506142114.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1825672364.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132606073.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2077383442.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3125123576.0000000001533000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3042862522.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3408342844.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2155027834.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2114302278.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3135022063.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3077146117.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1976174509.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3116661059.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3542541740.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3127413066.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3641052144.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3355224794.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1946056470.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3442673224.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3592476775.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3166941364.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2189017053.0000000001561000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605096332.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3355224794.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2298467572.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2365087656.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3852584276.0000000001554000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2295051735.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3236601191.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3084697309.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1993107816.0000000001562000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3125227436.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3521806866.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3727024687.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2365087656.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3914980872.000000000158F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3640894845.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2879234188.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3134614334.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3125195273.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3521806866.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2058900871.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2412988666.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2499956024.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2326676165.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3059221702.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3119620550.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3237528942.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3569434443.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1994918954.000000000156A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3465963096.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3704253011.00000000015AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2182562195.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1990151847.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3646733045.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2022153803.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3870051484.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1975769744.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3137175440.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3476928706.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2860362164.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3812921046.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3057586389.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2232363989.0000000001518000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605532068.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3166764264.0000000001538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1872381734.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3726951500.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2623498682.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2755786916.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3592476775.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3646733045.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2001683974.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2842318422.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3266478006.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3084585124.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3415359594.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3147071239.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000002.3975578193.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2506088502.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3237431982.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3313388328.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132278514.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3852584276.000000000155C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1993072538.0000000001515000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3028389212.0000000001517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3119692552.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1884616177.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3877581274.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3745954951.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3426194720.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3583610911.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3048932501.000000000159E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3138111875.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3439480657.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3369841097.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3345853819.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3598662869.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3145547958.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1847402988.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3268094485.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1982184334.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3870302443.000000000155C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3583610911.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2165115385.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1870228793.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3583610911.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3869910047.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2051717191.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3049159863.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3275628163.0000000001507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3435399890.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1844716005.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3812719661.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3077146117.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2190595036.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3115652353.0000000001518000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3813079157.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1846882404.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3355627290.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2231247945.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3019712178.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3137104188.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2150713257.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3598662869.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2004126125.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3125051743.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1990330001.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3489898913.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3028193910.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000002.3975315135.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3592702122.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605096332.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3355627290.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2521210238.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2104791230.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000002.3975176096.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3324184757.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3145322714.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3522287604.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3522111503.000000000156A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3125015912.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3268371055.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3127383570.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3140895497.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3359304506.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3470262463.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3141261131.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3018622659.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3316563630.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2170192792.0000000001556000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3812719661.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2708626040.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2150477102.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3148219299.0000000001552000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3079318130.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2044239599.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3703866711.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3065821728.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2326676165.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3127244403.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1923887569.000000000151C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3137011918.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1975050874.0000000001517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1923064273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3730487483.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3878840199.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3134272394.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3345997403.0000000001508000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3236827133.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2334621186.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2092651263.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2237257792.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2623761450.0000000001510000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3345745529.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2018328066.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3573292802.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3388494055.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1785288421.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3443116501.000000000156B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3146754899.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2099428707.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2467676994.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3146992914.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3914948212.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3421549881.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605532068.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3492855189.000000000154A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3047018159.0000000001526000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3132606073.0000000001533000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1841131519.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1893078752.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3063555034.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3119423115.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1828521013.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2038185183.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2334820687.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2324821490.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605532068.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1845454539.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3388648556.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2520012736.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3541829750.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3280396253.0000000001568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3813048437.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3161224808.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3877581274.000000000155C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3167105223.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2959718567.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2247469426.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2180318569.000000000155D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3146466694.000000000152D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2185209999.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1952349670.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3598662869.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2061777699.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3612376425.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1882246078.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2031873532.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3408234254.0000000001547000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2467676994.000000000158D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3605725698.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1983286554.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2083460952.0000000001519000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2521434091.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3612035104.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2261019197.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.1895769079.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2285134778.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.3145675223.000000000152D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2881346999.0000000001517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000002.3975578193.000000000158E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.2500191002.0000000001520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Acronis VSS Provider" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Enterprise Client Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:26:19
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Agent" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Agent" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos AutoUpdate Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Clean Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Device Control Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:26:20
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos File Scanner Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Health Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Health Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos MCS Agent" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:26:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos MCS Client" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Message Router" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Message Router" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Safestore Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos System Protection Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Sophos Web Control Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:26:22
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "SQLsafe Backup Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "SQLsafe Filter Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Symantec System Recovery" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "Veeam Backup Catalog Data Service" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net stop "AcronisAgent" /y
Imagebase:	0xa80000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	13:26:23
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "AcronisAgent" /y
Imagebase:	0xf00000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	169

Executed Functions

Function 00AF4E60 Relevance: 95.0, APIs: 15, Strings: 39, Instructions: 469
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00AF4F50
__Init_thread_footer.LIBCMT ref: 00AF5000
BCryptOpenAlgorithmProvider.BCRYPT(?,SHA256,00000000,00000000,?,?,?,B5607032,76FA1310,?), ref: 00AF50B9
BCryptGetProperty.BCRYPT(?,ObjectLength,?,00000004,00000000,00000000,?,?,?,B5607032,76FA1310,?), ref: 00AF50E2
GetProcessHeap.KERNEL32(00000000,?,?,?,?,B5607032,76FA1310,?), ref: 00AF50ED
HeapAlloc.KERNEL32(00000000,?,?,?,B5607032,76FA1310,?), ref: 00AF50F4
BCryptGetProperty.BCRYPT(?,HashDigestLength,?,00000004,00000000,00000000,?,?,?,B5607032,76FA1310,?), ref: 00AF5123
BCryptCreateHash.BCRYPT(?,?,?,?,00000000,00000000,00000000,?,?,?,B5607032,76FA1310,?), ref: 00AF5145

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AF5452

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

:note path = %s, xrefs: 00AF5BF2
ObjectLength, xrefs: 00AF50D7
SHA256, xrefs: 00AF50AB
preprocess, xrefs: 00AF5E5C
:exclude systemdrive, xrefs: 00AF5B80
%S, xrefs: 00AF5F1C
Version:%.2f, xrefs: 00AF5B37
:exclude systemfolder, xrefs: 00AF5BAC
{lbg, xrefs: 00AF53C3
-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9, xrefs: 00AF5054, 00AF5156, 00AF5157
:do not delete itself, xrefs: 00AF5B96
:In Path = %ws, xrefs: 00AF6101
:initial run powershell path = %s, xrefs: 00AF5C28
.exe, xrefs: 00AF627F
error: load note, xrefs: 00AF5DAF
encrypt system, xrefs: 00AF5E9A
load_note:note length is too long.(< 8KB), xrefs: 00AF566D
HashDigestLength, xrefs: 00AF5118
--start--, xrefs: 00AF5865
:use networkdrive, xrefs: 00AF5B6A
-----BEGIN PUBLIC KEY-----, xrefs: 00AF4F25, 00AF4F7E, 00AF503D, 00AF504E, 00AF504F, 00AF5065
vi:nsdfpk:t:w:Vx:, xrefs: 00AF5934
powershell -Command "& {%s}", xrefs: 00AF5CE3
powershell -executionpolicy bypass -File %s, xrefs: 00AF5C39
-----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf, xrefs: 00AF54A4, 00AF54AE
%s.exe, xrefs: 00AF62C7
error: load key, xrefs: 00AF5D8E
$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |, xrefs: 00AF5857
load_note:File open error, xrefs: 00AF563C
cmd /c ping localhost -n 3 > nul & del %s, xrefs: 00AF62DF
-----END PUBLIC KEY-----, xrefs: 00AF4FD4, 00AF5028, 00AF533E
:keyfile path = %s, xrefs: 00AF5BDA
:initial run powershell from predefined variable., xrefs: 00AF5CCD
-----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----, xrefs: 00AF5436, 00AF549F
:System, xrefs: 00AF5E90
:do not use preprocess, xrefs: 00AF5BC2
j?j, xrefs: 00AF543D
: option requires an argument -- , xrefs: 00AF598C
: illegal option -- , xrefs: 00AF5AC5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalCryptSection$Init_thread_footer$EnterHeapLeaveProperty$AlgorithmAllocConditionCreateHashOpenProcessProviderVariableWake
String ID: -----END PUBLIC KEY-----$$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |$%S$%s.exe$-----BEGIN PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9$-----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----$-----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf$--start--$.exe$: illegal option -- $: option requires an argument -- $:In Path = %ws$:System$:do not delete itself$:do not use preprocess$:exclude systemdrive$:exclude systemfolder$:initial run powershell from predefined variable.$:initial run powershell path = %s$:keyfile path = %s$:note path = %s$:use networkdrive$HashDigestLength$ObjectLength$SHA256$Version:%.2f$cmd /c ping localhost -n 3 > nul & del %s$encrypt system$error: load key$error: load note$j?j$load_note:File open error$load_note:note length is too long.(< 8KB)$powershell -Command "& {%s}"$powershell -executionpolicy bypass -File %s$preprocess$vi:nsdfpk:t:w:Vx:${lbg
API String ID: 1619380481-527398421
Opcode ID: e5a2c54b4d37bdaeba9fadbd8ef8d58c2f0441b3ab8547f5a3dd35dc9e54be46
Instruction ID: 1a18731111a6d73ce12a2bad57958052bb03400120a4bf91dfe67b8de51465d2
Opcode Fuzzy Hash: e5a2c54b4d37bdaeba9fadbd8ef8d58c2f0441b3ab8547f5a3dd35dc9e54be46
Instruction Fuzzy Hash: 6D120231D047489ADB11CFB8CC05BF8BBB1BF55304F1443E9EA596B2A2EB715A85CB50

Function 00AEFA00 Relevance: 56.9, APIs: 16, Strings: 16, Instructions: 923fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,B5607032,?,?,?,?,?,00B52F51,000000FF), ref: 00AEFA4C
SetFileAttributesW.KERNELBASE(?,00000000,?,B5607032,?,?,?,?,?,00B52F51,000000FF), ref: 00AEFA5B
__Init_thread_footer.LIBCMT ref: 00AEFBB6
__fread_nolock.LIBCMT ref: 00AEFC19
__Init_thread_footer.LIBCMT ref: 00AEFC96
__Init_thread_footer.LIBCMT ref: 00AEFD72
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF009D
__fread_nolock.LIBCMT ref: 00AF02F8
__Init_thread_footer.LIBCMT ref: 00AF0484
__Init_thread_footer.LIBCMT ref: 00AEFE6A

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

BCryptEncrypt.BCRYPT(?,?,00000020,?), ref: 00AEFF97
__fread_nolock.LIBCMT ref: 00AF012B
BCryptEncrypt.BCRYPT(?,?,00000020,00B67C24,00000000,00000000,?,00000000,00000000,00000004), ref: 00AEFFD7

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AF06CA
wsprintfW.USER32 ref: 00AF07C7
MoveFileW.KERNEL32(?,?), ref: 00AF085C

Strings

{}o., xrefs: 00AF0430
File open error : %s, xrefs: 00AEFA8D
File already have locker Extension., xrefs: 00AF0644
Read File Error, xrefs: 00AF0627
ckj{, xrefs: 00AEFDF9
MEDUSA, xrefs: 00AEFC6A, 00AEFCDE
.MEDUSA, xrefs: 00AF0465, 00AF04CD, 00AF04F9, 00AF04FA
MEDUSA, xrefs: 00AEFB8A, 00AEFBF8, 00AEFC15
.MEDUSA, xrefs: 00AF06AB, 00AF0713, 00AF073F, 00AF0740
{}o., xrefs: 00AF067D
File Size is Zero., xrefs: 00AEFAE1
MEDUSA, xrefs: 00AEFD46, 00AEFDC1
., xrefs: 00AEFE0C
File is already encrypted., xrefs: 00AEFDD3
rb+, xrefs: 00AEFA61
%s%s, xrefs: 00AF07C1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$CriticalSection$File__fread_nolock$AttributesCryptEncryptEnterLeave$ConditionMoveUnothrow_t@std@@@VariableWake__ehfuncinfo$??2@wsprintf
String ID: %s%s$.$.MEDUSA$.MEDUSA$File Size is Zero.$File already have locker Extension.$File is already encrypted.$File open error : %s$MEDUSA$MEDUSA$MEDUSA$Read File Error$ckj{$rb+${}o.${}o.
API String ID: 4228427841-3940126098
Opcode ID: 12f7c9497bb730c36b13c1a142043afc80f000746b054b073e769630b5d8abeb
Instruction ID: 7c6861ada403eee25550c50c4baf675b4e0cfc326176dadbe09dc3963f8822ae
Opcode Fuzzy Hash: 12f7c9497bb730c36b13c1a142043afc80f000746b054b073e769630b5d8abeb
Instruction Fuzzy Hash: 768246709442989EDB65DB68DC49BEE77B4AF04344F1441E8F50CA72A3DBB09AC8CF25

Function 00AE1A10 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 224
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BCryptDestroyKey.BCRYPT ref: 00AE1A3F
CryptStringToBinaryA.CRYPT32(-----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf,-----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf,00000007,00000000,00000000,00000000,00000000), ref: 00AE1A7E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE1A96
HeapAlloc.KERNEL32(00000000), ref: 00AE1A99
CryptStringToBinaryA.CRYPT32(-----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf,00000000,00000007,00000000,?,00000000,00000000), ref: 00AE1ACD
CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000), ref: 00AE1B02
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE1B14
HeapAlloc.KERNEL32(00000000), ref: 00AE1B17
CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,?,?), ref: 00AE1B53
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE1BD9
HeapAlloc.KERNEL32(00000000), ref: 00AE1BDC
BCryptImportKeyPair.BCRYPT(?,00000000,RSAPUBLICBLOB,?,?,?,00000000), ref: 00AE1C87
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE1C98
HeapFree.KERNEL32(00000000), ref: 00AE1CA1
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE1CAB
HeapFree.KERNEL32(00000000), ref: 00AE1CAE
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE1CB3
HeapFree.KERNEL32(00000000), ref: 00AE1CB6

Strings

RSAPUBLICBLOB, xrefs: 00AE1C7D
`n4w`o3w, xrefs: 00AE1A61
-----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf, xrefs: 00AE1A45, 00AE1A78, 00AE1A79, 00AE1AC8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Heap$CryptProcess$AllocFree$BinaryDecodeObjectString$DestroyImportPair
String ID: -----BEGIN RSA PUBLIC KEY-----MIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9YX6efB8NfqGdB1uTnxhCzPqX2tSf$RSAPUBLICBLOB$`n4w`o3w
API String ID: 457515451-3936801596
Opcode ID: 1dc779902f5d38fed62334b37c4798e988484ce8ad4a78b4434c782be4c1659c
Instruction ID: 3c2ba7ca68e3422190f7ce35d713a3a2f3dfa8416ef9fe5d5f24553f2fb2a9a4
Opcode Fuzzy Hash: 1dc779902f5d38fed62334b37c4798e988484ce8ad4a78b4434c782be4c1659c
Instruction Fuzzy Hash: E081C471E40368ABDB209B55DC45FE9B7B8EF48740F1441D5F648EB290D6B1AEC08FA4

Function 00AF37C0 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 409
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AF386B

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Part of subcall function 00AF3E40: __Init_thread_footer.LIBCMT ref: 00AF3EB8

__Init_thread_footer.LIBCMT ref: 00AF3B2F
__Init_thread_footer.LIBCMT ref: 00AF3D77

Strings

GKZ., xrefs: 00AF3D19
vssadmin Delete Shadows /all /quiet, xrefs: 00AF3842, 00AF38B3
j<j, xrefs: 00AF3AEF
vssadmin resize shadowstorage /for=%s /on=%s /maxsize=401MB, xrefs: 00AF3AE8, 00AF3B87
zoolz.exe, xrefs: 00AF37E1
V]GT, xrefs: 00AF3A84
vssadmin Delete Shadows /all /quiet, xrefs: 00AF3D4E, 00AF3DC2
delete_shadow_copies, xrefs: 00AF37ED

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave$ConditionVariableWake
String ID: GKZ.$V]GT$delete_shadow_copies$j<j$vssadmin Delete Shadows /all /quiet$vssadmin Delete Shadows /all /quiet$vssadmin resize shadowstorage /for=%s /on=%s /maxsize=401MB$zoolz.exe
API String ID: 4264893276-700526847
Opcode ID: 54cdc15c258af094abc0cfbe4499e839aa48fe3c93c3bebff853cc431be2c9fd
Instruction ID: 66227c3ef112f3c41f1aa689f1c32fecabda2c3149757b55a25ee2b941599a0f
Opcode Fuzzy Hash: 54cdc15c258af094abc0cfbe4499e839aa48fe3c93c3bebff853cc431be2c9fd
Instruction Fuzzy Hash: ED02C5319102598BDB25CB78CD46BFDB7B1AF59304F0482E9E54DA71A2EB30ABC5CB50

Function 00AF15A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNELBASE(00000000,00000000,B5607032,?,?), ref: 00AF160A
GetLogicalDriveStringsW.KERNELBASE(00000000,00000000), ref: 00AF164C
GetDriveTypeW.KERNEL32(?), ref: 00AF1661
GetDiskFreeSpaceExW.KERNELBASE(?,?,00000000,00000000), ref: 00AF1672

Strings

:, xrefs: 00AF168A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Drive$LogicalStrings$DiskFreeSpaceType
String ID: :
API String ID: 491702994-336475711
Opcode ID: d2d4bd55c3c392102a3b505ae98c875e9c9d305e8b886e328822bf7df2c64640
Instruction ID: 58128b7f73af1840e9482fd313cb24fbc3cd7475b7078fce1a85cc412ce53005
Opcode Fuzzy Hash: d2d4bd55c3c392102a3b505ae98c875e9c9d305e8b886e328822bf7df2c64640
Instruction Fuzzy Hash: F04137B1D10219DFDB10DFA8D945BAEBBF4FB48700F14826AE815A7380EB756945CB90

Function 00AE1520 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AFE863: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00AFE86F

BCryptOpenAlgorithmProvider.BCRYPT(00000005,AES,00000000,00000000,00000007,00000000,string too long,00AE2096,00000007,?,00AE1280,00969E88,00969E87), ref: 00AE1580
BCryptOpenAlgorithmProvider.BCRYPT(00000008,RSA,00000000,00000000,?,00AE1280,00969E88,00969E87), ref: 00AE1592

Strings

RSA, xrefs: 00AE158C
AES, xrefs: 00AE1541
string too long, xrefs: 00AE1520

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AlgorithmCryptOpenProvider$std::invalid_argument::invalid_argument
String ID: AES$RSA$string too long
API String ID: 519036944-4292978783
Opcode ID: d4e463c40b89a927d8fa1a5b3dee5626d6d2748e56e9fee848a3575bb9c1427a
Instruction ID: ad3dfdb2e24df1a8f3c7b5b3c4a53fe6b33eac136b0c6fa9e141aac2775e4f41
Opcode Fuzzy Hash: d4e463c40b89a927d8fa1a5b3dee5626d6d2748e56e9fee848a3575bb9c1427a
Instruction Fuzzy Hash: DCF01DB0184705AFE3309F15DC19B53BBF8EB44B05F00495DE48597A90DBF9A4058BA1

Function 00AF4A80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

default key:%d, xrefs: 00AF4E18
-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9, xrefs: 00AF4D2D, 00AF4E25

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9$default key:%d
API String ID: 0-2982882179
Opcode ID: b3eae31baaefc13e9e676e157d5f2179968cac39cd28131736b16defd8dad791
Instruction ID: a55978a8baa8e9b4c32ad53c781f6a15e9c07090c8edc17d98e23dee8063846b
Opcode Fuzzy Hash: b3eae31baaefc13e9e676e157d5f2179968cac39cd28131736b16defd8dad791
Instruction Fuzzy Hash: 3E117FB1A402443BDB11A774DC02FBAB7A8EF45704F1446BCFB08AB2C2D97569458664

Function 00B16F75 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNELBASE(?,?,00B16B89,?,00000022,00000000,00000002,?,?,00B0C51B,00000004,00B066F8,?,00000004,00B07EB7,00000000), ref: 00B16F97
GetLocaleInfoW.KERNEL32(00000000,?,?,?,?,?,00B16B89,?,00000022,00000000,00000002,?,?,00B0C51B,00000004,00B066F8), ref: 00B16FA2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e67c3ef93d257112e0af41c18051cecd6a087fe4be8b57303d028d98cd4ac0b8
Instruction ID: a6e655aae290b027feb1b59cfc2a52ef6f34536196c6f064f1833183fe08ded2
Opcode Fuzzy Hash: e67c3ef93d257112e0af41c18051cecd6a087fe4be8b57303d028d98cd4ac0b8
Instruction Fuzzy Hash: 38E0EC32504628FB8F022F90FC489DE7F69EB04761B440095F90957521CF7698A2AB91

Function 00B43CED Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ce3eefb7f0640314cdb8497ab014cb07f837dc48b3aa8940f740277c13940c
Instruction ID: 53fc62c34358a8f5c310833decb78b42846198f295724ea2dc983c1ba6ed4f2c
Opcode Fuzzy Hash: 65ce3eefb7f0640314cdb8497ab014cb07f837dc48b3aa8940f740277c13940c
Instruction Fuzzy Hash: 46F03932A11328ABCB26CB48E845A99B3F8EB49B61F5550E6F505EB250C7B0DF40DBD1

Function 00AF4260 Relevance: 30.3, APIs: 13, Strings: 4, Instructions: 509
filepipeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,?,?,?,?,?), ref: 00AF434A
SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?), ref: 00AF4368
CreatePipe.KERNELBASE(00000000,00000000,0000000C,00000000,?,?,?,?,?,?), ref: 00AF4389
SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?), ref: 00AF43A1
CreateProcessA.KERNELBASE(?,?,00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,?), ref: 00AF443E
CloseHandle.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,?), ref: 00AF4450
CloseHandle.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,?), ref: 00AF4458
ReadFile.KERNELBASE(00000000,?,00001000,?,00000000,?,?,00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,?), ref: 00AF4485
ReadFile.KERNELBASE(00000000,?,00001000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000), ref: 00AF45BA
ReadFile.KERNELBASE(00000000,?,00001000,?,00000000,?,?,00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,?), ref: 00AF45E9
ReadFile.KERNELBASE(00000000,?,00001000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,?,00000000), ref: 00AF4720
__Init_thread_footer.LIBCMT ref: 00AF484E
wsprintfW.USER32 ref: 00AF494D

Strings

., xrefs: 00AF47EA
$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |, xrefs: 00AF4A07, 00AF4A1A, 00AF4A1D
!!!READ_ME_MEDUSA!!!.txt, xrefs: 00AF4823, 00AF4876, 00AF488D, 00AF48B9, 00AF48BA
%s\%s, xrefs: 00AF4947

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FileHandleRead$Create$CloseInformationPipe$Init_thread_footerProcesswsprintf
String ID: !!!READ_ME_MEDUSA!!!.txt$$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |$%s\%s$.
API String ID: 1244822653-1301308757
Opcode ID: a1f45b038bdafdf220f63b5bb900149991fe70582d56a3ee49aa54b6033ccd42
Instruction ID: bbff0fb7f7572abce5ec191bc29813cbfdb04cdd5736c4277f65cd5e489bf912
Opcode Fuzzy Hash: a1f45b038bdafdf220f63b5bb900149991fe70582d56a3ee49aa54b6033ccd42
Instruction Fuzzy Hash: 4222A2719002A89BEB20DB64CD85BEAB7B9AF05344F0042D9F588A7291DBB45FC8CF54

Function 00B1496C Relevance: 22.8, APIs: 15, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

__Getcoll.LIBCPMT ref: 00B14997

Part of subcall function 00B131F8: __EH_prolog3.LIBCMT ref: 00B131FF
Part of subcall function 00B131F8: std::_Lockit::_Lockit.LIBCPMT ref: 00B13209
Part of subcall function 00B131F8: std::_Lockit::~_Lockit.LIBCPMT ref: 00B1327A

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B149AB
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B149C0
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B149FE
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14A11
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14A57
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14A8B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14AE8
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14B46
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14B59

Part of subcall function 00B02777: __EH_prolog3.LIBCMT ref: 00B0277E
Part of subcall function 00B02777: std::_Lockit::_Lockit.LIBCPMT ref: 00B02788
Part of subcall function 00B02777: std::_Lockit::~_Lockit.LIBCPMT ref: 00B0282C

Part of subcall function 00B1328D: __EH_prolog3.LIBCMT ref: 00B13294
Part of subcall function 00B1328D: std::_Lockit::_Lockit.LIBCPMT ref: 00B1329E
Part of subcall function 00B1328D: std::_Lockit::~_Lockit.LIBCPMT ref: 00B1330F

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14B76

Part of subcall function 00B02777: Concurrency::cancel_current_task.LIBCPMT ref: 00B02837
Part of subcall function 00B02777: __EH_prolog3.LIBCMT ref: 00B02844
Part of subcall function 00B02777: std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00B02870

Part of subcall function 00B133B7: __EH_prolog3.LIBCMT ref: 00B133BE
Part of subcall function 00B133B7: std::_Lockit::_Lockit.LIBCPMT ref: 00B133C8
Part of subcall function 00B133B7: std::_Lockit::~_Lockit.LIBCPMT ref: 00B13439

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14B93

Part of subcall function 00B13322: __EH_prolog3.LIBCMT ref: 00B13329
Part of subcall function 00B13322: std::_Lockit::_Lockit.LIBCPMT ref: 00B13333
Part of subcall function 00B13322: std::_Lockit::~_Lockit.LIBCPMT ref: 00B133A4

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14BB0
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14BFF
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B14C43

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Locimp::_std::locale::_$AddfacLocimp_$Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetcollMakeloc
String ID:
API String ID: 685370067-0
Opcode ID: 12d626858a0b63cf62999beb887fdb5db506141b204791a5178b87db22ad65d8
Instruction ID: 4edbdc028b9506dd55c2238f422e6f2f9a6a67a4fff6c580e73480996f53d54e
Opcode Fuzzy Hash: 12d626858a0b63cf62999beb887fdb5db506141b204791a5178b87db22ad65d8
Instruction Fuzzy Hash: 5A810671D05211AAD7246B758C46BBFBEF8EF02760F9484DCF858A7281EF718E4487A1

Function 00AF1870 Relevance: 21.8, APIs: 5, Strings: 7, Instructions: 813sleepCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00AF1A45

Part of subcall function 00AE4AD0: __Stat.LIBCPMT ref: 00AE4AFF

__To_byte.LIBCPMT ref: 00AF1C91

Part of subcall function 00B00066: AreFileApisANSI.KERNEL32(?,00AF1C96,00000000,?,?,?,00000000,?,00000048,?,B5607032), ref: 00B00069
Part of subcall function 00B00066: WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,?,00000104,00000000,00000000,?,00AF1C96,00000000,?,?,?,00000000), ref: 00B00087

__Init_thread_footer.LIBCMT ref: 00AF1F40
Sleep.KERNELBASE(000001F4,?,?,?,0000002E,B5607032,?,00000000,00000000,!!!READ_ME_MEDUSA!!!.txt,?,00000000,?,00000048,?,B5607032), ref: 00AF2235
__Read_dir.LIBCPMT ref: 00AF23D3

Strings

invalid wchar_t filename argument, xrefs: 00AF24B3
skipped : %ls, xrefs: 00AF1A3F
%ls, xrefs: 00AF1A52
too long filename: %s, xrefs: 00AF1C03
., xrefs: 00AF1EDC
!!!READ_ME_MEDUSA!!!.txt, xrefs: 00AF1F15, 00AF1F68, 00AF1F7D, 00AF1FA9, 00AF1FAA
.dll, xrefs: 00AF1DB0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ApisByteCharFileInit_thread_footerMultiRead_dirSleepStatTo_byteWidewsprintf
String ID: !!!READ_ME_MEDUSA!!!.txt$%ls$.$.dll$invalid wchar_t filename argument$skipped : %ls$too long filename: %s
API String ID: 241826219-2504891108
Opcode ID: 584f6ad3bb9ec2f32cf2e28c2e6c46c47178c85020bd0004987669a18b991f2f
Instruction ID: a26bf6bfac6024aab3d12b82c969e0a41446d2b83d0411098628f3375cfd6e63
Opcode Fuzzy Hash: 584f6ad3bb9ec2f32cf2e28c2e6c46c47178c85020bd0004987669a18b991f2f
Instruction Fuzzy Hash: 57620171A0025C8BDB28CB64CD85BEEB7B6AF45305F1081E8E609A7291DB75AFC4CF54

Function 00AF3500 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00AF35C5
__Init_thread_footer.LIBCMT ref: 00AF36F5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

net stop "%s" /y, xrefs: 00AF35AC, 00AF35EF, 00AF35FB
zoolz.exe, xrefs: 00AF3654, 00AF3660, 00AF367F, 00AF3731
kill_services processes, xrefs: 00AF351C
., xrefs: 00AF3579
taskkill /F /IM %s /T, xrefs: 00AF36DB, 00AF371D, 00AF3736
z., xrefs: 00AF369C
kill_services %s, xrefs: 00AF3565
kill_processes %s, xrefs: 00AF3680
Acronis VSS Provider, xrefs: 00AF3544, 00AF3564, 00AF35F6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$ConditionEnterLeaveVariableWake
String ID: .$Acronis VSS Provider$kill_processes %s$kill_services %s$kill_services processes$net stop "%s" /y$taskkill /F /IM %s /T$z.$zoolz.exe
API String ID: 1224567774-856189466
Opcode ID: e668deb61cf3ee8312065c8fcf1522a899a06a9f4f22f27f80b26e674970a667
Instruction ID: 1e32534c7b356a52e9ad0846df5e136fbdb8aa74aadb6fb9cd68714adcce26a3
Opcode Fuzzy Hash: e668deb61cf3ee8312065c8fcf1522a899a06a9f4f22f27f80b26e674970a667
Instruction Fuzzy Hash: E561D1725043815BDB10EB78DC46BBA77A0AF95304F044668FA589B3B2FF71D688C752

Function 00B02911 Relevance: 18.2, APIs: 12, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02942
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02955
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B0299A
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B029CE
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02A22
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02A35
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02A52
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02A6F
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02AAC
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00B02ABF
std::locale::_Locimp::_Makeushloc.LIBCPMT ref: 00B02ADB
std::locale::_Locimp::_Makeushloc.LIBCPMT ref: 00B02AE7

Part of subcall function 00AE3430: __Getctype.LIBCPMT ref: 00AE3449

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Locimp::_std::locale::_$AddfacLocimp_$LockitMakeushlocstd::_$GetctypeLockit::_Lockit::~_
String ID:
API String ID: 1289230215-0
Opcode ID: a346088a0eee2c7084118a9c202255439966c3a57625ea5cb5395d921835c2bc
Instruction ID: 8dad8d673eb184be443fc5e8789a62cb479a00133187c9267ad611865b612e91
Opcode Fuzzy Hash: a346088a0eee2c7084118a9c202255439966c3a57625ea5cb5395d921835c2bc
Instruction Fuzzy Hash: 0C519071A002157AE7217B754C4AB7F6EECEF423A0F4480E9F914962D2EF758D0896A1

Function 00B4E824 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4E56B: CreateFileW.KERNELBASE(00000000,00000000,?,00B4E8CD,?,?,00000000,?,00B4E8CD,00000000,0000000C), ref: 00B4E588

GetLastError.KERNEL32 ref: 00B4E938
__dosmaperr.LIBCMT ref: 00B4E93F
GetFileType.KERNELBASE(00000000), ref: 00B4E94B
GetLastError.KERNEL32 ref: 00B4E955
__dosmaperr.LIBCMT ref: 00B4E95E
CloseHandle.KERNEL32(00000000), ref: 00B4E97E
CloseHandle.KERNEL32(00000000), ref: 00B4EACB
GetLastError.KERNEL32 ref: 00B4EAFD
__dosmaperr.LIBCMT ref: 00B4EB04

Strings

H, xrefs: 00B4EA89

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 189282f5ebeb833048bdcceea3ae1488fda2acf88c7289a9e8c92266ce3d22f4
Instruction ID: b1d4dbee682fbbaaee45e5f914be23116938334062b0848275110351034242b0
Opcode Fuzzy Hash: 189282f5ebeb833048bdcceea3ae1488fda2acf88c7289a9e8c92266ce3d22f4
Instruction Fuzzy Hash: 54A1F132A041549FCF19DF78D8917AD7BE0EF06324F284199E825EB292DB34CE52DB51

Function 00AF4780 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00AF494D

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AF484E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

load_encryption_key:File open error, xrefs: 00AF4BF3
default key:%d, xrefs: 00AF4E18
., xrefs: 00AF47EA
-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9, xrefs: 00AF4D2D, 00AF4E25
$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |, xrefs: 00AF4A07, 00AF4A1A, 00AF4A1D
%s\%s, xrefs: 00AF4947
!!!READ_ME_MEDUSA!!!.txt, xrefs: 00AF4823, 00AF4876, 00AF488D, 00AF48B9, 00AF48BA

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWakewsprintf
String ID: !!!READ_ME_MEDUSA!!!.txt$$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |$%s\%s$-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3my9$.$default key:%d$load_encryption_key:File open error
API String ID: 247313798-3375616742
Opcode ID: 6bdd6ad0bed736e5a747e9803f52e069e71c9b99c0a36f968a75662923033a94
Instruction ID: 122d59a9587c121a406e054e3f20b58b67dc0b37fbe8d55005c59a4543bb1483
Opcode Fuzzy Hash: 6bdd6ad0bed736e5a747e9803f52e069e71c9b99c0a36f968a75662923033a94
Instruction Fuzzy Hash: 99716AB0A142589FDB24DF24CC86BEE73B4EF45304F0042E8F60967292EB745AC8CB58

Function 00AF2580 Relevance: 15.0, APIs: 1, Strings: 7, Instructions: 1014COMMON

Download Yara Rule

APIs

Part of subcall function 00AF6B70: __Open_dir.LIBCPMT ref: 00AF6C29

__Read_dir.LIBCPMT ref: 00AF3427

Strings

ProgramData, xrefs: 00AF31DD
Program Files (x86), xrefs: 00AF300D
Program Files, xrefs: 00AF2E3E
Windows, xrefs: 00AF26D8
PerfLogs, xrefs: 00AF2A76
Windows.old, xrefs: 00AF28A6
MSOCache, xrefs: 00AF2C46

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Open_dirRead_dir
String ID: MSOCache$PerfLogs$Program Files$Program Files (x86)$ProgramData$Windows$Windows.old
API String ID: 1548678592-2725118275
Opcode ID: a4832b3248c7a9777f44e0ceb83c43bc81b61e02d769cf1875c5e80411398eb9
Instruction ID: 5f19fab87ae5412bea89d2d3d1eaeb2443a5d7b7417ef928675e64323f238206
Opcode Fuzzy Hash: a4832b3248c7a9777f44e0ceb83c43bc81b61e02d769cf1875c5e80411398eb9
Instruction Fuzzy Hash: 5592E231A0111C8BDF2ADB64CD89BEDB7B9AF44304F5482D8E509AB291DB35AF85CF50

Function 00B0C344 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00B0C34B
_Maklocstr.LIBCPMT ref: 00B0C3B4
_Maklocstr.LIBCPMT ref: 00B0C3C6
_Maklocchr.LIBCPMT ref: 00B0C3DE
_Maklocchr.LIBCPMT ref: 00B0C3EE
_Getvals.LIBCPMT ref: 00B0C410

Part of subcall function 00B05008: _Maklocchr.LIBCPMT ref: 00B05037
Part of subcall function 00B05008: _Maklocchr.LIBCPMT ref: 00B0504D

Strings

true, xrefs: 00B0C3C1
false, xrefs: 00B0C3AF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: bcd538ff53236fee33a32622925f74c609846501e27c187c8b405247cf614632
Instruction ID: f45834a524064b2834b8e73cddcaa400c9853db7336daf5b3c4371519aebe2d7
Opcode Fuzzy Hash: bcd538ff53236fee33a32622925f74c609846501e27c187c8b405247cf614632
Instruction Fuzzy Hash: 622153B1D44318AADF14EFA4D846ADF7FF8EF04710F108596B904AF192DB709644CBA1

Function 00B4257C Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98c9d64bc1be49039df14bb15ab00596665cb715777e3eaf0c3ec74ee06ac9c
Instruction ID: 35efd2a5e66b077297b5a1d41f7f55f1b504d49c0f83a498bbd36c39e337c91a
Opcode Fuzzy Hash: c98c9d64bc1be49039df14bb15ab00596665cb715777e3eaf0c3ec74ee06ac9c
Instruction Fuzzy Hash: 28C1BD74A04209AFDF15DFA8C881BADBBF0EF49310F5440D9F945AB292CB709E41EB65

Function 00AF3ED0 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00AF4122

Part of subcall function 00AEFA00: GetFileAttributesW.KERNELBASE(?,B5607032,?,?,?,?,?,00B52F51,000000FF), ref: 00AEFA4C
Part of subcall function 00AEFA00: SetFileAttributesW.KERNELBASE(?,00000000,?,B5607032,?,?,?,?,?,00B52F51,000000FF), ref: 00AEFA5B

GetTickCount64.KERNEL32 ref: 00AF4190
wsprintfW.USER32 ref: 00AF41C5

Strings

too long filename, xrefs: 00AF412F
encrypt %d %ls %ld, xrefs: 00AF41BF
%ls, xrefs: 00AF41D2
SystemDrive, xrefs: 00AF3F00

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AttributesCount64FileTick$wsprintf
String ID: %ls$SystemDrive$encrypt %d %ls %ld$too long filename
API String ID: 2307605127-958896483
Opcode ID: dca5d4db6d894392323aa7b2c029a49b535a343ee6bb2ef80f2e0b2b606ccfc0
Instruction ID: 782308e015a10062e3a804e485425253ce268a705f46d29c779de876f259962d
Opcode Fuzzy Hash: dca5d4db6d894392323aa7b2c029a49b535a343ee6bb2ef80f2e0b2b606ccfc0
Instruction Fuzzy Hash: 2FA12731A0010C9FDF14DFA4CD85BEEB7B5EF48314F1082A8F619A7681DB35AA84CB54

Function 00B0C41D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00B0C424
_Maklocstr.LIBCPMT ref: 00B0C48B
_Maklocstr.LIBCPMT ref: 00B0C49D
_Maklocchr.LIBCPMT ref: 00B0C4B5
_Maklocchr.LIBCPMT ref: 00B0C4C5

Strings

true, xrefs: 00B0C498
false, xrefs: 00B0C486

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID: false$true
API String ID: 2404127365-2658103896
Opcode ID: cd0f3c869af005d7cd91662a6a42736655d01dcc298b483a0ccf2bcabf52d335
Instruction ID: 9be74ae3331f742d11e9addbf5b1b86315192151dd998a83ad5c012a154afb97
Opcode Fuzzy Hash: cd0f3c869af005d7cd91662a6a42736655d01dcc298b483a0ccf2bcabf52d335
Instruction Fuzzy Hash: D2214FB5C04348AADB24EFA5C845A9FBBF8EF44700F10859AF905AF691EB74D540CF60

Function 00AFE340 Relevance: 10.7, APIs: 7, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AFE3D8
___std_exception_copy.LIBVCRUNTIME ref: 00AFE405
___std_exception_destroy.LIBVCRUNTIME ref: 00AFE479
___std_exception_destroy.LIBVCRUNTIME ref: 00AFE436

Part of subcall function 00AFF6EF: shared_ptr.LIBCPMT ref: 00AFF6F7

__Mtx_unlock.LIBCPMT ref: 00AFE492
__Cnd_destroy_in_situ.LIBCPMT ref: 00AFE55E
__Mtx_destroy_in_situ.LIBCPMT ref: 00AFE567

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy$Cnd_destroy_in_situMtx_destroy_in_situMtx_unlockshared_ptr
String ID:
API String ID: 51637715-0
Opcode ID: eabab2316ac32b16aaa9cbdf275332f5a12ded49b344265b2e5390d4ed089619
Instruction ID: 9627384525ec7a45fc37ef0d698d7297e6fcdb6ee937ddbc4f777cbbb347773f
Opcode Fuzzy Hash: eabab2316ac32b16aaa9cbdf275332f5a12ded49b344265b2e5390d4ed089619
Instruction Fuzzy Hash: FF617CB1D0020DABCB10DFE4D985BEEBBF8AF48304F144169F915A7251EB75A648CBA1

Function 00B42D8F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00B42DE6
ext-ms-, xrefs: 00B42DFA

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d82f8fae5fcff94ec3a9a7d8b9f13ca817fe9af01bce59b2453014af67a6419d
Instruction ID: 8bea82201c87134a793fb26587a2dcb4bd1b430eb81f124fe9f13e9537130b56
Opcode Fuzzy Hash: d82f8fae5fcff94ec3a9a7d8b9f13ca817fe9af01bce59b2453014af67a6419d
Instruction Fuzzy Hash: 6E21D575A41321EBCB215B659C84B2B77E8DF01B61FA505E4FD06A7291DA70EE00F5E0

Function 00B1349C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

std::_Facet_Register.LIBCPMT ref: 00B134AE
std::_Lockit::~_Lockit.LIBCPMT ref: 00B134CE
Concurrency::cancel_current_task.LIBCPMT ref: 00B134DB

Strings

bG, xrefs: 00B134D5
F, xrefs: 00B1357D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Concurrency::cancel_current_taskFacet_LockitLockit::~_Register
String ID: bG$F
API String ID: 967005056-2127308840
Opcode ID: 4ca8f01180e6aa7f8432057bf7ca6a0c33538a94f308c51385a16ea7f5af85a6
Instruction ID: 7f84a96ce51c354b1bb0b4d1df6cd15d754b98861bb559df6538849f1fa0afda
Opcode Fuzzy Hash: 4ca8f01180e6aa7f8432057bf7ca6a0c33538a94f308c51385a16ea7f5af85a6
Instruction Fuzzy Hash: 47E0D87560415C9FCB08EB68D9455BD7BF4AF84320B64058AE425A33E2DF745E42CB51

Function 00B3FFB6 Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B43D62: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44C98,00001000,?,?,?,?,00B33988,?,?), ref: 00B43D94

_free.LIBCMT ref: 00B400C5
_free.LIBCMT ref: 00B400DC
_free.LIBCMT ref: 00B400F9
_free.LIBCMT ref: 00B40114
_free.LIBCMT ref: 00B4012B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 050c1036b4bdd7d3228a22fbe51fff4494aa6e92111b66c3852a05cd3f1fd04b
Instruction ID: 5bc3d57c1f26e36eda2119f10f173951f5901df08fb0dbc0f42e1ebd6c74803c
Opcode Fuzzy Hash: 050c1036b4bdd7d3228a22fbe51fff4494aa6e92111b66c3852a05cd3f1fd04b
Instruction Fuzzy Hash: 8751B332A10209AFDB20EF29C841B6A77F5EF58720F1445A9EA49E7261E771DB01EB44

Function 00AFBD80 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00AFBE42
__Mtx_unlock.LIBCPMT ref: 00AFBFCC
__Cnd_signal.LIBCPMT ref: 00AFC014
__Mtx_unlock.LIBCPMT ref: 00AFC065

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_signalMtx_init_in_situ
String ID:
API String ID: 1712778520-0
Opcode ID: dd4ea08d88ae5594f75c1552f3bb556f8bdd08b9dea5e302c4e5ffadeff116a1
Instruction ID: b82826a0f209af2f74b2c876230ca3377fde37ee522c6926ff35b4a4c1de79fc
Opcode Fuzzy Hash: dd4ea08d88ae5594f75c1552f3bb556f8bdd08b9dea5e302c4e5ffadeff116a1
Instruction Fuzzy Hash: A2A1E270900349CFDB11CFA4C941BAEBBF4EF19304F14819DE859AB3A2EB759A45CB91

Function 00AE3F30 Relevance: 4.7, APIs: 3, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AF7630: __Mtx_unlock.LIBCPMT ref: 00AF76AB

__Mtx_unlock.LIBCPMT ref: 00AE4091
__Mtx_unlock.LIBCPMT ref: 00AE4101
__Mtx_destroy_in_situ.LIBCPMT ref: 00AE4127

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Mtx_destroy_in_situ
String ID:
API String ID: 1417551972-0
Opcode ID: c70fd3116a7843f5b1e1cb28e9520e137f9c62e61b33553fe5e32308ee2d8df4
Instruction ID: 92e06a57d409e315fcdd6a6ab13302f5f17e4023f34b686b3c8ca54e23420c61
Opcode Fuzzy Hash: c70fd3116a7843f5b1e1cb28e9520e137f9c62e61b33553fe5e32308ee2d8df4
Instruction Fuzzy Hash: 0B51E371D002599FCF10DF95C845BEEBBF8AF09314F0801A9E805AB382D735AA45CBE1

Function 00B457EB Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B44F80: GetConsoleCP.KERNEL32(00000000,00000000,00000000), ref: 00B44FC8

WriteFile.KERNELBASE(?,00000000,?,?,00000000,0000000C,00000000,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00B4593C
GetLastError.KERNEL32 ref: 00B45946
__dosmaperr.LIBCMT ref: 00B4598B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: 920ffc14cdfef6af68bbb9e592a40f13a756abc2982fa40f8baa288e73b2d9e5
Instruction ID: a7c3f9b6fd2d9fa2fe36639564bb2891f753e8a2f2a81469b8ed2070813453ec
Opcode Fuzzy Hash: 920ffc14cdfef6af68bbb9e592a40f13a756abc2982fa40f8baa288e73b2d9e5
Instruction Fuzzy Hash: 0C518471900E1AEFDF219FA4C885BEE7BF9EF05364F140495E500AB193DA709E41ABA1

Function 00B3B5E3 Relevance: 4.6, APIs: 3, Instructions: 142COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

_free.LIBCMT ref: 00B3B692
_free.LIBCMT ref: 00B3B6C0
_free.LIBCMT ref: 00B3B708

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 98f7cf3c8ecc24591e267713c61299092bf176e2300c8c4246549191ef744f0d
Instruction ID: 86996b533b9458fb2d353c08d6b154d07ce4a30c0e89e294c76b1a9f41b056b1
Opcode Fuzzy Hash: 98f7cf3c8ecc24591e267713c61299092bf176e2300c8c4246549191ef744f0d
Instruction Fuzzy Hash: B1417C31600205EFDB24DFACC886E69B3E9EF89314F2405ADE555C7296DB31ED10EB50

Function 00B3B747 Relevance: 4.6, APIs: 3, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00B3B773
__cftoe.LIBCMT ref: 00B3B7A5
_free.LIBCMT ref: 00B3B7CB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: 819c4b2a404fd064672370bf943e758c343b3119fff2a2f57cb4e057bd2c3ac1
Instruction ID: 136c262fa3206c454ad3c83c3e6e77468061cd0f9445799d159d003bef5071db
Opcode Fuzzy Hash: 819c4b2a404fd064672370bf943e758c343b3119fff2a2f57cb4e057bd2c3ac1
Instruction Fuzzy Hash: C921F836804108BADF21AB95CC46EDF3BF8DFC5760F3041AAFA15E5195EB30CB0596A1

Function 00AF7455 Relevance: 4.6, APIs: 3, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF7467
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7488
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00AF7497

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$AddfacLocimp::_Locimp_Lockit::_Lockit::~_std::locale::_
String ID:
API String ID: 4268195171-0
Opcode ID: 1c49f9523a0a0282b033a574bacd6230abe76cb2ab813a9245280b3c6b1f076c
Instruction ID: c1750cdfa4cebf1560398bae3349b8406ec6065f725bf63f3be64c5516281083
Opcode Fuzzy Hash: 1c49f9523a0a0282b033a574bacd6230abe76cb2ab813a9245280b3c6b1f076c
Instruction Fuzzy Hash: 0231AD71A046069FDB14DFA4D845B6ABBF4EF44304F0441A9E90ACB361EF75ED80CB91

Function 00AF7300 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00AF7344

Part of subcall function 00B0378A: __EH_prolog3.LIBCMT ref: 00B03791
Part of subcall function 00B0378A: std::_Lockit::_Lockit.LIBCPMT ref: 00B0379C
Part of subcall function 00B0378A: std::locale::_Setgloballocale.LIBCPMT ref: 00B037B7
Part of subcall function 00B0378A: std::_Lockit::~_Lockit.LIBCPMT ref: 00B0380D

std::_Lockit::_Lockit.LIBCPMT ref: 00AF73B2
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AF73FA

Part of subcall function 00AE2E90: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AE2EB6
Part of subcall function 00AE2E90: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2F4A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Locinfo::_Lockit::_Lockit::~_std::locale::_$H_prolog3InitLocinfo_ctorLocinfo_dtorSetgloballocale
String ID:
API String ID: 2703978214-0
Opcode ID: fa82153e7d40753f31d6b611c67725178cd5a2600925016d44a983b42834d310
Instruction ID: 3b98cfce514d9b67fd0067dce2d32ab5ebde1e3dc69328de2cc45a1aa430788f
Opcode Fuzzy Hash: fa82153e7d40753f31d6b611c67725178cd5a2600925016d44a983b42834d310
Instruction Fuzzy Hash: 40415BB0C00788DEDB11CFA8C545B8EBFF4BF18704F10469AE449A7682E7B5A248CB51

Function 00B32D79 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00052C1D,00000000,00000000,00000000), ref: 00B32DC2
GetLastError.KERNEL32(?,00AE3E73,00000000,00000000), ref: 00B32DCE
__dosmaperr.LIBCMT ref: 00B32DD5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: df8b2dc84651e36b85bb6d5f091d708a6124d897949121892d3bf94de458d1f4
Instruction ID: 896e24a1ac578e61d44f6a2bca00308f4915edd2af90b2e8bb7e9d2b583aa018
Opcode Fuzzy Hash: df8b2dc84651e36b85bb6d5f091d708a6124d897949121892d3bf94de458d1f4
Instruction Fuzzy Hash: A3015A7650021AFFDF15AFA1DC06AAE3BE5EF00365F2041A8FC02A61A0DB70DE50DB90

Function 00B41E8B Relevance: 4.5, APIs: 3, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,0000000C,00000002,00000000,00000000,0000000C,00000000,?,?,?,00B41F38,00000000,0000000C,00000002,00000000), ref: 00B41EC4
GetLastError.KERNEL32(?,00B41F38,00000000,0000000C,00000002,00000000,?,00B45874,00000000,00000000,00000000,00000002,0000000C,00000000,00000000,?), ref: 00B41ECE
__dosmaperr.LIBCMT ref: 00B41ED5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 6f6094b037be3ce00ff4da14b7a7b9b892f51c37987bc4c8d3c2d05f90e5f55d
Instruction ID: cf00c4d95918e379727c4f72e914427e6bbb36fb0605da699db4717c1652a67f
Opcode Fuzzy Hash: 6f6094b037be3ce00ff4da14b7a7b9b892f51c37987bc4c8d3c2d05f90e5f55d
Instruction Fuzzy Hash: 87012836A10214EFCF05CF59DC0585E3B69DB85330B244684F911DB2D0EB70DE419B90

Function 00B45403 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00B45920,?,00000000,00000000,?,0000000C,00000000), ref: 00B4549F
GetLastError.KERNEL32(?,00B45920,?,00000000,00000000,?,0000000C,00000000,00000000,?,?,?,00000000,?,?,?), ref: 00B454C5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 1c0da0c9b8a69e9befb2ac1c9acbf46ed7a3332afaff6190a287ccf765216e63
Instruction ID: 52630ba526d83c008dbc0cf5e0229c8f358f10c1b9a683bf958dc7bb9950ddf8
Opcode Fuzzy Hash: 1c0da0c9b8a69e9befb2ac1c9acbf46ed7a3332afaff6190a287ccf765216e63
Instruction Fuzzy Hash: F3218230A006199BCF26CF19DC80ADDB7F9EF48312F1441E9E949D7315DA30DE829B60

Function 00B429E2 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B42A2E
GetFileType.KERNELBASE(00000000), ref: 00B42A40

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d967edfa00b46c8cff61191a48bcb9796e6311a1caa5d896de9b7efa4c635b2e
Instruction ID: 6e0c293203a402346894069ef2e40d8e935da8a61865e9fe7551ac81d583a733
Opcode Fuzzy Hash: d967edfa00b46c8cff61191a48bcb9796e6311a1caa5d896de9b7efa4c635b2e
Instruction Fuzzy Hash: 0C11A2311047524ECB314F3E8C886227AD5EB56330B780799F8B6C71F1CA30DE82B252

Function 00AE2E90 Relevance: 3.1, APIs: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AE2EB6
std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2F4A

Part of subcall function 00B36849: _free.LIBCMT ref: 00B3685C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~__free
String ID:
API String ID: 2189227594-0
Opcode ID: 8a45a674d731b1b828bf795a3f334e466690f7b0a250443f60a47ee696c1bf41
Instruction ID: 8fdb1be7d6d9b23fc5bcbe8d40a9ca55552f0ae3bce2642bcc6c9cac4b464d83
Opcode Fuzzy Hash: 8a45a674d731b1b828bf795a3f334e466690f7b0a250443f60a47ee696c1bf41
Instruction Fuzzy Hash: CF1130F1A047406BEB30DF65D906B1777ECAB04710F04856DE84AC7681EB75E9148B91

Function 00B0381A Relevance: 3.0, APIs: 2, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B03826
std::_Lockit::~_Lockit.LIBCPMT ref: 00B03881

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: f047a863667670e7a43433081ec10ea8a044065885f91183c7bdaec031674d98
Instruction ID: 6747521b90322069c39a0673bc1b1cf87b8944e5ce948e0833a65c75b5a75350
Opcode Fuzzy Hash: f047a863667670e7a43433081ec10ea8a044065885f91183c7bdaec031674d98
Instruction Fuzzy Hash: 3A014C35600218AFCF15DB55C899AA97BB9EF84750F1480E9E9019B3A1DF70EE41CB90

Function 00B4758C Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B475AD

Part of subcall function 00B43D62: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44C98,00001000,?,?,?,?,00B33988,?,?), ref: 00B43D94

HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,00B4AB6E,?,00000004,?,?,?,?,00B3EF44,?,?), ref: 00B475E9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 7201b4f669446ee50a3f90d9ee2a952a3aa6557d371103ea09c02a24af884038
Instruction ID: ee5cbb30e5c9d80d20bd2b3dd5182918a2d81947ed5fc48a30b5dc5a3cb8e43c
Opcode Fuzzy Hash: 7201b4f669446ee50a3f90d9ee2a952a3aa6557d371103ea09c02a24af884038
Instruction Fuzzy Hash: 6AF06831588215A9DB212A35AC04B6B37D9DFA1771B2541D5FC24AE1D0DF30DB00F5A0

Function 00B32C1D Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B71890,0000000C), ref: 00B32C30
ExitThread.KERNEL32 ref: 00B32C37

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: dc4d71f00ad0c6f89bebf011445ce47ba70c2d860d78f3c3a353df19a2c04b64
Instruction ID: d9dcfa0520dd4683803586216bccd27d36ea56d98c038e7470694402f45fa2c1
Opcode Fuzzy Hash: dc4d71f00ad0c6f89bebf011445ce47ba70c2d860d78f3c3a353df19a2c04b64
Instruction Fuzzy Hash: 7BF04971900605EFDB05AFB0C84AA6E7BF5EF44B11F2445C9F411972A2CF39AA41DBA1

Function 00B0C4EE Relevance: 3.0, APIs: 2, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0C4F5
_Getvals.LIBCPMT ref: 00B0C511

Part of subcall function 00B0506A: _Maklocstr.LIBCPMT ref: 00B0509B
Part of subcall function 00B0506A: std::_Locinfo::_Getmonths.LIBCPMT ref: 00B050AE
Part of subcall function 00B0506A: _Maklocstr.LIBCPMT ref: 00B050B4
Part of subcall function 00B0506A: _Maklocstr.LIBCPMT ref: 00B050C3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Maklocstr$GetmonthsGetvalsH_prolog3Locinfo::_std::_
String ID:
API String ID: 1641642162-0
Opcode ID: 9d251afe47c0f159e301c8d51501a321e131a648b09a26b93698661b727e3eb0
Instruction ID: daede1380a058cfdb8d1f56220034160e8809fdf70d7e2aa4ae2f3feb64b783a
Opcode Fuzzy Hash: 9d251afe47c0f159e301c8d51501a321e131a648b09a26b93698661b727e3eb0
Instruction Fuzzy Hash: 7BE0B6B1D047049FCB20EF74840165ABAF0EB04700B4089AAA959D7641EB749A808B95

Function 00B0C526 Relevance: 3.0, APIs: 2, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0C52D
_Getvals.LIBCPMT ref: 00B0C549

Part of subcall function 00B050D5: std::_Locinfo::_W_Getdays.LIBCPMT ref: 00B050F7
Part of subcall function 00B050D5: std::_Locinfo::_W_Getmonths.LIBCPMT ref: 00B05109

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Locinfo::_std::_$GetdaysGetmonthsGetvalsH_prolog3
String ID:
API String ID: 4209536323-0
Opcode ID: c82d906177539f12c1d4e66694239695b06e999bb089d7571f85dd19834892fa
Instruction ID: 4cad39207b122fdf78a2a65a5ce1cabaa9019caac79dbfd017fd65a605106000
Opcode Fuzzy Hash: c82d906177539f12c1d4e66694239695b06e999bb089d7571f85dd19834892fa
Instruction Fuzzy Hash: 57E0B6B1C047449FCB20EF74880165ABBF4EB04710B4089AEA959D7641EB749A808B95

Function 00B32297 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6b7497a364fad5000e47a193feec074443ef79d0f756799a80b162e1d9558b
Instruction ID: f0b394db3f117729abc648f9c4e8a2c44a67278f567e7182f335429df8fa8b00
Opcode Fuzzy Hash: ac6b7497a364fad5000e47a193feec074443ef79d0f756799a80b162e1d9558b
Instruction Fuzzy Hash: 7941C371A00108AFDB14DF58C881AA97BE2EF89364F3981E8F8499B351D775EE85CB50

Function 00B3D69C Relevance: 1.6, APIs: 1, Instructions: 141COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3D7D1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d8364c363c41fa5bea8e522bcd788f9e9f39ec81f2f3343cf35f9293f3fab714
Instruction ID: 95f7cc2e8b2d339ca5397156a4c920112b9605a606d416375e81b5a02e49a5a5
Opcode Fuzzy Hash: d8364c363c41fa5bea8e522bcd788f9e9f39ec81f2f3343cf35f9293f3fab714
Instruction Fuzzy Hash: EF411439A001059BCB28DF6CDC42ABEB7F9EF44310F2945ADE956D7684E630AE02CB40

Function 00AE49B0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__Stat.LIBCPMT ref: 00AE4AAF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Stat
String ID:
API String ID: 2156548127-0
Opcode ID: 98e7aec95da8399931398261572fe3f64efbb9861a982dbff4a960d1da592db5
Instruction ID: 097c3a4ebc722b20a90f04a8402bb474c1758901c6911958e6c46867260c1ad3
Opcode Fuzzy Hash: 98e7aec95da8399931398261572fe3f64efbb9861a982dbff4a960d1da592db5
Instruction Fuzzy Hash: D431F7312106008BD738DF29D94976A73E9EF84370F144A2DE59AC7AA0D734FD44C795

Function 00AFD710 Relevance: 1.6, APIs: 1, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00AFD756

Part of subcall function 00AFF856: GetCurrentThreadId.KERNEL32 ref: 00AFF862
Part of subcall function 00AFF856: __Mtx_unlock.LIBCPMT ref: 00AFF8A3
Part of subcall function 00AFF856: __Cnd_broadcast.LIBCPMT ref: 00AFF8AB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Cnd_broadcastConcurrency::cancel_current_taskCurrentMtx_unlockThread
String ID:
API String ID: 3922999975-0
Opcode ID: 2702d0bc4f0ff0f0dca92694fc677683b3235d46435e23b33544b19fb0616208
Instruction ID: 2f0503ec1f83e9ec2f90932a2269c7128ae915b9972dc74d614a28367dd3cca4
Opcode Fuzzy Hash: 2702d0bc4f0ff0f0dca92694fc677683b3235d46435e23b33544b19fb0616208
Instruction Fuzzy Hash: A2214932600618AFC312AF98DC44F7BB7EAEF85B20F044569FA588B350DB31B90087D1

Function 00AFD4A0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00AFD542

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 5ecf134e403cb82bf87c5cc898aac13b35a4918c43e9ced280454cda6c7e4526
Instruction ID: f791be47e36aced41b5d2f46c78d22942764d3ccf08a1c96a41476bd9a4fe71c
Opcode Fuzzy Hash: 5ecf134e403cb82bf87c5cc898aac13b35a4918c43e9ced280454cda6c7e4526
Instruction Fuzzy Hash: 8331DFB0D002499FDB21DBA4C845BBEBBF4EF08704F00416AF505A7241DB34AA44CBA1

Function 00AF6B70 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__Open_dir.LIBCPMT ref: 00AF6C29

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Open_dir
String ID:
API String ID: 3511170096-0
Opcode ID: fea6df299f5b283f4e4cd3782378557c1fdf52887caf654b07d4a14a45fa3004
Instruction ID: ee0965c2037b47ee33b3d2243590f4c9514f4eb6c61114c01c580b56ee9db061
Opcode Fuzzy Hash: fea6df299f5b283f4e4cd3782378557c1fdf52887caf654b07d4a14a45fa3004
Instruction Fuzzy Hash: D53181B1900258EFCB20DFA4C944BAABBF8FF08710F1005AEE54997650DB74AA44CF94

Function 00B44C26 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B44C9C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 091ec44c05ce80536416ee89aab3db63b26ec8efc9f083675cc41c3127c1ad0e
Instruction ID: 5de50de14a3845870eccf59d986da7ad56fa7751644cb452eed54574f7927bc2
Opcode Fuzzy Hash: 091ec44c05ce80536416ee89aab3db63b26ec8efc9f083675cc41c3127c1ad0e
Instruction Fuzzy Hash: 671127715067018FE7209F29E4C1B52B7E4EF14364F3444AEF59DCB282EB71EAA0AB54

Function 00B42E56 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30ab3bfd411561d07ec59cafac4ae5e13f193b9e9eb66d0a8c7475d2fdb4a4b
Instruction ID: 212fe58dfd209496f187ee8f7a7b9e99b60c46e2b82cbd55b906c6571936138c
Opcode Fuzzy Hash: a30ab3bfd411561d07ec59cafac4ae5e13f193b9e9eb66d0a8c7475d2fdb4a4b
Instruction Fuzzy Hash: 8301F133A50212AF9F2ACF69EC40A5A33D6EB857207644160FD08CB188DA30DA81B790

Function 00B43996 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B439D0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ee0849e55458ae1db11e0163db43b88a09ef80ff245c1e6adfbd6a3c56795fa4
Instruction ID: b0325d68de4f22144cd18f8a1a7ff16e48abb1d621ee62bf9051e1dfa55536ca
Opcode Fuzzy Hash: ee0849e55458ae1db11e0163db43b88a09ef80ff245c1e6adfbd6a3c56795fa4
Instruction Fuzzy Hash: E3111571A0420AAFCF05DF58E98199E7BF4EF48304F0440A9F809AB251D730EE11DB65

Function 00B32B22 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4ae782832f37e9802e3c93312cebe17f99e1259ccbbc0bd70a7f0de354550
Instruction ID: a7c49c4a06e75f0f016d6ff7b461f16418e1a5be738e1a9e3340001106ecd32c
Opcode Fuzzy Hash: a1a4ae782832f37e9802e3c93312cebe17f99e1259ccbbc0bd70a7f0de354550
Instruction Fuzzy Hash: 5AF028369016106ACA353F398C06B9AB7D8CF81330F340795F824931D1EB70EA029695

Function 00B3F668 Relevance: 1.5, APIs: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B42B22: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B41CCF,00000001,00000364,00000005,000000FF,?,?,00B36778,00B42BA5,?,?,00B3F09C), ref: 00B42B63

_free.LIBCMT ref: 00B3F688

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 1b6ba648c2738b4144a8c7aa8d8d94d7e15070feae0236920e53bf15a5476207
Instruction ID: e102af247042060ff0f3d35ec4088225e3fe1bd54f8e1b5e2f191cf126a4a6a7
Opcode Fuzzy Hash: 1b6ba648c2738b4144a8c7aa8d8d94d7e15070feae0236920e53bf15a5476207
Instruction Fuzzy Hash: EE011AB6D00219AFCB10DFA9C841BDEBBF8FB48710F104566E914E7240E774AA45CBD0

Function 00AFB490 Relevance: 1.5, APIs: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00AFB4E0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5f0a94cc3ffd75a9a1bb21bb50790a892fe623813425291572cd920b9eb00d66
Instruction ID: 2d56dda3d1f86e3993e301a97c929e65dcd1f1264d3a750baa5cfb97ea2da2b0
Opcode Fuzzy Hash: 5f0a94cc3ffd75a9a1bb21bb50790a892fe623813425291572cd920b9eb00d66
Instruction Fuzzy Hash: 63F027B211020C06D714A7B0EB0797EB2E84E203A57144175F629C7693EB25E890C138

Function 00B42B22 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B41CCF,00000001,00000364,00000005,000000FF,?,?,00B36778,00B42BA5,?,?,00B3F09C), ref: 00B42B63

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9dd9de43f7b254d4e06cc96b600793631b75f8a2400e8e02cca1ea0e49597757
Instruction ID: 633a8482e3a2198ff8a4eff71e061c667a6bbad657d835cc9b93bc5dc0130633
Opcode Fuzzy Hash: 9dd9de43f7b254d4e06cc96b600793631b75f8a2400e8e02cca1ea0e49597757
Instruction Fuzzy Hash: 47F0BE31A05224A69B226F2A9C41B5B3BD8EF80770F6480D1FC09AB194CF70DA00BAA5

Function 00B4746C Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B43D62: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44C98,00001000,?,?,?,?,00B33988,?,?), ref: 00B43D94

_free.LIBCMT ref: 00B4748C

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 1067f01909f0d0fc446b7462217ae7b040926dcb854104151382752c12055a6f
Instruction ID: 75b33a087b232797830c5de3390eda3638d0a503d8678e53016ebbd2e31cbd94
Opcode Fuzzy Hash: 1067f01909f0d0fc446b7462217ae7b040926dcb854104151382752c12055a6f
Instruction Fuzzy Hash: EDF06D725057009FD3249F49D801B62F7E8EF80B21F10846FE29A9BAA1DBB4A9459B94

Function 00B43D62 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44C98,00001000,?,?,?,?,00B33988,?,?), ref: 00B43D94

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e3143aa4b94896463e4af339f2fe0bddff1860139e8d825acb44935b335a6ff6
Instruction ID: 2eade96b28c82c2689f32b8bbc9cf566602d8ee0dda9896c6e3463b38d669676
Opcode Fuzzy Hash: e3143aa4b94896463e4af339f2fe0bddff1860139e8d825acb44935b335a6ff6
Instruction Fuzzy Hash: 3CE03931A04225AA9B6136659D00B6A3AD8DF41BA0F6901B5AC29961E1DF60EF00A5A8

Function 00AE4A80 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__Stat.LIBCPMT ref: 00AE4AAF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Stat
String ID:
API String ID: 2156548127-0
Opcode ID: 08df4ac2c120ff3fb98908b625a32808eacb36180e331dfa2db5a5e08c8f517f
Instruction ID: 4f8ab178175fa35782ac05b399ec5c54538efd816945396a29d6bfe9d331ca2b
Opcode Fuzzy Hash: 08df4ac2c120ff3fb98908b625a32808eacb36180e331dfa2db5a5e08c8f517f
Instruction Fuzzy Hash: AFE09B3142531D5B8A30FFB4EA4346E73E89E45720F040E6EFC5587251DE20AA5497E7

Function 00AE4AD0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__Stat.LIBCPMT ref: 00AE4AFF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Stat
String ID:
API String ID: 2156548127-0
Opcode ID: 5222a42df4a2e27f22ac8f1549a2a7e1b8e579be97e1ccd65092beaa9240ee14
Instruction ID: 17ad1c2dcda7d226902d52981c50613c8c927a882e261eea6808675f6f5936a3
Opcode Fuzzy Hash: 5222a42df4a2e27f22ac8f1549a2a7e1b8e579be97e1ccd65092beaa9240ee14
Instruction Fuzzy Hash: 02E09B3142521D5B8A20FFB8EA4346E73E8AE45720F040A6EFD5487251DE20AA5497E7

Function 00AE3430 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__Getctype.LIBCPMT ref: 00AE3449

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Getctype
String ID:
API String ID: 2085600672-0
Opcode ID: ffa70d92a053117bcbea51e9479aec797b130fc71bddf51f33f96df9d36b9c73
Instruction ID: bb26cb834931d487db46e8a03d7527da1fd114afe8ea07b92ee8feb20e1ef0ea
Opcode Fuzzy Hash: ffa70d92a053117bcbea51e9479aec797b130fc71bddf51f33f96df9d36b9c73
Instruction Fuzzy Hash: 7AE08CB2C046188B8310EF5C98014A6B3ECAA1C700B0082ABEC9A97211FA70B69887E1

Function 00B4E56B Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B4E8CD,?,?,00000000,?,00B4E8CD,00000000,0000000C), ref: 00B4E588

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a92342fbcd59bd4fe3dbb547256cef83e3ec0ce9f00279b7204fd8ccec90bba
Instruction ID: 89ceec3587ab546fc67a94da47b464298f1b1553ab4cd484aa0bb724da54d9a0
Opcode Fuzzy Hash: 9a92342fbcd59bd4fe3dbb547256cef83e3ec0ce9f00279b7204fd8ccec90bba
Instruction Fuzzy Hash: A7D06C3200020DFBDF028F84DC06EDA3BAAFB48714F018040BA1856060C732E821AB91

Function 00B36849 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3685C

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: da67c7ba373e7fc3130bdca8f7a283d8aa79e6c792f6d21d865955370dc1b554
Instruction ID: d4c0994fb9b8a9131431a2394644e660aa20bf53a25ee967e97f16e191577406
Opcode Fuzzy Hash: da67c7ba373e7fc3130bdca8f7a283d8aa79e6c792f6d21d865955370dc1b554
Instruction Fuzzy Hash: EDC04C71500208BBDB059F45D906E4E7BA9DB80364F604094F85557251DAB1EF44A694

Function 00AFF7EE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00AFF7F8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d8712aeb802d057d314bf32acf46608cacdce7818d1acda435e651b8dcff0ff9
Instruction ID: a8d153923e5a0e55187a7d9e61ad36abd17704858bf6af91dd88f35509ae4ab4
Opcode Fuzzy Hash: d8712aeb802d057d314bf32acf46608cacdce7818d1acda435e651b8dcff0ff9
Instruction Fuzzy Hash: D6C09B7490421DDBCF04E7E5D94988EB7FCAA08105B440451D911E3140E771F94587E1

Non-executed Functions

Function 00B040C9 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B040CF
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B040DD
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B040EE
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B040FF
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B04110
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B04121
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00B04132
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B04143
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00B04154
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B04165
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B04176
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B04187
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B04198
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B041A9
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B041BA
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B041CB
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B041DC
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00B041ED
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00B041FE
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00B0420F
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00B04220
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00B04231
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00B04242
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00B04253
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00B04264
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B04275
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B04286
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00B04297
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B042A8
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B042B9
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00B042CA
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B042DB
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00B042EC
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B042FD
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00B0430E
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00B0431F
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00B04330
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00B04341
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00B04352
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00B04363
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00B04374

Strings

CreateThreadpoolWait, xrefs: 00B041AF
FlsGetValue, xrefs: 00B040F4
CreateThreadpoolTimer, xrefs: 00B0416B
FlsSetValue, xrefs: 00B04105
CreateSemaphoreW, xrefs: 00B04149
AcquireSRWLockExclusive, xrefs: 00B042D0
CreateEventExW, xrefs: 00B04138
CompareStringEx, xrefs: 00B04347
CreateThreadpoolWork, xrefs: 00B04314
TryAcquireSRWLockExclusive, xrefs: 00B042E1
GetTickCount64, xrefs: 00B04237
InitializeConditionVariable, xrefs: 00B0427B
ReleaseSRWLockExclusive, xrefs: 00B042F2
InitializeSRWLock, xrefs: 00B042BF
FlsFree, xrefs: 00B040E3
FreeLibraryWhenCallbackReturns, xrefs: 00B041F3
FlsAlloc, xrefs: 00B040D7
SetThreadpoolWait, xrefs: 00B041C0
CreateSymbolicLinkW, xrefs: 00B0421A
CloseThreadpoolWait, xrefs: 00B041D1
GetFileInformationByHandleEx, xrefs: 00B04248
CloseThreadpoolTimer, xrefs: 00B0419E
SleepConditionVariableCS, xrefs: 00B042AE
GetCurrentProcessorNumber, xrefs: 00B04204
InitOnceExecuteOnce, xrefs: 00B04127
GetSystemTimePreciseAsFileTime, xrefs: 00B0426A
WakeAllConditionVariable, xrefs: 00B0429D
GetLocaleInfoEx, xrefs: 00B04358
SetThreadpoolTimer, xrefs: 00B0417C
WakeConditionVariable, xrefs: 00B0428C
SetFileInformationByHandle, xrefs: 00B04259
InitializeCriticalSectionEx, xrefs: 00B04116
CloseThreadpoolWork, xrefs: 00B04336
WaitForThreadpoolTimerCallbacks, xrefs: 00B0418D
SleepConditionVariableSRW, xrefs: 00B04303
GetCurrentPackageId, xrefs: 00B04226
SubmitThreadpoolWork, xrefs: 00B04325
FlushProcessWriteBuffers, xrefs: 00B041E2
LCMapStringEx, xrefs: 00B04369
kernel32.dll, xrefs: 00B040CA
CreateSemaphoreExW, xrefs: 00B0415A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 5555ffd433977e66ed0764a296ad90b5846447060cedeb5d1fd4f51b3e0881da
Instruction ID: 421f0a8ab93a581e1b9f2623124b1f6d1cfcf8e0124bc13e54d7e7d8dd938dc9
Opcode Fuzzy Hash: 5555ffd433977e66ed0764a296ad90b5846447060cedeb5d1fd4f51b3e0881da
Instruction Fuzzy Hash: A7610B71952B22FBCB406FB4AC0EA463FE8EA1A70730086D6B505F3171EFB844499F55

Function 00AE1640 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

BCryptGetProperty.BCRYPT(?,ObjectLength,?,00000004,?,00000000), ref: 00AE1684
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE16A8
HeapFree.KERNEL32(00000000), ref: 00AE16AB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE16B2
HeapAlloc.KERNEL32(00000000), ref: 00AE16B5
BCryptGetProperty.BCRYPT(?,BlockLength,00000000,00000004,00000000,00000000), ref: 00AE16E8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE1700
HeapFree.KERNEL32(00000000), ref: 00AE1703
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE170A
HeapAlloc.KERNEL32(00000000), ref: 00AE170D
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE1739
HeapFree.KERNEL32(00000000), ref: 00AE173C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE1743
HeapAlloc.KERNEL32(00000000), ref: 00AE1746
BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeCBC,00000020,00000000), ref: 00AE177B
BCryptGenerateSymmetricKey.BCRYPT(?,00000000,00000000,00000000,?,00000020,00000000), ref: 00AE1798

Strings

ObjectLength, xrefs: 00AE1675
BlockLength, xrefs: 00AE16E0
ChainingModeCBC, xrefs: 00AE176E
ChainingMode, xrefs: 00AE1773

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Heap$Process$Crypt$AllocFreeProperty$GenerateSymmetric
String ID: BlockLength$ChainingMode$ChainingModeCBC$ObjectLength
API String ID: 570536696-2130194543
Opcode ID: 083d4d45c92da58558a1ffa1a79ae4b4406b7f575c8d11725cac4fd584da9d5c
Instruction ID: cf468034531b945640190848a8e09e35f34f429572f681ea8842159594fc3c8a
Opcode Fuzzy Hash: 083d4d45c92da58558a1ffa1a79ae4b4406b7f575c8d11725cac4fd584da9d5c
Instruction Fuzzy Hash: C0414B70A40319BBEB20AFA1DC45FAFBBF8EB44B05F044499F915E7190EB71D9049B60

Function 00B1B2AE Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00B1B3B1
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00B1B3FD

Part of subcall function 00B1CAE5: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00B1CBD8

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00B1B469
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00B1B485
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00B1B4D9
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00B1B506
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00B1B55C

Strings

(, xrefs: 00B1B3BD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: b8af9174e55672a7e92758bdc843b53c0f3d52dedccc177ddac57f26bd072b69
Instruction ID: 7a39f4b77b18a45e3f1a8e199c488f8be5ac0f4b1140d5d1b389004839494e79
Opcode Fuzzy Hash: b8af9174e55672a7e92758bdc843b53c0f3d52dedccc177ddac57f26bd072b69
Instruction Fuzzy Hash: D0B16AB1A00611AFDB18CF68D991ABABBF5FF44300F5481AEE8459B355D730ED80CB91

Function 00AE15A0 Relevance: 13.6, APIs: 9, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE15B4
BCryptDestroyKey.BCRYPT(?,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE15C8
HeapFree.KERNEL32(00000000,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE15DC
HeapFree.KERNEL32(00000000,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE15F4
GetProcessHeap.KERNEL32(00000000,?,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE1604
HeapFree.KERNEL32(00000000,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE160B
BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE161B
BCryptDestroyKey.BCRYPT(?,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE1629
BCryptDestroyKey.BCRYPT(?,?,?,00AE4D9B,B5607032,?,?,?,?,00B52BE0,000000FF), ref: 00AE1633

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Crypt$Heap$DestroyFree$AlgorithmCloseProvider$Process
String ID:
API String ID: 581851313-0
Opcode ID: 3f91352d202a60b025c45219dff73f129ebec24e6f27a9c81770fa32197467bd
Instruction ID: 9adfd045f4de39f2212413b30ac794b1ba9becd2f38d199a307b44ee5d7e5ad3
Opcode Fuzzy Hash: 3f91352d202a60b025c45219dff73f129ebec24e6f27a9c81770fa32197467bd
Instruction Fuzzy Hash: EF11A874701351ABEB649F76DC48F26B3ECEF88702F084959BD5AD3690DF74E8008A20

Function 00B4C85E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

GetACP.KERNEL32(?,?,?,?,?,?,00B3FCA8,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B4C91F
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00B3FCA8,?,?,?,00000055,?,-00000050,?,?), ref: 00B4C94A
_wcschr.LIBVCRUNTIME ref: 00B4C9DE
_wcschr.LIBVCRUNTIME ref: 00B4C9EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00B4CAAD

Strings

utf8, xrefs: 00B4CA1C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: e2e26fad6cb57711fe4c12d4691961659f926dc5837bb798cae1a510395c749a
Instruction ID: 2d498d8760e892483fceeb88e37444f97531e353abd42c2edf67de3309241f07
Opcode Fuzzy Hash: e2e26fad6cb57711fe4c12d4691961659f926dc5837bb798cae1a510395c749a
Instruction Fuzzy Hash: 4971F77160120AAADB65EB39CC46BB77BE8EF48B40F1444E9F905E7181FB70DB40A660

Function 00B4EE6A Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B4EFE5

Strings

1#IND, xrefs: 00B50175
1#SNAN, xrefs: 00B5017C
1#INF, xrefs: 00B501A0
1#QNAN, xrefs: 00B50183

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 44d73685c149e7c47c121df03754e2423a122f9d9b32cff44c6ac128ae4918ce
Instruction ID: a7f3d9f2e5d8b7167c6f58788f5799394132986960bd6d29b9ca2258a1c5a76a
Opcode Fuzzy Hash: 44d73685c149e7c47c121df03754e2423a122f9d9b32cff44c6ac128ae4918ce
Instruction Fuzzy Hash: A7C23771E046298FDB25CE28DD807EAB3F5EB48305F1441EAD84EE7241E778AE859F41

Function 00B29520 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B29559

Part of subcall function 00B233F8: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00B23419

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00B295BE
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 00B295D6
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 00B29611

Part of subcall function 00B2907E: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00B290A9
Part of subcall function 00B2907E: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00B29146
Part of subcall function 00B2907E: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00B29150

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveBindCommitPointsReclaimResolveSafeThrowTokenTraceTrigger
String ID:
API String ID: 4167633089-0
Opcode ID: b6f0f4273a56aa6bdf91774b310746ead01f763dd5a072a1437018db86cbb5bf
Instruction ID: be8baea5b324d3677f286338883d400d46e4222e6383ca247ff33c0cbb76722e
Opcode Fuzzy Hash: b6f0f4273a56aa6bdf91774b310746ead01f763dd5a072a1437018db86cbb5bf
Instruction Fuzzy Hash: 6D419231A00225EBCF15EF64D995FAEB7F5EF44310F1400E8A90A7B296CB75AE05CB90

Function 00B4CFEA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00B4D308,00000002,00000000,?,?,?,00B4D308,?,00000000), ref: 00B4D083
GetLocaleInfoW.KERNEL32(?,20001004,00B4D308,00000002,00000000,?,?,?,00B4D308,?,00000000), ref: 00B4D0AC
GetACP.KERNEL32(?,?,00B4D308,?,00000000), ref: 00B4D0C1

Strings

ACP, xrefs: 00B4D008
OCP, xrefs: 00B4D03E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5938ab8f32185369cb14de26c3c8f3469df25f438ee2a26d537a96e2bb69b361
Instruction ID: 168909dee9438b21c5f2f5c19f1cff9bc02e5c7b790b45b4cc6e6defee78e5f6
Opcode Fuzzy Hash: 5938ab8f32185369cb14de26c3c8f3469df25f438ee2a26d537a96e2bb69b361
Instruction Fuzzy Hash: 87218022600201A6EB348F68C964BA773F7EB54F64F5684E4E90AD7314EB32DF42E350

Function 00B4D1BF Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

Part of subcall function 00B41B2D: _free.LIBCMT ref: 00B41B8F
Part of subcall function 00B41B2D: _free.LIBCMT ref: 00B41BC5

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00B4D2CB
IsValidCodePage.KERNEL32(00000000), ref: 00B4D314
IsValidLocale.KERNEL32(?,00000001), ref: 00B4D323
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B4D36B
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B4D38A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 6d17639a72f8fca19196658a3957a9c2cdaa2a2186c44e86f368eac4f1c33dff
Instruction ID: bc39687d9e001e34ad27870776707c2c30de74870399f82dcfe0ee374a97d6cf
Opcode Fuzzy Hash: 6d17639a72f8fca19196658a3957a9c2cdaa2a2186c44e86f368eac4f1c33dff
Instruction Fuzzy Hash: 7C515171A00219AFDB10DFA9CC85BAE77F8EF44700F1804A9E911E7190EBB0DB44EB61

Function 00B493F2 Relevance: 6.3, APIs: 4, Instructions: 281timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B49427
_free.LIBCMT ref: 00B4944B
_free.LIBCMT ref: 00B495D8
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B61720), ref: 00B495EA

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 8b4a2917e246717a88588f1578c1d70a13552296490a261d7eb7219813320ee8
Instruction ID: 467423b2032485cb1a02a84543dfb53dd1de148e419cd795005628d1c618879a
Opcode Fuzzy Hash: 8b4a2917e246717a88588f1578c1d70a13552296490a261d7eb7219813320ee8
Instruction Fuzzy Hash: D2912571A042059FDB25AF68D8526BB7BF9EF16310F2844E9E484D7291EB318F42FB50

Function 00AE4B20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE4D01

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AE4B8C
-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3, xrefs: 00AE4CE8, 00AE4D0E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3$.
API String ID: 2296764815-205044689
Opcode ID: f86a5bf09275a6ea9703d1fd1ea5779db7fab582b8abd3c31ad16fca71592f81
Instruction ID: 6d254fa2d5db4f34807cdc7107a8b0786cdc1822733bc6162ec8b5e6d064d720
Opcode Fuzzy Hash: f86a5bf09275a6ea9703d1fd1ea5779db7fab582b8abd3c31ad16fca71592f81
Instruction Fuzzy Hash: 35518611C14BD982E7529B68AD812F8E3B4BFB9319F15A395DD8832072FFB427D9C600

Function 00B4CC71 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

Part of subcall function 00B41B2D: _free.LIBCMT ref: 00B41B8F
Part of subcall function 00B41B2D: _free.LIBCMT ref: 00B41BC5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B4CCC5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B4CD0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B4CDD5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 90206fd2461152d140a090ae2fc66ebc56924f017bb0da1c20e3c7cf95c6c10f
Instruction ID: 83a28b4d97da6331817e97e1346816b9091edd63ba1954fcdbd453cebfca42d5
Opcode Fuzzy Hash: 90206fd2461152d140a090ae2fc66ebc56924f017bb0da1c20e3c7cf95c6c10f
Instruction Fuzzy Hash: 7B61A4719412179FDB649F28CC82BBA7BE8EF04B00F1041F9ED19D6585EB35EA81EB50

Function 00AE17D0 Relevance: 4.6, APIs: 3, Instructions: 86COMMON

Download Yara Rule

APIs

BCryptEncrypt.BCRYPT(?,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00AE1816
BCryptEncrypt.BCRYPT(00000000,?,?,00000000,?,00000000,00000000,00000000,?,00000001), ref: 00AE1852
BCryptEncrypt.BCRYPT(00000000,?,?,00000000,?,00000000,?,00000000,00000000,00000001), ref: 00AE1877

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CryptEncrypt
String ID:
API String ID: 1352496322-0
Opcode ID: 4a36f27a29f5af78d9e5c0cf85902ad0a9da20e16233f3675dc2781166cf5422
Instruction ID: dd09928931828eb40dc6e4b9c5b3db77714565bbc26b3a04f89394f1f970b4e3
Opcode Fuzzy Hash: 4a36f27a29f5af78d9e5c0cf85902ad0a9da20e16233f3675dc2781166cf5422
Instruction Fuzzy Hash: 21210A75A40208BFDB20CF95DC41FAEBBB8EB48710F104199FA15A7250D771AA54DBA0

Function 00B31F6E Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B32066
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B32070
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B3207D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b4128d60cbbb384c4f5d308b0473eedf3a7beedd371b3bb73b3fb2b0eb6ebcf6
Instruction ID: 2ed47e9a6a979a7cc279f449fd25d8865ac227b14bda1bfb1fcb5194b2cde84d
Opcode Fuzzy Hash: b4128d60cbbb384c4f5d308b0473eedf3a7beedd371b3bb73b3fb2b0eb6ebcf6
Instruction Fuzzy Hash: 1E319374941229ABCB21DF64DD897CDBBF8BF08350F6041EAE41CA7250EB709B858F44

Function 00B3E735 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00B3E734,?,?,?,?), ref: 00B3E757
TerminateProcess.KERNEL32(00000000,?,00B3E734,?,?,?,?), ref: 00B3E75E
ExitProcess.KERNEL32 ref: 00B3E770

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d957d9e7fbc8e61e0e70b306e6dafb81ca3b353de4e003536c3b250cca29f6df
Instruction ID: 7f32a07020d0b47bbcf3cef31d644892fe448b81522b64f291126420568dd722
Opcode Fuzzy Hash: d957d9e7fbc8e61e0e70b306e6dafb81ca3b353de4e003536c3b250cca29f6df
Instruction Fuzzy Hash: D9E04631000648FBCF126FA4CD4CA583BA8FB00742F100495F82496271DF35DD41CA41

Function 00B3B000 Relevance: 3.4, APIs: 2, Instructions: 450COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b5821bdd297cae2537986498195a08dba67318056b1e695f11af01e9b0293d
Instruction ID: 13c8ecd597e4d7afa144d6f8436c3f156c892a8386801b3482acb715a3d96052
Opcode Fuzzy Hash: b0b5821bdd297cae2537986498195a08dba67318056b1e695f11af01e9b0293d
Instruction Fuzzy Hash: 33F12D71E012199FDF14CFA8C890AAEBBF1FF48314F2582A9D919AB345D731AD41CB94

Function 00B4623F Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B4623A,?,?,00000008,?,?,00B50E49,00000000), ref: 00B4646C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 14e449deef8e7f4ff9de726d67a27bd12a83b2a019d77473b0353bf07f9019f0
Instruction ID: e784e0e4e497dc2ee4594946ca3abf0da8a73ce420cc98488ec41ed7f4239e60
Opcode Fuzzy Hash: 14e449deef8e7f4ff9de726d67a27bd12a83b2a019d77473b0353bf07f9019f0
Instruction Fuzzy Hash: B9B14D31610608DFDB14CF2CC486B657BE0FF46364F258698E89ACF2A1C735EA91DB41

Function 00B18288 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B1829E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8ffc6ff13e9731531e07c82736ae2e651d5429e5b708714c0c599b83aaa9d124
Instruction ID: b0d71abbbd0b51d542ad89dde83ecfe51b15f9ab82813be37423414542a0288b
Opcode Fuzzy Hash: 8ffc6ff13e9731531e07c82736ae2e651d5429e5b708714c0c599b83aaa9d124
Instruction Fuzzy Hash: DC51ADB19126158BDB18CF58E8C17AEBBF0FB48754F6488AAD819EB350DB349D80CB50

Function 00B49AEC Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb3b0903a281c6761678589a5602ac837e9a68d4698197e931212947f0b5556
Instruction ID: 3123410e212a51ec89e4e902221e56d06fbd93b1ce1bf1a8f0a0fc25e1aaa328
Opcode Fuzzy Hash: 6cb3b0903a281c6761678589a5602ac837e9a68d4698197e931212947f0b5556
Instruction Fuzzy Hash: 3A41AFB5C04218AEDF24DF69CC89AAABBF8EF45300F1442D9E45DE3211DA349E859F60

Function 00B4CEC4 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

Part of subcall function 00B41B2D: _free.LIBCMT ref: 00B41B8F
Part of subcall function 00B41B2D: _free.LIBCMT ref: 00B41BC5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B4CF18

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 4472eac1a6c20449805be960e7624e4ba99b1ca8dca2076e574a4b7d7e76cf08
Instruction ID: b7e386f9c403e8499a8caa35bea57cedb987902558e8596ea1af72090b0bccf5
Opcode Fuzzy Hash: 4472eac1a6c20449805be960e7624e4ba99b1ca8dca2076e574a4b7d7e76cf08
Instruction Fuzzy Hash: 8F21B671616216ABDB189B24DC41E7A77E9EF05B10F1000FAFD01D6141EB38EF49AB50

Function 00B4CB4B Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

EnumSystemLocalesW.KERNEL32(00B4CC71,00000001,00000000,?,-00000050,?,00B4D29F,00000000,?,?,?,00000055,?), ref: 00B4CBBD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d309a4531f6336846ab7085f4a5738b65514e8e7e4c367ec79cbbfd6442e3c69
Instruction ID: 484c4bc8219d530dd6533c8a1a843a3343935dd549d07d3a94c97cc3067604ee
Opcode Fuzzy Hash: d309a4531f6336846ab7085f4a5738b65514e8e7e4c367ec79cbbfd6442e3c69
Instruction Fuzzy Hash: 7211293A2003059FDB189F38D89267ABBD1FF84768B14446DE94787B40D771AA42D740

Function 00B4D0F0 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B4CE8D,00000000,00000000,?), ref: 00B4D11C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d129c4350d0f0e90bc6aed5e51ccbe25f54c30926abd1b1be2987b605dbf7be8
Instruction ID: 8e0e722972e473155bea0b5efc353f5bd981b7b645798631d5dfc82b152affa3
Opcode Fuzzy Hash: d129c4350d0f0e90bc6aed5e51ccbe25f54c30926abd1b1be2987b605dbf7be8
Instruction Fuzzy Hash: 08F02D32900116BBDF285B24CC55BBA77E4DB40754F1444A4EC06B3280EA78FF41D5D0

Function 00B4CBE6 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

EnumSystemLocalesW.KERNEL32(00B4CEC4,00000001,00000000,?,-00000050,?,00B4D263,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00B4CC30

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 25e5b38569aeaae930c56395bb7b0f363ed62a3581c753327c67857ea7a1750a
Instruction ID: 95ea46b7a9c3fc13a7739fbf2b83323d9af94025494c996d2d6b6f92c23ff95a
Opcode Fuzzy Hash: 25e5b38569aeaae930c56395bb7b0f363ed62a3581c753327c67857ea7a1750a
Instruction Fuzzy Hash: 82F04C322003045FCB145F39DCC167A7FD0EF80768B0584ACF90547681C6715D02D650

Function 00B42BC6 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3727D: EnterCriticalSection.KERNEL32(?,?,00B46E92,?,00B71D90,0000000C), ref: 00B3728C

EnumSystemLocalesW.KERNEL32(00B42BB9,00000001,00B71CB0,0000000C,00B43024,00000000), ref: 00B42BFE

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 6492822927bce1804ef5d503b24c7984bb1ac2e393713424ab4d325c3d1d6e72
Instruction ID: 56726384936a727901c60581be51b4fac028c25bf02ab3b2becea4f758edf375
Opcode Fuzzy Hash: 6492822927bce1804ef5d503b24c7984bb1ac2e393713424ab4d325c3d1d6e72
Instruction Fuzzy Hash: 4EF04F76A40214DFDB10DF98E842B9D77F0EB08721F2085AAF424EB2E1DB755A809F50

Function 00B4CB00 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

EnumSystemLocalesW.KERNEL32(00B4CA59,00000001,00000000,?,?,00B4D2C1,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B4CB37

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8d35af9504b2c08802c3fc1ce73a9304d97ed2e99e88c677248c1aa98137ec0f
Instruction ID: 940bb71963751dca9515531347b4024abd13fa7e7c7c96fbb551fda960e7afc3
Opcode Fuzzy Hash: 8d35af9504b2c08802c3fc1ce73a9304d97ed2e99e88c677248c1aa98137ec0f
Instruction Fuzzy Hash: 90F0EC35700209D7CB049F79D845766BFD4EFC1B64B064099EE158B691C6719D43D750

Function 00B4317F Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B40825,?,20001004,00000000,00000002,?,?,00B3FE10), ref: 00B431B3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 951dda22d16c7694686c9cf8e967bbccf96dc70ff52d4f2a90743574db83a967
Instruction ID: 0668f1a55c18ac0df032e3250e067d5bb98be70dbba1d1fca54c9085b33cd42c
Opcode Fuzzy Hash: 951dda22d16c7694686c9cf8e967bbccf96dc70ff52d4f2a90743574db83a967
Instruction Fuzzy Hash: 09E04F35540228FBCF122F60DC09EDE3EA9EF44B62F044090FD0566161CF368B61BAD4

Function 00B044BE Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtFlushProcessWriteBuffers.NTDLL ref: 00B044D1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 2e5077f3299e75c55dd86c6e8e80cf482d0399e35d5783a3e62d17b03fc7f299
Instruction ID: 7adfa62dea2463bbf76d1502e4df985d7eda1a78b293e1a9d43e502884b3feab
Opcode Fuzzy Hash: 2e5077f3299e75c55dd86c6e8e80cf482d0399e35d5783a3e62d17b03fc7f299
Instruction Fuzzy Hash: D5B09232E0A9348789912B14BC0439E7B98AA40B1230601D6D901AB668CF545C828BC1

Function 00B181BC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000381C8,00B17A6B), ref: 00B181C1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9e7065d8981f2ef6a91556190a635532fba83687d6029451d23bd749f6e3f78e
Instruction ID: 88c07a8a11af513d6e597993b15106f1b75d39716616ee6f58d3413f79f22dab
Opcode Fuzzy Hash: 9e7065d8981f2ef6a91556190a635532fba83687d6029451d23bd749f6e3f78e
Instruction Fuzzy Hash:

Function 00B34BE9 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 00B34D81

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 82c92b6ec29c0ec306f3fdf751ad8871cb4beecfa41230c656a6766f6e2c6b9e
Instruction ID: d59e9f1c21d66bb00b20438ae1d49c5339aaa6939acb0826020a8e3444fe7619
Opcode Fuzzy Hash: 82c92b6ec29c0ec306f3fdf751ad8871cb4beecfa41230c656a6766f6e2c6b9e
Instruction Fuzzy Hash: 3E618970740A086ADB3C9E288891BBEB3E5EF51700FF418EEE442DB390DB65BE458745

Function 00B34785 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00B34901

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: aa2fa68d09fcc502e2888f21537d076114a6f17d0793a5864a7e6d9fd0f38288
Instruction ID: 5cb68fad111b85b4d4ccfb77cfc272ee6f9401bcce80b151322342cf7bdd6d3b
Opcode Fuzzy Hash: aa2fa68d09fcc502e2888f21537d076114a6f17d0793a5864a7e6d9fd0f38288
Instruction Fuzzy Hash: 24510670604688AADB388A6C89D67BFB7DAEB03304F3405DDD482D7682D762FD49C752

Function 00B349B7 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00B34B33

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5bc45ad36b3539a26abff5b513fb9fb3055d52183e3f84cbcfd8c26eaeaf56ae
Instruction ID: 9543986e6afb433f58925278cf197e95d89cb4964e8e51bd65a720a6b6d9362e
Opcode Fuzzy Hash: 5bc45ad36b3539a26abff5b513fb9fb3055d52183e3f84cbcfd8c26eaeaf56ae
Instruction Fuzzy Hash: 5B51497028878856DB388AAC89D67BEB7D9EB42300F3405DED443D7281E765FD49C719

Function 00B58521 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

-----BEGIN PUBLIC KEY-----, xrefs: 00B5852D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: -----BEGIN PUBLIC KEY-----
API String ID: 0-1076190141
Opcode ID: 84563a2e2c4c499124c3a70b9e970b46cfc4905c20cd3bb54011dcd5e223e620
Instruction ID: bd5180fd4e27e5b7df880361a8b3c28741f109873533c71342b440df4c3be102
Opcode Fuzzy Hash: 84563a2e2c4c499124c3a70b9e970b46cfc4905c20cd3bb54011dcd5e223e620
Instruction Fuzzy Hash: A2C0025590EBC1CEE7028750ED206E52F2197B7204F0A6296918486362992405C48359

Function 00B584E0 Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

-----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----, xrefs: 00B584E4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: -----BEGIN RSA PUBLIC KEY-----%s-----END RSA PUBLIC KEY-----
API String ID: 0-1095318868
Opcode ID: aededca9ad67387af2c8129ad1d4ee63a2027c9a2af8c65378ab806adab5ce0e
Instruction ID: 860a7bf838511a147b10b1f03f48cfb5d41a008061c02dc4a5be4f282f789b6a
Opcode Fuzzy Hash: aededca9ad67387af2c8129ad1d4ee63a2027c9a2af8c65378ab806adab5ce0e
Instruction Fuzzy Hash: C5A00259FD031621F42761653C07F3831845760FC8FD555F0BE2C391DBA4C55318905B

Function 00B56540 Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3, xrefs: 00B56547

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0+v98CV504tIa3I5fs/gSa74MMKsll5pvf/RamQUtmkDG1RqIlbEIPB+/cE0P2Mh44DdKa5jGpJsPdCC1gjaXDQ1YsEu14Z2uqo0yCRr3145JT+EaQU/gAHzsnX+l6vn1wsikcbk7PaBq+Bo5nmaxk3zNwJVmETt7j2Gj279zZh9VvaUKjwoZ1q1i3
API String ID: 0-2078637782
Opcode ID: 9eaff0fa6399e9d045e1a216d3e05ad21decb6b0c6e3d65de7825cef2ab2475d
Instruction ID: 570fd00faa6a8a4eda450b1e1506b0a9ece8ea8f0c769fd4e49389ccb94461cd
Opcode Fuzzy Hash: 9eaff0fa6399e9d045e1a216d3e05ad21decb6b0c6e3d65de7825cef2ab2475d
Instruction Fuzzy Hash: 0FA0026DFE231521F49371557C23F5421801B90FC8FD455E07A28281E2A4C9931C9267

Function 00B47AD9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcb404c5df9c4942a682a2dd58eaac5a0187c8ccd97667ad1147597b9d05052
Instruction ID: b55ce6d1413e95077e9d013c7761201f3be6e853d50009994b25a3b7a425f403
Opcode Fuzzy Hash: 5bcb404c5df9c4942a682a2dd58eaac5a0187c8ccd97667ad1147597b9d05052
Instruction Fuzzy Hash: EF321631D29F414DD7239638DC62339A288AFB73C4F15D727E81AF6AA5EF69C5835100

Function 00B4C30F Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 9aa9360f19192b01cc3af5751140b689bbfaa4887cd6fbbffd2e40671e9f2040
Instruction ID: f0880ff242a247e2201bcb7cff20eefe12eaaf74681ca106bb00f5daced872a8
Opcode Fuzzy Hash: 9aa9360f19192b01cc3af5751140b689bbfaa4887cd6fbbffd2e40671e9f2040
Instruction Fuzzy Hash: F4B127355007019BDB349F24CC92ABBB7E8EF54B04F1445ADEA87C6680EA75FB85EB10

Function 00B3903A Relevance: .2, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364714ef4a045745b5f7468df55b66ae6613611fc605849022e6df72a2900bd6
Instruction ID: 378fae5ee5a791640f7f4c8c2cd5fd77f91409cf4e7d216dce2335e4697289d2
Opcode Fuzzy Hash: 364714ef4a045745b5f7468df55b66ae6613611fc605849022e6df72a2900bd6
Instruction Fuzzy Hash: 4D517171E00119EFDF08CF99C981AAEBBB2EF89310F198099E915BB241C7759E51DB90

Function 00B5099F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06021442126f7e0dbc83577eed1fa34ff18e410a3c80d8c3db7c12d613864522
Instruction ID: 8e974306e1217f2b9994348c9fe768ab58c5300c9c92d5d5a100ebeddffd144f
Opcode Fuzzy Hash: 06021442126f7e0dbc83577eed1fa34ff18e410a3c80d8c3db7c12d613864522
Instruction Fuzzy Hash: C221D673F20439077B0CC47ECC5327DB6E1C68C601744427AE8A6EA2C1D968D917E2E4

Function 00B5087F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c1ee62ef25aed3d3d48fa644cf6cbffa9629673d816d521a140ec4d2ff1651
Instruction ID: 3da7e0c4853232ea0b21ab243185c5cfed93005dbd08b85ece9919a8be9c7011
Opcode Fuzzy Hash: f7c1ee62ef25aed3d3d48fa644cf6cbffa9629673d816d521a140ec4d2ff1651
Instruction Fuzzy Hash: CE117723F30C255A675C81698C1727A95D2EBD825074F537AD826EB284E9A4DE13D290

Function 00B2F4A0 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 8038c99e99843439c00a34406019bd4ded2c8478ca489a6390b4d522e756b64b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 06112B772000B343E614DE2DF4B4AB7A3F5EBD532073C43FAD06E4B758D26299469600

Function 00B43D31 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466b9623b9868babe8ab3b70770baf7c21bc992727f76c7427cd8225c4a6a6c7
Instruction ID: 3e44d4466e7c1f57105fe60b5663723dfa833f36d6579f6f908567be43129a92
Opcode Fuzzy Hash: 466b9623b9868babe8ab3b70770baf7c21bc992727f76c7427cd8225c4a6a6c7
Instruction Fuzzy Hash: 25E08C32911238EBCB25DB88C94498AF7ECEB45F10B1544EAB906D3110C670DF00E7E0

Function 00B194B3 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B194BA
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B19746

Strings

pEvents, xrefs: 00B1973E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: H_prolog3std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 1590901807-2498624650
Opcode ID: b2c9d242f9629f94f0849d20efae3e78a6aab28f9a6e9f40c4968d43e13d641f
Instruction ID: 6d2182e953e5d57ec4b385cbbf41fdcf5613c6c576316903c906c453c9232e5e
Opcode Fuzzy Hash: b2c9d242f9629f94f0849d20efae3e78a6aab28f9a6e9f40c4968d43e13d641f
Instruction Fuzzy Hash: FC818931D00298DBCF25DFA8C891BEEB7F5EF15310F9444A9E401AB281DB34AE85CB61

Function 00B3BCB7 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3BD26
_free.LIBCMT ref: 00B3BD3C
_free.LIBCMT ref: 00B3BD4F
_free.LIBCMT ref: 00B3BD64
_free.LIBCMT ref: 00B3BD79
GetCPInfo.KERNEL32(?,?), ref: 00B3BDC3

Part of subcall function 00B48EAE: _free.LIBCMT ref: 00B48F19

_free.LIBCMT ref: 00B3C02E
_free.LIBCMT ref: 00B3C041
_free.LIBCMT ref: 00B3C04F
_free.LIBCMT ref: 00B3C05A
_free.LIBCMT ref: 00B3C09C
_free.LIBCMT ref: 00B3C0A4
_free.LIBCMT ref: 00B3C0AA
_free.LIBCMT ref: 00B3C0B2
_free.LIBCMT ref: 00B3C0C0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 115e9b4879ec67dd40df6fbbcb4e72ce77e90756a49976be104e9b544cad0634
Instruction ID: fdf0b16a73477f56e7166ca5023b0c6a4cf4baa9ebfe41c5e96e3c7472bd476a
Opcode Fuzzy Hash: 115e9b4879ec67dd40df6fbbcb4e72ce77e90756a49976be104e9b544cad0634
Instruction Fuzzy Hash: A8D1BC71D003459FDB11DFB8C881BEEBBF4FF08300F2444A9E999AB296D771A9459B60

Function 00B17412 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00B7646C,00000FA0,?,?,00B173F0), ref: 00B1741E
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00B173F0), ref: 00B17429
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00B173F0), ref: 00B1743A
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B1744C
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B1745A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B173F0), ref: 00B1747D
___scrt_fastfail.LIBCMT ref: 00B1748E
DeleteCriticalSection.KERNEL32(00B7646C,00000007,?,?,00B173F0), ref: 00B17499
CloseHandle.KERNEL32(00000000,?,?,00B173F0), ref: 00B174A9

Strings

SleepConditionVariableCS, xrefs: 00B17446
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B17424
WakeAllConditionVariable, xrefs: 00B17452
kernel32.dll, xrefs: 00B17435

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 7a4414f2bb14c5c2ec4f1be09432922d5218d7ba42acfdb135a005ab9806af86
Instruction ID: 736726cc73804be0c0106b44e8da43f48fe90316c9fefd3bf35b7183b11abbb6
Opcode Fuzzy Hash: 7a4414f2bb14c5c2ec4f1be09432922d5218d7ba42acfdb135a005ab9806af86
Instruction Fuzzy Hash: 3E017171A84B12FBDB201B75AC0EF963BE8EB40B5274445D0FC06E33A0EE60C8C09671

Function 00B2CFC6 Relevance: 22.7, APIs: 15, Instructions: 229COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00B2CFD8

Part of subcall function 00B2CDD6: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00B2CDF9

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00B2CFF9
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00B2D006
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00B2D054
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 00B2D0DB
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00B2D0EE
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00B2D13B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: f4ae1cdc8706de23165059d7e6e9e5d3ae3b1aa1f306c22851700e0275623c50
Instruction ID: 2f6b3e95a597993ae0bc59394b9421f4c3a1b4b9cee48376429266fc726be57c
Opcode Fuzzy Hash: f4ae1cdc8706de23165059d7e6e9e5d3ae3b1aa1f306c22851700e0275623c50
Instruction Fuzzy Hash: 9A81AF30800269ABDF169F94E954BBE7BF2EF46304F0440D8EC496B262C7768D66DB61

Function 00B1E958 Relevance: 22.7, APIs: 15, Instructions: 200timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B1E95F
ListArray.LIBCONCRT ref: 00B1E9B2

Part of subcall function 00B1E793: InitializeSListHead.KERNEL32(?,?,00000000,?,?), ref: 00B1E85F
Part of subcall function 00B1E793: InitializeSListHead.KERNEL32(?), ref: 00B1E869

ListArray.LIBCONCRT ref: 00B1E9E6
Hash.LIBCMT ref: 00B1EA4F
Hash.LIBCMT ref: 00B1EA5F
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00B1EAF4
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00B1EB01
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00B1EB0E
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00B1EB1B

Part of subcall function 00B2452C: std::bad_exception::bad_exception.LIBCMT ref: 00B2454E

RegisterWaitForSingleObject.KERNEL32(?,00000000,00B21ECE,?,000000FF,00000000), ref: 00B1EBA3
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00B1EBC5
GetLastError.KERNEL32(00B1F981,?,?,00000000,?,?), ref: 00B1EBD7
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00B1EBF4

Part of subcall function 00B1A01C: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,00B1F981,00000008,?,00B1EBF9,?,00000000,00B21EBF,?,7FFFFFFF,7FFFFFFF,00000000), ref: 00B1A034

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B1EC1E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 1224710184-0
Opcode ID: b5431cfcc10e8c9ca5e7246ac863836bdbc836b7d01f4a08677da32164b98abb
Instruction ID: 3355ea1e5cca2727d9ef55a50039ee6d8b9b2a73da453cd99b78b46a91401f7d
Opcode Fuzzy Hash: b5431cfcc10e8c9ca5e7246ac863836bdbc836b7d01f4a08677da32164b98abb
Instruction Fuzzy Hash: 73812BB0A11A66FBD7049F748845BDAFBE8FF08710F40429AF52897281DBB4A564CBD1

Function 00B1CCBA Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00B1CCC9

Part of subcall function 00B1DFBA: GetVersionExW.KERNEL32(?), ref: 00B1DFDE
Part of subcall function 00B1DFBA: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00B1E07D

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00B1CCDD
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00B1CCFE
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00B1CD67
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00B1CD9B

Part of subcall function 00B1AC89: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 00B1ACA9

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00B1CE1B

Part of subcall function 00B1C7EE: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00B1C802

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00B1CE63

Part of subcall function 00B1AC5E: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00B1AC7A

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00B1CE77
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00B1CE88
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00B1CED5
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00B1CEFA
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00B1CF06

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 0498d60de45c9a17c34dd04ed48cfbd4be3af23d1c5e5c396c0f0787bc0058d6
Instruction ID: 07dc5ec46f90568c1037dc9159a19deb7ff47ad2d0b31d1c5d852fbd2d01b84e
Opcode Fuzzy Hash: 0498d60de45c9a17c34dd04ed48cfbd4be3af23d1c5e5c396c0f0787bc0058d6
Instruction Fuzzy Hash: FF814D72A815169FCB18DFA9E8915EDBFF1FB48300BA441BED449E7240DB31A9C5CB81

Function 00B4BE45 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B4BE89

Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B10C
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B11E
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B130
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B142
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B154
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B166
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B178
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B18A
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B19C
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B1AE
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B1C0
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B1D2
Part of subcall function 00B4B0EF: _free.LIBCMT ref: 00B4B1E4

_free.LIBCMT ref: 00B4BE7E

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

_free.LIBCMT ref: 00B4BEA0
_free.LIBCMT ref: 00B4BEB5
_free.LIBCMT ref: 00B4BEC0
_free.LIBCMT ref: 00B4BEE2
_free.LIBCMT ref: 00B4BEF5
_free.LIBCMT ref: 00B4BF03
_free.LIBCMT ref: 00B4BF0E
_free.LIBCMT ref: 00B4BF46
_free.LIBCMT ref: 00B4BF4D
_free.LIBCMT ref: 00B4BF6A
_free.LIBCMT ref: 00B4BF82

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9e936724f8123261bf9510e5c8aee5166ed9f14c291b98a20f2655451f72c01e
Instruction ID: 733b78237a3e6b2b522aa1026b55729f195a644a33157b0c839df7486f9b4bd0
Opcode Fuzzy Hash: 9e936724f8123261bf9510e5c8aee5166ed9f14c291b98a20f2655451f72c01e
Instruction Fuzzy Hash: F9315C31A04204AFEB20AF78D845F9A73E9EF90310F504899F69CD6195DB70EE84FB24

Function 00B19EE3 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,00B1E074), ref: 00B19EF1
GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 00B19EFF
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 00B19F0D
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 00B19F3B
GetLastError.KERNEL32(?,00000000,?,?,?,00B1E074), ref: 00B19F56
GetLastError.KERNEL32(?,00000000,?,?,?,00B1E074), ref: 00B19F62
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B19F78

Strings

GetThreadGroupAffinity, xrefs: 00B19F05
SetThreadGroupAffinity, xrefs: 00B19EF9
kernel32.dll, xrefs: 00B19EEC
GetCurrentProcessorNumberEx, xrefs: 00B19F30

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 1654681794-465693683
Opcode ID: f064ab879d900c3dd3f94a389df08a06ebe2490475f7bed2fb96acbc17ca3c55
Instruction ID: 1d6e03ebb54f61425c9b059ade56d455c5c894adc2f5c2d3763718ce6581ab92
Opcode Fuzzy Hash: f064ab879d900c3dd3f94a389df08a06ebe2490475f7bed2fb96acbc17ca3c55
Instruction Fuzzy Hash: C401DB71900361FF9710BBB57C1EAAB37ECD901B123508AD6B405D3261EEB4E4424665

Function 00B4B1ED Relevance: 18.4, APIs: 12, Instructions: 374COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B4B235
_free.LIBCMT ref: 00B4B259
_free.LIBCMT ref: 00B4B266
_free.LIBCMT ref: 00B4B28B
_free.LIBCMT ref: 00B4B298
_free.LIBCMT ref: 00B4B2A1
_free.LIBCMT ref: 00B4B57C
_free.LIBCMT ref: 00B4B584

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f8bbcb5542c3318a61600f2d93a11f908f386120897724401e6814db7a3f57ab
Instruction ID: 3ff860222c98998a58525f76996ef35aed17281598519d1071e7bf12eff750e5
Opcode Fuzzy Hash: f8bbcb5542c3318a61600f2d93a11f908f386120897724401e6814db7a3f57ab
Instruction Fuzzy Hash: 4AC1F476D40205BBDB20DBA8CC82FDE77F8EB58700F1441A5FA45FB286D670DA41A764

Function 00B2D263 Relevance: 16.7, APIs: 11, Instructions: 216COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00B2D275

Part of subcall function 00B2CDD6: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00B2CDF9

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00B2D296
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00B2D2A3
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00B2D2F1
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00B2D399
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00B2D3CB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: 5fea69880fef916234a816b7c67296e37098d38e0c93a748567bcf47ebcfed9e
Instruction ID: b7cb77427bb90e38a561889a6b19e2ad179e10def30ccf9dae07bf821b8fa12f
Opcode Fuzzy Hash: 5fea69880fef916234a816b7c67296e37098d38e0c93a748567bcf47ebcfed9e
Instruction Fuzzy Hash: 39718930900269ABDF05DF54E890ABEBBF1EF56304F0440D8EC596B252C776ED16DB62

Function 00B20E8E Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00B20ED3
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00B20F05
List.LIBCONCRT ref: 00B20F40
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00B20F51
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00B20F6D
List.LIBCONCRT ref: 00B20FA8
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00B20FB9
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00B20FD4
List.LIBCONCRT ref: 00B2100F
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00B2101C

Part of subcall function 00B203A3: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00B203BB
Part of subcall function 00B203A3: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00B203CD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 80a484a2c0d1e850d37a3c0fceb0b0fe47bdf371199bdbde22ea9b5a75ad1d49
Instruction ID: 11c584f3b1ced3ae8612a4b43546d82784bf021a27301ddebfc9858c22babd37
Opcode Fuzzy Hash: 80a484a2c0d1e850d37a3c0fceb0b0fe47bdf371199bdbde22ea9b5a75ad1d49
Instruction Fuzzy Hash: 18516E71A10219ABDB18EF54D595BEDB3F8FF48344F4440B9E949AB282DB30AE45CB90

Function 00B285D5 Relevance: 15.1, APIs: 10, Instructions: 138threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B285DC
GetCurrentThreadId.KERNEL32 ref: 00B285EB
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 00B28656
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00B28673
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00B286D9
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 00B286EE
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00B28700
Concurrency::details::InternalContextBase::CleanupDispatchedContextOnCancel.LIBCMT ref: 00B28729
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 00B28734
Concurrency::details::ContextBase::ReleaseWorkQueue.LIBCMT ref: 00B28799

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Context$Base::$Internal$Work$ChoreCurrentThread$AssociatedCancelCleanupCompletionCreateDispatchedExecuteExecutedFoundH_prolog3InlineListQueueReleaseWait
String ID:
API String ID: 3801383771-0
Opcode ID: d9e9622e5560f5b3adc464aa1928405a3715d4c90aabacfefe6a62a623bf6ae3
Instruction ID: fb122005a68812183aa0894e2c5510429d088331744426412ccb79cd2b29cec5
Opcode Fuzzy Hash: d9e9622e5560f5b3adc464aa1928405a3715d4c90aabacfefe6a62a623bf6ae3
Instruction Fuzzy Hash: A151AA30A052689BCF15FFA4A5557AD7BE5AF05300F1840E9E84D6B2D3CF754E05C7A2

Function 00B41A15 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B41A2B

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

_free.LIBCMT ref: 00B41A37
_free.LIBCMT ref: 00B41A42
_free.LIBCMT ref: 00B41A4D
_free.LIBCMT ref: 00B41A58
_free.LIBCMT ref: 00B41A63
_free.LIBCMT ref: 00B41A6E
_free.LIBCMT ref: 00B41A79
_free.LIBCMT ref: 00B41A84
_free.LIBCMT ref: 00B41A92

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff9f971ef9b361d7d170e2093f5069e2f6c44019ea0084eb8ea07581e78d7d44
Instruction ID: f4eeb9bd0383177f8e560ae8ab8fb7d5c9ea563bf8e057450356d024588438c7
Opcode Fuzzy Hash: ff9f971ef9b361d7d170e2093f5069e2f6c44019ea0084eb8ea07581e78d7d44
Instruction Fuzzy Hash: 73219676900108AFCB41EF94C882DDE7BF9FF58340B4045A6F9559B121DB71EB84AB84

Function 00B30EE0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00B30FDB
___TypeMatch.LIBVCRUNTIME ref: 00B3110E
IsInExceptionSpec.LIBVCRUNTIME ref: 00B311E9
_UnwindNestedFrames.LIBCMT ref: 00B31270
CallUnexpected.LIBVCRUNTIME ref: 00B3128B

Strings

csm, xrefs: 00B30F1B
csm, xrefs: 00B30F88
csm, xrefs: 00B31039

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 1184646756-393685449
Opcode ID: 4c29c6126b119d63b8ed61bf0dd7c789af31a32dc7ea24fb3a6b66bc669d3111
Instruction ID: 69d7a87e93358793ed8a7ac5af1b5f6c3cc1706a0b482b03e557a17fa5f99ba8
Opcode Fuzzy Hash: 4c29c6126b119d63b8ed61bf0dd7c789af31a32dc7ea24fb3a6b66bc669d3111
Instruction Fuzzy Hash: F2C15D71C00209EFCF29EFA8D8819AEBBF9FF14310F244999E815AB252D731D951CB91

Function 00B10079 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 302COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B100B7

Part of subcall function 00B059B1: __EH_prolog3.LIBCMT ref: 00B059B8
Part of subcall function 00B059B1: std::_Lockit::_Lockit.LIBCPMT ref: 00B059C2
Part of subcall function 00B059B1: std::_Lockit::~_Lockit.LIBCPMT ref: 00B05A33

Strings

%b %d %H : %M : %S %Y, xrefs: 00B1015B
%H : %M, xrefs: 00B102E8
%m / %d / %y, xrefs: 00B101E2
%d / %m / %y, xrefs: 00B1032B
%H : %M : %S, xrefs: 00B102FF
%I : %M : %S %p, xrefs: 00B102DE
:AM:am:PM:pm, xrefs: 00B102A7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 3816486692b7e014592b194c214be5acef9b40a89ebd2e8855c9f4d7ab4fb763
Instruction ID: df2cd7ea4971174506c23380a9131369a172befc0a1ee672a6ec39b161955119
Opcode Fuzzy Hash: 3816486692b7e014592b194c214be5acef9b40a89ebd2e8855c9f4d7ab4fb763
Instruction Fuzzy Hash: 6BB1897590020AAFCF05EF54CC82EEF7BF9EF08300F504589F956A62A1D671DAA1DB61

Function 00B154D2 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B154D9

Part of subcall function 00AFB780: std::_Lockit::_Lockit.LIBCPMT ref: 00AFB7C9
Part of subcall function 00AFB780: std::_Lockit::_Lockit.LIBCPMT ref: 00AFB7EB
Part of subcall function 00AFB780: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFB80B
Part of subcall function 00AFB780: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFB8D8

Strings

%b %d %H : %M : %S %Y, xrefs: 00B1557D
%H : %M, xrefs: 00B1570A
%m / %d / %y, xrefs: 00B15604
%d / %m / %y, xrefs: 00B1574D
%H : %M : %S, xrefs: 00B15721
%I : %M : %S %p, xrefs: 00B15700
:AM:am:PM:pm, xrefs: 00B156C9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 9a2c7474d56e8f0ace29be689fbb5cb4490e9b506686bc92fdbf4f8199e7d598
Instruction ID: c07db60aad1262e2b11b22385754a0924e469a3151ce9235581a5b5cdc4f1259
Opcode Fuzzy Hash: 9a2c7474d56e8f0ace29be689fbb5cb4490e9b506686bc92fdbf4f8199e7d598
Instruction Fuzzy Hash: EFA1577150020AEFCF15CF44CC82EFE7BFAEF58304F90419AFA56A6291D6319A90DB61

Function 00B0FD0B Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0FD12

Part of subcall function 00B0591C: __EH_prolog3.LIBCMT ref: 00B05923
Part of subcall function 00B0591C: std::_Lockit::_Lockit.LIBCPMT ref: 00B0592D
Part of subcall function 00B0591C: std::_Lockit::~_Lockit.LIBCPMT ref: 00B0599E

Strings

%b %d %H : %M : %S %Y, xrefs: 00B0FDB6
%H : %M, xrefs: 00B0FF43
%m / %d / %y, xrefs: 00B0FE3D
%d / %m / %y, xrefs: 00B0FF86
%H : %M : %S, xrefs: 00B0FF5A
%I : %M : %S %p, xrefs: 00B0FF39
:AM:am:PM:pm, xrefs: 00B0FF02

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: ce33211c875f5fafe3fdb6ae21cee6fc5f711f8c7013e1f0c21fe103163d783f
Instruction ID: e1d4c338362d84fe0e6593fe96ecc48d9580f6bc87cf4f36b50717d6e845042b
Opcode Fuzzy Hash: ce33211c875f5fafe3fdb6ae21cee6fc5f711f8c7013e1f0c21fe103163d783f
Instruction Fuzzy Hash: BCA1467160020AEFDF15CF44CC92EFE7FF9EF08304F1045AAFA46A6291D6319A659B61

Function 00B212D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00B212EA
GetCurrentProcess.KERNEL32 ref: 00B212F2
DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00B21307
SafeRWList.LIBCONCRT ref: 00B21327

Part of subcall function 00B1F33B: __EH_prolog3.LIBCMT ref: 00B1F342
Part of subcall function 00B1F33B: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00B1F34C
Part of subcall function 00B1F33B: List.LIBCMT ref: 00B1F356

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B21339
GetLastError.KERNEL32 ref: 00B21348
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B2135E

Strings

eventObject, xrefs: 00B21331

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorH_prolog3HandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 416234428-1680012138
Opcode ID: 1490df305501de46dc8795b401cd69a7765c5aab234a5b2bd075fc105b6f33f1
Instruction ID: 500e815b4a48c2dfb82557f300e7881112f30cc7427086bb964e390c55aab314
Opcode Fuzzy Hash: 1490df305501de46dc8795b401cd69a7765c5aab234a5b2bd075fc105b6f33f1
Instruction Fuzzy Hash: EB11E371500325FBDB20EBA4EC49FEE33F8AB14701F1045E4B519A60E1DB709A05CB69

Function 00B130CE Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B130D5
collate.LIBCPMT ref: 00B13119
std::_Facet_Register.LIBCPMT ref: 00B13130
std::_Lockit::~_Lockit.LIBCPMT ref: 00B13150
Concurrency::cancel_current_task.LIBCPMT ref: 00B1315D
std::_Lockit::_Lockit.LIBCPMT ref: 00B130DF

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

Strings

bG, xrefs: 00B134D5
H, xrefs: 00B13453

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID: H$bG
API String ID: 1767075461-4276473746
Opcode ID: 59f1f6ed48ab66343769fcccfe0c79c483b8b087914315c5c1ba0692b524b449
Instruction ID: 7e23089e9d6bffc7913eda4bd365e84e12ab7232caef8cbfde3ce5163be4a131
Opcode Fuzzy Hash: 59f1f6ed48ab66343769fcccfe0c79c483b8b087914315c5c1ba0692b524b449
Instruction Fuzzy Hash: F001A172904119ABCB04EB64C9456FD7BF9EF40B10FA40088F41467392DF709E858781

Function 00B4B60D Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B4B67B
_free.LIBCMT ref: 00B4B687
_free.LIBCMT ref: 00B4B7B0
_free.LIBCMT ref: 00B4B7BB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a30a5bbda687c5e18ad62dc561333f44806617f159a536b5f47a9e75ccb91782
Instruction ID: 0fb2d90bc677b3292e283665b8701bae5ea60e9fcc571c76a25ef722afc2154e
Opcode Fuzzy Hash: a30a5bbda687c5e18ad62dc561333f44806617f159a536b5f47a9e75ccb91782
Instruction Fuzzy Hash: D861A371900705AFDB20DF78C881FAAB7E9EF94710F1444A9EA55EB251EB70DE40AB50

Function 00B03ACF Relevance: 13.6, APIs: 9, Instructions: 139threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B03AF7
GetCurrentThreadId.KERNEL32 ref: 00B03B14
GetCurrentThreadId.KERNEL32 ref: 00B03B29
_xtime_get.LIBCPMT ref: 00B03BAF
GetCurrentThreadId.KERNEL32 ref: 00B03BD9
__Xtime_diff_to_millis2.LIBCPMT ref: 00B03BF5
_xtime_get.LIBCPMT ref: 00B03C18
GetCurrentThreadId.KERNEL32 ref: 00B03C22
GetCurrentThreadId.KERNEL32 ref: 00B03C59

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
String ID:
API String ID: 3943753294-0
Opcode ID: 65fb9356f74a8f1ed79794a912df1ac7f2b1fdecb5b24b27b10a627f90b59e3e
Instruction ID: 2cffd37542c1a1a7dbc38246bbae09f6db6f431ef4531e8e668e3a2ae6f4f089
Opcode Fuzzy Hash: 65fb9356f74a8f1ed79794a912df1ac7f2b1fdecb5b24b27b10a627f90b59e3e
Instruction Fuzzy Hash: 6D514E70900205CFCF24DF54C9C9AA9BBF9EF04B15B1589DAD906EB291DB30EE81CB94

Function 00B2B29F Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B2B2B5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00B2016D,?), ref: 00B2B2C7
GetCurrentThread.KERNEL32 ref: 00B2B2CF
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00B2016D,?), ref: 00B2B2D7
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00B2016D,?), ref: 00B2B2F0
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00B2B311

Part of subcall function 00B1A683: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00B1A69D

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00B2016D,?), ref: 00B2B323
GetLastError.KERNEL32(?,?,?,?,?,00B2016D,?), ref: 00B2B34E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B2B364

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: a8af511ec66532e154e827f8f8f774c6872cdbd76bb34ab1ab9346f6e8e101fe
Instruction ID: 36623aa60556e5de57718759682b04078f7b148dbed90e0507b137174686d795
Opcode Fuzzy Hash: a8af511ec66532e154e827f8f8f774c6872cdbd76bb34ab1ab9346f6e8e101fe
Instruction Fuzzy Hash: 0911C071640321EBD700AB74AC4AF9A3BE8AF05701F1404E5F949EB262EF7098008B76

Function 00AFC8B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AFC8EF
std::_Lockit::_Lockit.LIBCPMT ref: 00AFC911
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC931
std::_Facet_Register.LIBCPMT ref: 00AFCA71
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFCA89

Strings

true, xrefs: 00AFCA44
false, xrefs: 00AFCA31

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: false$true
API String ID: 459529453-2658103896
Opcode ID: e19c5bc5b95c944ceb114059d51e4a59a5f89aeeede27a0168a41157e6cb4173
Instruction ID: 977ea3b5828f1957bfc0df759d9e36b9b1114b2317eb098ad4f562621bb5c132
Opcode Fuzzy Hash: e19c5bc5b95c944ceb114059d51e4a59a5f89aeeede27a0168a41157e6cb4173
Instruction Fuzzy Hash: F651D07190021DDFDB20DFA4CA81BAEBBF4EF04710F10469DE555AB291EBB4AA45CB90

Function 00B2181D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00B21869
SwitchToThread.KERNEL32(?), ref: 00B2188C
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00B218AB
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 00B218C7
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B218F9

Strings

ppVirtualProcessorRoots, xrefs: 00B218F1
count, xrefs: 00B21837

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$FindMatchingNode::ProcessorSchedulingVirtual$Base::ContextInternalOversubscribedProcResetSwitchThreadstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 1244378731-3650809737
Opcode ID: 0a7d6f59b128cd6c68aa117892c182a6d9f6273533db8d4430b0231dca53fba7
Instruction ID: 6d8594aebf30806b149d316f74883c2c5064dc97c14e2a56a413c739363f8914
Opcode Fuzzy Hash: 0a7d6f59b128cd6c68aa117892c182a6d9f6273533db8d4430b0231dca53fba7
Instruction Fuzzy Hash: 78214C34A00319AFCB10EFA9D4D5AAEB7F4FF59344F5045E9E909AB261CB30AE41CB50

Function 00B1BA9E Relevance: 12.2, APIs: 8, Instructions: 211memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B1D184: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00B1D197
Part of subcall function 00B1D184: Concurrency::details::ResourceManager::PopulateCommonAllocationData.LIBCONCRT ref: 00B1D1CA
Part of subcall function 00B1D184: Concurrency::details::HillClimbing::Update.LIBCONCRT ref: 00B1D21E
Part of subcall function 00B1D184: Concurrency::details::SchedulerProxy::AdjustAllocationIncrease.LIBCMT ref: 00B1D231

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00B1BBDE
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00B1BC3E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00B1BC4A
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00B1BC88
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00B1BCA9
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00B1BCB5
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00B1BCBE
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00B1BCD6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Allocation$Adjust$CoreCoresDataDistributeDynamicIncreasePrepareReceiversSchedulerTransfer$AllocationsBuffersClimbing::CommonExclusiveFullyGlobalHillIdleInitializeLoadedPopulateProxy::ResetUpdate
String ID:
API String ID: 1715847140-0
Opcode ID: cbb15fa978125a8ea21641e035fb4142c7d621169541360eb8b363f850fc5fa4
Instruction ID: b0d3279470f22067c7281da5f27229eda4d2ff4c9446de082880e89d1b5da5be
Opcode Fuzzy Hash: cbb15fa978125a8ea21641e035fb4142c7d621169541360eb8b363f850fc5fa4
Instruction Fuzzy Hash: C5814A71E00615EFCB18DF69C580AAEB7F2FF48304F6586ADD415A7605DB30AD92CB90

Function 00B4A7BD Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B4A7E7
_free.LIBCMT ref: 00B4A8C0
_free.LIBCMT ref: 00B4A8ED

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: dbf524fa7cb7d0d3be80ae8aa213d5d8c9de5e53699df0b83cb5cd1c07749af6
Instruction ID: a020541eee1f74c091e1e29dedc29322b533b779ceedb9f152699784def31236
Opcode Fuzzy Hash: dbf524fa7cb7d0d3be80ae8aa213d5d8c9de5e53699df0b83cb5cd1c07749af6
Instruction Fuzzy Hash: 9351D471D84205AFDB25AF789882A6D7BE4EF01310F1181EEF95497182EF358B41FB52

Function 00B21D9A Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00B21DBC

Part of subcall function 00B20177: __EH_prolog3_catch.LIBCMT ref: 00B2017E
Part of subcall function 00B20177: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00B201B7

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00B21DE3
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00B21DEF

Part of subcall function 00B20177: InterlockedPopEntrySList.KERNEL32(?), ref: 00B20200
Part of subcall function 00B20177: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00B2022F
Part of subcall function 00B20177: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00B2023D

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00B21E3B
Concurrency::location::_Assign.LIBCMT ref: 00B21E5C
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00B21E64
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00B21E76
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 00B21EA6

Part of subcall function 00B20DD9: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00B20DFE
Part of subcall function 00B20DD9: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00B20E19

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$ContextThrottling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextProcessor::RingSchedulingSpinStartupTicket::TimerUntilWith
String ID:
API String ID: 2285097503-0
Opcode ID: e48d282266c956cb6dd544059474c058705621f2702f4bf6ce729dd705c0e7e4
Instruction ID: aa0970474fdcfb5d118d6ef6b7bcdc3189a32fcc3aef1d299369ab8ec37fe85d
Opcode Fuzzy Hash: e48d282266c956cb6dd544059474c058705621f2702f4bf6ce729dd705c0e7e4
Instruction Fuzzy Hash: 86313630B04265ABCF16BA7C68827FEB7F99F65300F0408E9D849E7242DB255D458791

Function 00B17066 Relevance: 10.7, APIs: 7, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00B170F1
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B1717F
__alloca_probe_16.LIBCMT ref: 00B171A9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B171F1
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B1720B
__alloca_probe_16.LIBCMT ref: 00B17231
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B1726E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$Info
String ID:
API String ID: 2298828789-0
Opcode ID: 94157ef452165ebe7c166b4a01ee81c39922aa1acc46dcd0988f14950c721603
Instruction ID: 55eb9cf7641aa1a800d693f4426d4555336990df5f5720d7ba997205d5d62d0d
Opcode Fuzzy Hash: 94157ef452165ebe7c166b4a01ee81c39922aa1acc46dcd0988f14950c721603
Instruction Fuzzy Hash: 9871927294825AABDF218FA4CC45AEE7BF6EF06310F9840D5F944B7250DB358D91CBA0

Function 00B2822A Relevance: 10.6, APIs: 7, Instructions: 114COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00B2825C
StructuredWorkStealingQueue.LIBCMT ref: 00B2831E
Concurrency::location::_Assign.LIBCMT ref: 00B28339
Concurrency::location::_Assign.LIBCMT ref: 00B28349
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00B28353
Concurrency::location::_Assign.LIBCMT ref: 00B28390
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00B28398

Part of subcall function 00B2A03E: Concurrency::location::_Assign.LIBCMT ref: 00B2A08A
Part of subcall function 00B2A03E: Concurrency::location::operator==.LIBCONCRT ref: 00B2A0C5
Part of subcall function 00B2A03E: Concurrency::location::_Assign.LIBCMT ref: 00B2A0EF
Part of subcall function 00B2A03E: Concurrency::location::_Assign.LIBCMT ref: 00B2A0FF
Part of subcall function 00B2A03E: Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00B2A107

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AssignConcurrency::location::_$Base::Concurrency::details::$ProcessorSchedulerStartupVirtual$Concurrency::location::operator==ContextGroupQueueRunnableScheduleSegmentStealingStructuredWork
String ID:
API String ID: 944676547-0
Opcode ID: 4c44159f2117ad7a4e93c30f0834b6524b161afc7b7b08776a7792e9b29ed3dd
Instruction ID: fdf72c3e840ea66b4c193998d9fead0659df4d784cc1a5301d038fc827e7986a
Opcode Fuzzy Hash: 4c44159f2117ad7a4e93c30f0834b6524b161afc7b7b08776a7792e9b29ed3dd
Instruction Fuzzy Hash: 94417B71A00224ABCF08EF24D085BBEB7E5BB84754F1545D9EC499B286DF34ED41CB91

Function 00B2907E Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00B290A9

Part of subcall function 00B28E14: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00B28E47
Part of subcall function 00B28E14: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00B28E69

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B29128
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00B29134
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00B29146
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00B29150
Concurrency::location::_Assign.LIBCMT ref: 00B29183
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00B2918B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 418d638f848cd2e9efe7349a1e306664ec5fc80fea6ed0a6ecb9980e839b2428
Instruction ID: eed87244d05ddd296e53ec6e43593e4aab86310319ca208cffbb102b7771a0ab
Opcode Fuzzy Hash: 418d638f848cd2e9efe7349a1e306664ec5fc80fea6ed0a6ecb9980e839b2428
Instruction Fuzzy Hash: 7F413A35A00214EFDF04DF64D885BADB7F5FF88311F1480A9E949AB246DB34A941CB91

Function 00B2C42E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00B2C447

Part of subcall function 00B2C70E: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00B2C18F), ref: 00B2C71E

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00B2C45C
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B2C46B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B2C522

Strings

pContext, xrefs: 00B2C51A
switchState, xrefs: 00B2C463

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID: pContext$switchState
API String ID: 1312548968-2660820399
Opcode ID: d4f59bb5361063366768d3823441913b900a118c91560a9050f1cdebbb229b49
Instruction ID: 2385d618a7e8ea5d62075b406d4ae5068d4a3a7f235a8bde8439ef14e4ffb569
Opcode Fuzzy Hash: d4f59bb5361063366768d3823441913b900a118c91560a9050f1cdebbb229b49
Instruction Fuzzy Hash: E731F536A002249BCF15EF24E895A7E7BE9EF54320F2446D4EC29972A2DB70ED05C790

Function 00B256D5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B256DC
List.LIBCONCRT ref: 00B2575A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B2577F
__EH_prolog3.LIBCMT ref: 00B2579A
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 00B257BE

Strings

pExecutionResource, xrefs: 00B25777

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FreeH_prolog3ProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 2527137531-359481074
Opcode ID: ecf32c4b8fbb7ef4fa08c94179d1274f8d3b43d3bfc86e8790b089311f9871ff
Instruction ID: e0b9b0057e58acfd3b133b2daad7a9cd3fcd9ba561426822730d5c814e8aa7a4
Opcode Fuzzy Hash: ecf32c4b8fbb7ef4fa08c94179d1274f8d3b43d3bfc86e8790b089311f9871ff
Instruction Fuzzy Hash: 7921C175A40705ABCB18EF64D892BED77F5BF48300F5040A9F5196B291CFB0AE44CBA5

Function 00B1F374 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00B1F3D3
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B1F3F6
__EH_prolog3.LIBCMT ref: 00B1F411
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00B1F438

Strings

ppVirtualProcessorRoots, xrefs: 00B1F3EE
count, xrefs: 00B1F38C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 2642201467-3650809737
Opcode ID: a8570cadd47c0b9344bafb807b9fa23b2ff1481d3e084a4a2a4baec6a9b330d5
Instruction ID: b1713e9491cf7d223b7246c3fb6947ae7fd2054f5ad2f052bea026b7c7ff5b8e
Opcode Fuzzy Hash: a8570cadd47c0b9344bafb807b9fa23b2ff1481d3e084a4a2a4baec6a9b330d5
Instruction Fuzzy Hash: 0821B039600216EFCB14EF98D891EAD77F5FF48300F4040AAF919976A1CB31AE41CB95

Function 00B192EA Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B192F1
_SpinWait.LIBCONCRT ref: 00B19347
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 00B19353
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00B1936C
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00B1939A
Concurrency::Context::Block.LIBCONCRT ref: 00B193BC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1888882079-0
Opcode ID: e98aef9afae67425ec7d63435af0a2bed309d312a10cda46d8a870cdf920f178
Instruction ID: cea6a8c8b769190d4d336541534ca81505d325fcd1bf0c3cebcb4dbb9d1a6836
Opcode Fuzzy Hash: e98aef9afae67425ec7d63435af0a2bed309d312a10cda46d8a870cdf920f178
Instruction Fuzzy Hash: 29218370800249CADF24DFA4D8656EDB7F0FF05310FA006AAE075A62D0EB719AC4CB95

Function 00B4BAD0 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4B81C: _free.LIBCMT ref: 00B4B841

_free.LIBCMT ref: 00B4BB1E

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

_free.LIBCMT ref: 00B4BB29
_free.LIBCMT ref: 00B4BB34
_free.LIBCMT ref: 00B4BB88
_free.LIBCMT ref: 00B4BB93
_free.LIBCMT ref: 00B4BB9E
_free.LIBCMT ref: 00B4BBA9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: af2a964dafbb1664078f1458bd78e7284d55ae2521dea9974e2e20a217fa9fdb
Instruction ID: dd499f415867e8da934e9d21823dbfad9787c93d4d84daa98970ba80ba4deb4c
Opcode Fuzzy Hash: af2a964dafbb1664078f1458bd78e7284d55ae2521dea9974e2e20a217fa9fdb
Instruction Fuzzy Hash: EC114F71941B04AAE620BBB0DC07FDB77DCAF50700F808895F39D6A056DBA5F604AA90

Function 00AE90B0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE914B

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

\E, xrefs: 00AE90E5
McAfeeFrameworkMcAfeeFramework, xrefs: 00AE9113, 00AE9156
CKYA, xrefs: 00AE90DE
Kh\O, xrefs: 00AE90D0
MoHK, xrefs: 00AE90C7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CKYA$Kh\O$McAfeeFrameworkMcAfeeFramework$MoHK$\E
API String ID: 2296764815-986396205
Opcode ID: 6e081ec47936d7c84821183cc4530e0fcf7f0e753f911af9e714d73e8afd2461
Instruction ID: 984d6e67dd5a3f2914c3f30304f98255e0d6d4f90f09da22674870563446d03a
Opcode Fuzzy Hash: 6e081ec47936d7c84821183cc4530e0fcf7f0e753f911af9e714d73e8afd2461
Instruction Fuzzy Hash: 4711A074E54249DACB10EFA8E9425ADB7F0EF29300F0052D4E82967361EF30DA88CB52

Function 00AEEA10 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEA9D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

AMO[, xrefs: 00AEEA27
ocautoupds.exe, xrefs: 00AEEA7F, 00AEEAA8
ZA[^, xrefs: 00AEEA30
VK, xrefs: 00AEEA45
J], xrefs: 00AEEA3E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AMO[$J]$VK$ZA[^$ocautoupds.exe
API String ID: 2296764815-3057251732
Opcode ID: 022ae41390efa7e00b707282f09f6d1bc1cb0257e958d318b01efb186d4295a1
Instruction ID: b40b2c5c0158f003dc8cd8fda7fc3df1575e11270088a4b4f591af32f128879f
Opcode Fuzzy Hash: 022ae41390efa7e00b707282f09f6d1bc1cb0257e958d318b01efb186d4295a1
Instruction Fuzzy Hash: 2401C474A51205DBDB10EFA8E88159DB7F0EF18740F4041E9E8296F361EE30AA88CF55

Function 00AEEF70 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEFFD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

VK, xrefs: 00AEEFA5
]_BL, xrefs: 00AEEF87
K\, xrefs: 00AEEF9E
\AY], xrefs: 00AEEF90
sqlbrowser.exe, xrefs: 00AEEFDF, 00AEF008

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K\$VK$\AY]$]_BL$sqlbrowser.exe
API String ID: 2296764815-531526104
Opcode ID: c7d3cdb6673a896ee265dd63a18ef914c9cbb0d1809c519398355ac1038f6236
Instruction ID: 990b4512298d223a32e36330868cb2f2841b8f7c8d2b7ceca2366cb9044e92e6
Opcode Fuzzy Hash: c7d3cdb6673a896ee265dd63a18ef914c9cbb0d1809c519398355ac1038f6236
Instruction Fuzzy Hash: 7701A175A44244DFCB11DFA8E84299DB7F0EF19704F0245E9E43E5B361EB309A808F5A

Function 00AE9810 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE989D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

IKci, xrefs: 00AE983E
cz, xrefs: 00AE9845
MSExchangeMGMT, xrefs: 00AE987F, 00AE98A8
MFO@, xrefs: 00AE9830
c}kV, xrefs: 00AE9827

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IKci$MFO@$MSExchangeMGMT$cz$c}kV
API String ID: 2296764815-3908694829
Opcode ID: 48bb6d3b2b9346af64d14fd6517cfd71b305a68956e90f66a13d6d0092794755
Instruction ID: 623a39d57a3bf2a37050fb30ffb7ad122b5ae4399e484c1567042d3d599d00ce
Opcode Fuzzy Hash: 48bb6d3b2b9346af64d14fd6517cfd71b305a68956e90f66a13d6d0092794755
Instruction Fuzzy Hash: 3401C474D45309EBDB00DFA8E8816ADB7F0EF09700F5041E9E92967361EF309A80CB65

Function 00AE8450 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE84CB

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K\OZ, xrefs: 00AE847F
A\, xrefs: 00AE8486
MMKB, xrefs: 00AE8471
BackupExecAgentAccelerator, xrefs: 00AE84B1, 00AE84D6
., xrefs: 00AE848C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$A\$BackupExecAgentAccelerator$K\OZ$MMKB
API String ID: 2296764815-2406794741
Opcode ID: 118e75ad410fa026383a89eb1cec6f5b601a1be128deae7cf210806d52413de4
Instruction ID: 01c4c40b0e5db36d7b05b811581a1cb5db9ff829f8440af86273f74f6a88dd97
Opcode Fuzzy Hash: 118e75ad410fa026383a89eb1cec6f5b601a1be128deae7cf210806d52413de4
Instruction Fuzzy Hash: 3501FC30E44349DBCB00DBA8DD81ABDB7F0EF58704F0041E4E929673A1EF34AA859B55

Function 00AEA5A0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA61B

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQLFDLauncher$SHAREPOINT, xrefs: 00AEA601, 00AEA626
`z, xrefs: 00AEA5D6
k~ag, xrefs: 00AEA5CF
., xrefs: 00AEA5DC
}fo|, xrefs: 00AEA5C1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$MSSQLFDLauncher$SHAREPOINT$`z$k~ag$}fo|
API String ID: 2296764815-1966754759
Opcode ID: de3f3e9d827edacd554c412ab10e732d5a8ba7f02f4fb92b65a43c21cfb98815
Instruction ID: ee3c1da84d8987b6f42560cd607a9a0dd1f39a4774257cf75f83c15c5291cf4a
Opcode Fuzzy Hash: de3f3e9d827edacd554c412ab10e732d5a8ba7f02f4fb92b65a43c21cfb98815
Instruction Fuzzy Hash: D701B5309442489BCB00DFA8D9426DCB7F4EF1C704F5045D4E829673A2EF74AA848756

Function 00AEA500 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA57E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

i., xrefs: 00AEA53D
MSSQLFDLauncher$SBSMONITORING, xrefs: 00AEA564, 00AEA589
a`gz, xrefs: 00AEA52F
a|g`, xrefs: 00AEA536
}l}c, xrefs: 00AEA521

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQLFDLauncher$SBSMONITORING$a`gz$a|g`$i.$}l}c
API String ID: 2296764815-2761476531
Opcode ID: 3c52d28d1d9b7cf2b9c7ec560e918abd4be83dba72a24f1c79d3d06ef5a4210c
Instruction ID: 4679165b4f1418c6c040c98878970577fd79fe92b040eeedefb2ac968626e5ed
Opcode Fuzzy Hash: 3c52d28d1d9b7cf2b9c7ec560e918abd4be83dba72a24f1c79d3d06ef5a4210c
Instruction Fuzzy Hash: 0C0171709442099BCB10DFA499826ECB7F0EF18704F5086F9E819A7361EE316F849B66

Function 00AEA6E0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA75B

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

kcql, xrefs: 00AEA70F
., xrefs: 00AEA71C
MSSQLFDLauncher$SYSTEM_BGC, xrefs: 00AEA741, 00AEA766
}w}z, xrefs: 00AEA701
im, xrefs: 00AEA716

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$MSSQLFDLauncher$SYSTEM_BGC$im$kcql$}w}z
API String ID: 2296764815-2044327037
Opcode ID: 78ebb12465aeb031654fe69e30fdf1c7b93931997a9ebeb26ca30fc4f110bed7
Instruction ID: 630ec3cc71b014fb012232478d585cb10a804d71ac3d5e11f65e70b18565e461
Opcode Fuzzy Hash: 78ebb12465aeb031654fe69e30fdf1c7b93931997a9ebeb26ca30fc4f110bed7
Instruction Fuzzy Hash: D5017574E542489BCB10EFA8D9826AC77F0EB18700F404195EC15673A1EB746A88CF66

Function 00AEF0C0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF144

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

\, xrefs: 00AEF0E4
K., xrefs: 00AEF0F2
]_BY, xrefs: 00AEF0D6
sqlwriter.exe, xrefs: 00AEF12C, 00AEF14F
\GZK, xrefs: 00AEF0DD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$\$\GZK$]_BY$sqlwriter.exe
API String ID: 2296764815-2778453125
Opcode ID: a25a546ccf9896c4f60bbb5fd23ee220197ed4e8b9b831c8027d033aa9ef23ab
Instruction ID: 224ca227f88a39daa8772d195c0addb472b57a1839c9b39f7ebd55c3d10d1ceb
Opcode Fuzzy Hash: a25a546ccf9896c4f60bbb5fd23ee220197ed4e8b9b831c8027d033aa9ef23ab
Instruction Fuzzy Hash: F1017574D50248DBCB10EFA8D9815ADBBF0EF19700F5042E9E929A7361EB319A44CF66

Function 00AE9200 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9284

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

cMzO, xrefs: 00AE9216
]EcO, xrefs: 00AE921D
McTaskManager, xrefs: 00AE926C, 00AE928F
\., xrefs: 00AE9232
@OIK, xrefs: 00AE9224

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @OIK$McTaskManager$\.$]EcO$cMzO
API String ID: 2296764815-1966186115
Opcode ID: e812fb7a1141857c962f418d6d2d6365871156311b66170a2882ed5dcede5c1d
Instruction ID: d392c7b2486f0c771ea7604260d5cd8803f8255d8d1b5fba8af329c2b591f295
Opcode Fuzzy Hash: e812fb7a1141857c962f418d6d2d6365871156311b66170a2882ed5dcede5c1d
Instruction Fuzzy Hash: FA014075D442069BCF20DFA8E9415ADB7F0FB04700F5182BAE92997361EB305A84CB9A

Function 00AE9440 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE94C4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

^\AL, xrefs: 00AE945D
CATW, xrefs: 00AE9456
^., xrefs: 00AE9472
mozyprobackup, xrefs: 00AE94AC, 00AE94CF
OME[, xrefs: 00AE9464

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CATW$OME[$^.$^\AL$mozyprobackup
API String ID: 2296764815-1881610348
Opcode ID: 31c9a4c781b70aafec85a7cefbef3513a86d11ccc97683ecb2fb632427de0fb1
Instruction ID: 9c21ccedb6e8fdc28af757bb1cea7e125200caede9367d0f58be05b59e5f08b7
Opcode Fuzzy Hash: 31c9a4c781b70aafec85a7cefbef3513a86d11ccc97683ecb2fb632427de0fb1
Instruction Fuzzy Hash: DC018074A60309DBCB90FFA8D9415ADB7F0EF08740F104199E81967371EA706A89CB95

Function 00AEF640 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF6C4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

XMMA, xrefs: 00AEF65D
K., xrefs: 00AEF672
xfssvccon.exe, xrefs: 00AEF6AC, 00AEF6CF
@, xrefs: 00AEF664
VH]], xrefs: 00AEF656

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @$K.$VH]]$XMMA$xfssvccon.exe
API String ID: 2296764815-1874097938
Opcode ID: 56badb7d610261c29d497d27ccb41b4016a7beb431e4cd109c4a7bb74661bd43
Instruction ID: ce0a68f36941487b2cea50ac548501acf128314539eb9bc50109c8624daf0e8f
Opcode Fuzzy Hash: 56badb7d610261c29d497d27ccb41b4016a7beb431e4cd109c4a7bb74661bd43
Instruction Fuzzy Hash: BD0140B4D4424ADBCB10EFA8D9415ADB7F0EF04700F5045BAED29A7361EF305A81CB59

Function 00AE98C0 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9944

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSExchangeMTA, xrefs: 00AE992C, 00AE994F
MFO@, xrefs: 00AE98DD
o., xrefs: 00AE98F2
c}kV, xrefs: 00AE98D6
IKcz, xrefs: 00AE98E4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IKcz$MFO@$MSExchangeMTA$c}kV$o.
API String ID: 2296764815-4267720735
Opcode ID: 6ff95a3d674ff1055b07201d01466270f43e9b80142e93bfcc74993ea3b2173b
Instruction ID: 53044bc7f57452d0eedd4ee72b80ae3fe90bd01b19471ab5c5c795f00d75883b
Opcode Fuzzy Hash: 6ff95a3d674ff1055b07201d01466270f43e9b80142e93bfcc74993ea3b2173b
Instruction Fuzzy Hash: 24019EB4E54249DFCB00EFA8E8415ADB7F0EB04700F5042A9E819A7361EF309A84CB96

Function 00AEF820 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF8A4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K., xrefs: 00AEF852
\, xrefs: 00AEF844
m`zo, xrefs: 00AEF836
CNTAoSMgr.exe, xrefs: 00AEF88C, 00AEF8AF
A}cI, xrefs: 00AEF83D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A}cI$CNTAoSMgr.exe$K.$\$m`zo
API String ID: 2296764815-2628646751
Opcode ID: 1ddb8644418836aec7a2e08103126a8a2a7a1a8e6ea28ec181c74bb24f844b1f
Instruction ID: 8eb061bcaa38d1782c74d317e9f2d746e0606a183b3d15c0de85b76b689b5807
Opcode Fuzzy Hash: 1ddb8644418836aec7a2e08103126a8a2a7a1a8e6ea28ec181c74bb24f844b1f
Instruction Fuzzy Hash: AD019675D11205DBCB40EFA4D9416ADB7F0FB15700F4001ABD91597361EB309E84CF56

Function 00AE9A00 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9A84

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

IK}|, xrefs: 00AE9A24
MFO@, xrefs: 00AE9A1D
MSExchangeSRS, xrefs: 00AE9A6C, 00AE9A8F
c}kV, xrefs: 00AE9A16
}., xrefs: 00AE9A32

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IK}|$MFO@$MSExchangeSRS$c}kV$}.
API String ID: 2296764815-1240814529
Opcode ID: 3c78054d614cd357347864db467f7a0b3214ff48d8a8aa5f04d648d7a1dfa447
Instruction ID: 6556186d32876b7dd0dc5adf710e7da93c8756cf25f1f888a36d31c717bce26c
Opcode Fuzzy Hash: 3c78054d614cd357347864db467f7a0b3214ff48d8a8aa5f04d648d7a1dfa447
Instruction Fuzzy Hash: 5B018C79D50208DBCB90FFA8E84259DB7F0EF54740F0002A9E81567371EB346A48CF56

Function 00AE9C30 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9CB4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

o., xrefs: 00AE9C62
c}ab, xrefs: 00AE9C46
MSOLAP$TPSAMA, xrefs: 00AE9C9C, 00AE9CBF
o~z, xrefs: 00AE9C4D
~}oc, xrefs: 00AE9C54

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSOLAP$TPSAMA$c}ab$o.$o~z$~}oc
API String ID: 2296764815-3713785607
Opcode ID: 30f47ad80056dd6adca4434c70d7e7f9083568d210f685e57bf93416f33aaec5
Instruction ID: 24dd0c52b20d8289cb72e1b5ac747eb8c7051814a14805703a584f87d1fff87b
Opcode Fuzzy Hash: 30f47ad80056dd6adca4434c70d7e7f9083568d210f685e57bf93416f33aaec5
Instruction Fuzzy Hash: 6801CC74D542099BCB00FFA8D9426ADB7F0EB0C700F1045A9E819A7361EB306B84CB59

Function 00B44F80 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,00000000), ref: 00B44FC8
__fassign.LIBCMT ref: 00B451A7
__fassign.LIBCMT ref: 00B451C4
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B4520C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B4524C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B452F8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: b18d5273d5539ca7e7358423f5ba2baeb055a0fc1bff9cd1d134bf2e0660464d
Instruction ID: 2ee9aef5caaa11078c261c18a16dc8c043e417a3f968b0e4219883911240d0d0
Opcode Fuzzy Hash: b18d5273d5539ca7e7358423f5ba2baeb055a0fc1bff9cd1d134bf2e0660464d
Instruction Fuzzy Hash: A8D19C75D04A589FCF25CFA8C8809EDBBF5EF49310F28019AE855FB242D631AE46DB50

Function 00B2BCFF Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00B2BD06
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 00B2BD51
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 00B2BD7C
Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00B2BE04
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 00B2BE2C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountCounter::_H_prolog3_catchRegisterReleaseStateState::_Structured
String ID:
API String ID: 1066115758-0
Opcode ID: 6403adef30dca6fb4b6c9347c917871c7932f8b44cd7b7b329540ed22b87da6a
Instruction ID: 0b94e51c686f7dccbbbc42034f9869c45e31b2b0fa5a1b7fd9a29aad00eb2ae6
Opcode Fuzzy Hash: 6403adef30dca6fb4b6c9347c917871c7932f8b44cd7b7b329540ed22b87da6a
Instruction Fuzzy Hash: 33419371A00325DFCF14DFA9D8819EDFBF5EF44710B1486AEE819A7251DB349941CB90

Function 00B3D0F7 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 375COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B3D1DD
__freea.LIBCMT ref: 00B3D27D
__freea.LIBCMT ref: 00B3D299

Strings

am/pm, xrefs: 00B3D2FD
a/p, xrefs: 00B3D361

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: b09695ae9a516ab7059de3b492f251dead8e66b6ae3603c669629e0ca8636544
Instruction ID: c7b3904e8fe56415e82109a1dc0584f0e39c3e47cbc0781a9b56f25a2af71396
Opcode Fuzzy Hash: b09695ae9a516ab7059de3b492f251dead8e66b6ae3603c669629e0ca8636544
Instruction Fuzzy Hash: 92C1CD75A00216DBCB248FA8E895ABAB7F0FF15700F3841C9E905AB355D335ED41CBA6

Function 00AFB780 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AFB7C9
std::_Lockit::_Lockit.LIBCPMT ref: 00AFB7EB
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFB80B
__Getctype.LIBCPMT ref: 00AFB8A1
std::_Facet_Register.LIBCPMT ref: 00AFB8C0
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFB8D8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 6f02fcdbbddd4ac2d18e7587fc6377b4dcda424246976108fcc539eb411b4d46
Instruction ID: b4b8d0badf18535fb15f02c01f5b2f4ef90aa0bf56fd20e23e09722df8fad0da
Opcode Fuzzy Hash: 6f02fcdbbddd4ac2d18e7587fc6377b4dcda424246976108fcc539eb411b4d46
Instruction Fuzzy Hash: 1B41C071D00208DFCB11DF94D941BAEBBF8EF48750F1441A9E919AB252EB30AE45CBE1

Function 00B291B5 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00B291F6
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00B291FE
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B29228
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00B29231
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00B292B4
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00B292BC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: 8c074d5d88a446a5de29ce5250634b234b3a9aaf1274a5b956378e2657e80347
Instruction ID: 125fa6ca769040a33f1c8d0dafd28f0f5fffb1ad25a3d4720637ce74132e2821
Opcode Fuzzy Hash: 8c074d5d88a446a5de29ce5250634b234b3a9aaf1274a5b956378e2657e80347
Instruction Fuzzy Hash: 76412075A00619EFCF09DF64D454AADB7B5FF89310F048199E50AA7790CB34AE01CB85

Function 00B21544 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32 ref: 00B215BA
InterlockedPushEntrySList.KERNEL32(?,?), ref: 00B215D3
QueryDepthSList.KERNEL32(?), ref: 00B215DA
InterlockedFlushSList.KERNEL32(?), ref: 00B2160D
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00B21622
InterlockedPushEntrySList.KERNEL32(?,?), ref: 00B2162A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
String ID:
API String ID: 80210428-0
Opcode ID: ce101ea6269bac6fed88db8a4e5dbedc3c097e1cf78da488138a31215bc1fdb6
Instruction ID: 633fd5330125057063e34d3f7ff97ec7aeb442ef5614975fdc60e9be69fb9ad9
Opcode Fuzzy Hash: ce101ea6269bac6fed88db8a4e5dbedc3c097e1cf78da488138a31215bc1fdb6
Instruction Fuzzy Hash: 0331D031500621EFC716CF29E9849AAB7F1EFA9710B14899DE44BD7650CB30FA42CBA1

Function 00B2163D Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,?,?,-00000001,?,?,?,00B2180B,-00000004,?,00000001,?,00B20C66,?,?,00B28EB2), ref: 00B216B3
InterlockedPushEntrySList.KERNEL32(00000000,-00000038,?,00B2180B,-00000004,?,00000001,?,00B20C66,?,?,00B28EB2,00000000,00000000,?,00B2A82F), ref: 00B216CC
QueryDepthSList.KERNEL32(00000000,?,00B2180B,-00000004,?,00000001,?,00B20C66,?,?,00B28EB2,00000000,00000000,?,00B2A82F,?), ref: 00B216D3
InterlockedFlushSList.KERNEL32(00000000,?,00B2180B,-00000004,?,00000001,?,00B20C66,?,?,00B28EB2,00000000,00000000,?,00B2A82F,?), ref: 00B21706
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00B2171B
InterlockedPushEntrySList.KERNEL32(?,-00000038,?,00B2180B,-00000004,?,00000001,?,00B20C66,?,?,00B28EB2,00000000,00000000,?,00B2A82F), ref: 00B21723

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
String ID:
API String ID: 80210428-0
Opcode ID: 2e7550d14c79473582282cad28da77a98735d101d1d6e6a2c3db31c21020444b
Instruction ID: 032920b6dfeeaef4332c99f36cfcd1e9e40aca797f1dd4eda4a37f8ff888a058
Opcode Fuzzy Hash: 2e7550d14c79473582282cad28da77a98735d101d1d6e6a2c3db31c21020444b
Instruction Fuzzy Hash: FC31CF75100621EFC715CF29E9849AAB7F5EF99310B14899DE45AD7620CB30F902CBA0

Function 00B2A847 Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,?,?,00000000,?,?,?,00B2A9DE,00000000,00000000,00000000,00000000,?,?,00B2A7B2,00000000), ref: 00B2A8BD
InterlockedPushEntrySList.KERNEL32(?,?,?,00B2A9DE,00000000,00000000,00000000,00000000,?,?,00B2A7B2,00000000), ref: 00B2A8D6
QueryDepthSList.KERNEL32(?,?,00B2A9DE,00000000,00000000,00000000,00000000,?,?,00B2A7B2,00000000), ref: 00B2A8DD
InterlockedFlushSList.KERNEL32(?,?,00B2A9DE,00000000,00000000,00000000,00000000,?,?,00B2A7B2,00000000), ref: 00B2A908
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00B2A91D
InterlockedPushEntrySList.KERNEL32(?,?,?,00B2A9DE,00000000,00000000,00000000,00000000,?,?,00B2A7B2,00000000), ref: 00B2A925

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
String ID:
API String ID: 80210428-0
Opcode ID: de359e6e20022e4753799e9a488d144f56348b47d1e6bfe5b2fb9475839e7454
Instruction ID: ef16aa1bb897b0518f04f8ddde2633005a08cada411cf7076e8af2dfbedacc26
Opcode Fuzzy Hash: de359e6e20022e4753799e9a488d144f56348b47d1e6bfe5b2fb9475839e7454
Instruction Fuzzy Hash: 93310531100621EFCB15DF2AE9D49AAB7F1FF89311711899DE54B97650CB30F942CB91

Function 00B230ED Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(00B20115,?,?,?,00B20115,00B20115,?,00B23068,?,?,00000001,?,?,00B2B380), ref: 00B23163
InterlockedPushEntrySList.KERNEL32(00B2011D,00B70548,?,?,?,00B20115,00B20115,?,00B23068,?,?,00000001,?,?,00B2B380), ref: 00B2317C
QueryDepthSList.KERNEL32(00B2011D,?,?,?,00B20115,00B20115,?,00B23068,?,?,00000001,?,?,00B2B380), ref: 00B23183
InterlockedFlushSList.KERNEL32(00B2011D,?,?,?,00B20115,00B20115,?,00B23068,?,?,00000001,?,?,00B2B380), ref: 00B231AE
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00B231C3
InterlockedPushEntrySList.KERNEL32(00B20115,00B70548,?,?,?,00B20115,00B20115,?,00B23068,?,?,00000001,?,?,00B2B380), ref: 00B231CB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
String ID:
API String ID: 80210428-0
Opcode ID: 1b2e729df0c46142a7b6f2c129cc4679e61c476fdf8ce109f626682e5ed3f4cd
Instruction ID: 7e13061e76b26250c1b6a7b03a2f90c970de5d3df272b7b25a4811cc48f70c4b
Opcode Fuzzy Hash: 1b2e729df0c46142a7b6f2c129cc4679e61c476fdf8ce109f626682e5ed3f4cd
Instruction Fuzzy Hash: CC31E731200635EFCB15DF25E9C48AAB7F1FF8A712710859DE94AA3550CB34FA52CB50

Function 00B273E6 Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32 ref: 00B2745C
InterlockedPushEntrySList.KERNEL32(?,?), ref: 00B27478
QueryDepthSList.KERNEL32(?), ref: 00B2747F
InterlockedFlushSList.KERNEL32(?), ref: 00B274AA
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00B274BF
InterlockedPushEntrySList.KERNEL32(?,?), ref: 00B274C7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
String ID:
API String ID: 80210428-0
Opcode ID: 6e4b0b8eaed80ccdf02c13ccd3b39d0224c2bc64185443df945c5b7319714956
Instruction ID: 8c5ebcb12398a98d54440b4b9c8409d93d4969b7a62ec3382baab8d3fe7ecc0c
Opcode Fuzzy Hash: 6e4b0b8eaed80ccdf02c13ccd3b39d0224c2bc64185443df945c5b7319714956
Instruction Fuzzy Hash: E831B531104621EFC715EF29E984DAABBF5FF89315710869DE96E97650CF30B902CB60

Function 00B29839 Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32 ref: 00B298AF
InterlockedPushEntrySList.KERNEL32(?,?), ref: 00B298CB
QueryDepthSList.KERNEL32(?), ref: 00B298D2
InterlockedFlushSList.KERNEL32(?), ref: 00B298FD
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00B29912
InterlockedPushEntrySList.KERNEL32(?,?), ref: 00B2991A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
String ID:
API String ID: 80210428-0
Opcode ID: 1410e268e266c6202708b9d06595c0d813c3384662bf822e1b06271948d38057
Instruction ID: 9023aef0651bf6d90ffcf8358a1649bff6bc8aa7ea55e67a7ced47e492855f58
Opcode Fuzzy Hash: 1410e268e266c6202708b9d06595c0d813c3384662bf822e1b06271948d38057
Instruction Fuzzy Hash: A631B135500621EFCB25CF29E9849AAB7F5FF8A325B10859DE44E97650CB30FA42CB90

Function 00B23D8E Relevance: 9.1, APIs: 6, Instructions: 84threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B23D95
Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::remove.LIBCONCRT ref: 00B23DC5
Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00B23DD4
__Mtx_unlock.LIBCPMT ref: 00B23DE2
GetCurrentThreadId.KERNEL32 ref: 00B23E16
__Mtx_unlock.LIBCPMT ref: 00B23E55

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Mtx_unlockToken$CancellationContainer::removeCounter::_CurrentH_prolog3RegistrationReleaseState::Thread
String ID:
API String ID: 942166752-0
Opcode ID: 4471638c518939bd9bf28204f6dcd6ddde116fc0f3cb63a660cadeffc79a1d02
Instruction ID: 748a5b2ca94239c4b23e9898a3aea0be1efece30449b0c57429ea37f6a97609e
Opcode Fuzzy Hash: 4471638c518939bd9bf28204f6dcd6ddde116fc0f3cb63a660cadeffc79a1d02
Instruction Fuzzy Hash: 8421D8B3801225AECB25FBA8D985AEEB7F4EF04B10F1141AEE115A7181CF745B85CAD0

Function 00B1ED21 Relevance: 9.1, APIs: 6, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,?,?,00B1EE7C,B5607032,?,?,?,00B546BB,000000FF), ref: 00B1ED27
_InternalDeleteHelper.LIBCONCRT ref: 00B1ED37
InterlockedFlushSList.KERNEL32(?,?,?,?,00B1EE7C,B5607032,?,?,?,00B546BB,000000FF), ref: 00B1ED45
_InternalDeleteHelper.LIBCONCRT ref: 00B1ED55
_InternalDeleteHelper.LIBCONCRT ref: 00B1ED6A
_InternalDeleteHelper.LIBCONCRT ref: 00B1ED87

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternal$FlushInterlockedList
String ID:
API String ID: 3190206687-0
Opcode ID: 580f7fc468ae142d6469c53c1aeb21c3232aa0d8b94027a4081f6dff135f9107
Instruction ID: 66fd3364e2cae0175e37e7f57d9137b24bbe50c7493a83fdce28d53bde511bfc
Opcode Fuzzy Hash: 580f7fc468ae142d6469c53c1aeb21c3232aa0d8b94027a4081f6dff135f9107
Instruction Fuzzy Hash: 4C118232941622EBDB259B64E5819D9B7E4FF087603D109FAEC616B651CB20FDD0CAD0

Function 00B29731 Relevance: 9.1, APIs: 6, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,?,?,00B297E3,00000000,00B1F767,?,?,?,00B1EE32,B5607032,?,?,?,00B546BB), ref: 00B29737
_InternalDeleteHelper.LIBCONCRT ref: 00B2974A
InterlockedFlushSList.KERNEL32(?,?,?,?,00B297E3,00000000,00B1F767,?,?,?,00B1EE32,B5607032,?,?,?,00B546BB), ref: 00B29758
_InternalDeleteHelper.LIBCONCRT ref: 00B2976B
_InternalDeleteHelper.LIBCONCRT ref: 00B29783
_InternalDeleteHelper.LIBCONCRT ref: 00B297A0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternal$FlushInterlockedList
String ID:
API String ID: 3190206687-0
Opcode ID: 8fcdded2784505f06935410aa37977fddb5b584b254c7f625309a4531f71261e
Instruction ID: a674777658b3e648d14becba35a38fe2c51dc8ccee70b27a610ede1c90818e77
Opcode Fuzzy Hash: 8fcdded2784505f06935410aa37977fddb5b584b254c7f625309a4531f71261e
Instruction Fuzzy Hash: 25110436810631EBCB259F60F886D95B7E8FF08760B5105E9EC8DA7621CB20FC528AD0

Function 00B27951 Relevance: 9.1, APIs: 6, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,00000000,?,00B27A00,?,00000000,00B1F73B,?,?,?,00B1EE32,B5607032), ref: 00B27957
_InternalDeleteHelper.LIBCONCRT ref: 00B2796A
InterlockedFlushSList.KERNEL32(?,?,00000000,?,00B27A00,?,00000000,00B1F73B,?,?,?,00B1EE32,B5607032), ref: 00B27978
_InternalDeleteHelper.LIBCONCRT ref: 00B2798B
_InternalDeleteHelper.LIBCONCRT ref: 00B279A3
_InternalDeleteHelper.LIBCONCRT ref: 00B279C0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternal$FlushInterlockedList
String ID:
API String ID: 3190206687-0
Opcode ID: 43258e9f82ba3feee112b4db83c8c22d39449a0754cf1e40f1f26fea8634ccb8
Instruction ID: 0a1a2b65f3082e0cbc98616d2d27e9b60d4c09a496b8c1c8111d2f4e4bc044d0
Opcode Fuzzy Hash: 43258e9f82ba3feee112b4db83c8c22d39449a0754cf1e40f1f26fea8634ccb8
Instruction Fuzzy Hash: 9611B932988732FBDB219B50E496D55B7E8FF0576075105DAEC49A7601CF60FC828AD4

Function 00B30B72 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B30B69,00B2E3C3,00AFF63D,B5607032,?,?,?,00000000,00B540BC,000000FF,?,00AE24DA,?,?), ref: 00B30B80
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B30B8E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B30BA7
SetLastError.KERNEL32(00000000,?,00B30B69,00B2E3C3,00AFF63D,B5607032,?,?,?,00000000,00B540BC,000000FF,?,00AE24DA,?,?), ref: 00B30BF9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9b93a037de7b0bbe695d5d8257dae200b1e93d6ca66e913a5ddf96596e5e2631
Instruction ID: a0f55c51bdebbac9725bdd4d33fa24d34210ba9ff774eb09992af606ececf8dd
Opcode Fuzzy Hash: 9b93a037de7b0bbe695d5d8257dae200b1e93d6ca66e913a5ddf96596e5e2631
Instruction Fuzzy Hash: CC01A732229312AEA625377C7CA9B1777D8EF16B79F3042F9F528460E1FF114C41A150

Function 00B05EEE Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05EF5
std::_Lockit::_Lockit.LIBCPMT ref: 00B05EFF

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

moneypunct.LIBCPMT ref: 00B05F39
std::_Facet_Register.LIBCPMT ref: 00B05F50
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05F70
Concurrency::cancel_current_task.LIBCPMT ref: 00B05F7D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 8e915d97a09d954f67a8c04ca83f50ca4ab9df22d0c5f6c2f8ac256578737432
Instruction ID: 204313f4478d6c8edafe0636a09931e34c009a0f516efb95bd111224b8a16096
Opcode Fuzzy Hash: 8e915d97a09d954f67a8c04ca83f50ca4ab9df22d0c5f6c2f8ac256578737432
Instruction Fuzzy Hash: 2201C4369046199FCB14EBA4C9456BE7BF5EF40310F540489F514AB2D1DF749E418B91

Function 00B1A08D Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00B1A09B
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00B1A0A1
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00B1A0CE
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00B1A0D8
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00B1A0EA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B1A100

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: a2f82406b9d26473577975e009935597ba7eea64020c4b81cf7412df0058cc8b
Instruction ID: a66c80bf2a876167dd38063ad5b434e98a31dd450d11d076f5985e41e41c138e
Opcode Fuzzy Hash: a2f82406b9d26473577975e009935597ba7eea64020c4b81cf7412df0058cc8b
Instruction Fuzzy Hash: 2301D434100225FBCB10AB65EC0DFFF37E8EB44752F5084E5F502E60A1EB24E8408661

Function 00B000C9 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B000D0
std::_Lockit::_Lockit.LIBCPMT ref: 00B000DA

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

codecvt.LIBCPMT ref: 00B00114
std::_Facet_Register.LIBCPMT ref: 00B0012B
std::_Lockit::~_Lockit.LIBCPMT ref: 00B0014B
Concurrency::cancel_current_task.LIBCPMT ref: 00B00158

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 39f69db13038f52544445c1f19aeb064ba5fe44c8325c6653e301620bf0e77c9
Instruction ID: 760270a71fb73d62aa14ee13f41162a68c8208781d5eef6f9bb08302d28c8da4
Opcode Fuzzy Hash: 39f69db13038f52544445c1f19aeb064ba5fe44c8325c6653e301620bf0e77c9
Instruction Fuzzy Hash: 1501C0329102199BCB05FBA4C9457BE7BF5AF80311F644499F9247B3E2DF709E418B81

Function 00B0626E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B06275
std::_Lockit::_Lockit.LIBCPMT ref: 00B0627F

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

numpunct.LIBCPMT ref: 00B062B9
std::_Facet_Register.LIBCPMT ref: 00B062D0
std::_Lockit::~_Lockit.LIBCPMT ref: 00B062F0
Concurrency::cancel_current_task.LIBCPMT ref: 00B062FD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: 3c749efde156d642bcf930c87dd108df110bac019469222a4f52b47122e45297
Instruction ID: f7f5a4b5f2fa605ac3bfd077e39630e33fe9f754e411e8899e723594370d0910
Opcode Fuzzy Hash: 3c749efde156d642bcf930c87dd108df110bac019469222a4f52b47122e45297
Instruction Fuzzy Hash: 9101C0729042199BCB04EBA4C945ABE7BF5EF80710F2444A9F8156B3D1CF709E418B81

Function 00B06303 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0630A
std::_Lockit::_Lockit.LIBCPMT ref: 00B06314

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

numpunct.LIBCPMT ref: 00B0634E
std::_Facet_Register.LIBCPMT ref: 00B06365
std::_Lockit::~_Lockit.LIBCPMT ref: 00B06385
Concurrency::cancel_current_task.LIBCPMT ref: 00B06392

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: 949bf3c6e34237fb0cf3ff0c1d77989c70502072a53c1acca6b3c9a5a6d2b5b9
Instruction ID: 7296efd4110046193464e937ee24cfe4e337fe77742cfaee3ad95f7cf4857382
Opcode Fuzzy Hash: 949bf3c6e34237fb0cf3ff0c1d77989c70502072a53c1acca6b3c9a5a6d2b5b9
Instruction Fuzzy Hash: 8601AD729042199FCB05EBA8C945ABEBBB5AF80720F244598F8146B2D1DF70AF4187D5

Function 00B13163 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B1316A
std::_Lockit::_Lockit.LIBCPMT ref: 00B13174

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

messages.LIBCPMT ref: 00B131AE
std::_Facet_Register.LIBCPMT ref: 00B131C5
std::_Lockit::~_Lockit.LIBCPMT ref: 00B131E5
Concurrency::cancel_current_task.LIBCPMT ref: 00B131F2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: c07a7025a659eca64b0c37d835c92616e0f0656bd210889d150536a21209dac2
Instruction ID: 0d693c3a0788a52cdf9299b1840a84e4fb8aaef8cef84859db909afbae8e0089
Opcode Fuzzy Hash: c07a7025a659eca64b0c37d835c92616e0f0656bd210889d150536a21209dac2
Instruction Fuzzy Hash: B801ED72900228AFCB01EBA4C952AFD7BF5AF80710F640098F810A7391DF719F818791

Function 00B133B7 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B133BE
std::_Lockit::_Lockit.LIBCPMT ref: 00B133C8

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

moneypunct.LIBCPMT ref: 00B13402
std::_Facet_Register.LIBCPMT ref: 00B13419
std::_Lockit::~_Lockit.LIBCPMT ref: 00B13439
Concurrency::cancel_current_task.LIBCPMT ref: 00B13446

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: d1c6d9a33b96b71cade66ee3fb40651f8a478ff9b00f067e93eb562a92018424
Instruction ID: a9634b1542c0930e2cd416643980ad80498c74a4993ef23b97f4997d015b9ffb
Opcode Fuzzy Hash: d1c6d9a33b96b71cade66ee3fb40651f8a478ff9b00f067e93eb562a92018424
Instruction Fuzzy Hash: 0501D6729042699BCB05EB64C9456FD77F9EF40B20FA40098F4146B392DF749F858791

Function 00B13322 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B13329
std::_Lockit::_Lockit.LIBCPMT ref: 00B13333

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

moneypunct.LIBCPMT ref: 00B1336D
std::_Facet_Register.LIBCPMT ref: 00B13384
std::_Lockit::~_Lockit.LIBCPMT ref: 00B133A4
Concurrency::cancel_current_task.LIBCPMT ref: 00B133B1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 4baedc28e57f7585ae5d4c05ecbee55a999ff9920cb8a14d492525f12692fa7c
Instruction ID: dac725f7ccafce51e60ae630569b31aca68c9291c9005aa8bf731237e16e5f1d
Opcode Fuzzy Hash: 4baedc28e57f7585ae5d4c05ecbee55a999ff9920cb8a14d492525f12692fa7c
Instruction Fuzzy Hash: 9A01CC729042699FCB04EBA4D9456FE77F5EF80B20F640098F824AB391EF749F818795

Function 00B056C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B056CF
std::_Lockit::_Lockit.LIBCPMT ref: 00B056D9

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

codecvt.LIBCPMT ref: 00B05713
std::_Facet_Register.LIBCPMT ref: 00B0572A
std::_Lockit::~_Lockit.LIBCPMT ref: 00B0574A
Concurrency::cancel_current_task.LIBCPMT ref: 00B05757

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 919c919bf6a3fec7564cc80c0453ec1cce7521fd8c0dddd097e64e182c7f495a
Instruction ID: 7eae2260f6d304e50a6722db2737b7bc976a6bf9896fca63f688fdaae2581de8
Opcode Fuzzy Hash: 919c919bf6a3fec7564cc80c0453ec1cce7521fd8c0dddd097e64e182c7f495a
Instruction Fuzzy Hash: D801AD36904619DBCB15EBA4C945ABE7BF9EF84710F240189F824673D1CF749E418F91

Function 00B057F2 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B057F9
std::_Lockit::_Lockit.LIBCPMT ref: 00B05803

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

collate.LIBCPMT ref: 00B0583D
std::_Facet_Register.LIBCPMT ref: 00B05854
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05874
Concurrency::cancel_current_task.LIBCPMT ref: 00B05881

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: 44cb44d2cf240498f3558ccabb26c4d1ad0b07ab96d3747819f31f7d3dd826f7
Instruction ID: 79ab3057595474826913029fd8c75c35689e7f92ff0d1c13f62c1ddbb6d07244
Opcode Fuzzy Hash: 44cb44d2cf240498f3558ccabb26c4d1ad0b07ab96d3747819f31f7d3dd826f7
Instruction Fuzzy Hash: 7C01A1769046299BCB14EB64C9556BE7BB5EF40710F144098F814673D1DF709E42CB81

Function 00B0575D Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05764
std::_Lockit::_Lockit.LIBCPMT ref: 00B0576E

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

codecvt.LIBCPMT ref: 00B057A8
std::_Facet_Register.LIBCPMT ref: 00B057BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B057DF
Concurrency::cancel_current_task.LIBCPMT ref: 00B057EC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 5d14a2c718c360348211cae6445f7d2c2844cbf150608aa0df8cea4112b860e5
Instruction ID: cdc353cd9d355a60e9ac2eff33d758b2daeb7197d6bae96579c770789f021506
Opcode Fuzzy Hash: 5d14a2c718c360348211cae6445f7d2c2844cbf150608aa0df8cea4112b860e5
Instruction Fuzzy Hash: 25010076904618DFCB05EBA4C9456BE7BF9AF80310F244089F814672D2CF709E41CB91

Function 00B05887 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0588E
std::_Lockit::_Lockit.LIBCPMT ref: 00B05898

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

collate.LIBCPMT ref: 00B058D2
std::_Facet_Register.LIBCPMT ref: 00B058E9
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05909
Concurrency::cancel_current_task.LIBCPMT ref: 00B05916

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: 16dbccf77172d09032b6a8f4c4d76d538f141562bcc00749460ce3758564d986
Instruction ID: 3acfb63c8523f127c73297a4e8bc15b52804c1d7a84ab6e821a47903930bb5a0
Opcode Fuzzy Hash: 16dbccf77172d09032b6a8f4c4d76d538f141562bcc00749460ce3758564d986
Instruction Fuzzy Hash: 92010032900629DFCB14EBA4C9456BE7BF5EF80320F244488F8146B2D1DF709E45CB90

Function 00B059B1 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B059B8
std::_Lockit::_Lockit.LIBCPMT ref: 00B059C2

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

ctype.LIBCPMT ref: 00B059FC
std::_Facet_Register.LIBCPMT ref: 00B05A13
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05A33
Concurrency::cancel_current_task.LIBCPMT ref: 00B05A40

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 0e37f8d3ccd94611f5da92ba0b7c0414c65345f98eeea34f40386f031f8ebca5
Instruction ID: f5856e7201ed8f8c516f13db19ab9c1c904ecdc9d2874c3c4919e097adf0f128
Opcode Fuzzy Hash: 0e37f8d3ccd94611f5da92ba0b7c0414c65345f98eeea34f40386f031f8ebca5
Instruction Fuzzy Hash: AA012232A046289BCB14EBA4C945BBEBBF4FF80310F640189F8156B2D1CF719E418F80

Function 00B0591C Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05923
std::_Lockit::_Lockit.LIBCPMT ref: 00B0592D

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

ctype.LIBCPMT ref: 00B05967
std::_Facet_Register.LIBCPMT ref: 00B0597E
std::_Lockit::~_Lockit.LIBCPMT ref: 00B0599E
Concurrency::cancel_current_task.LIBCPMT ref: 00B059AB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: fdf44d0f9ebb611dde2ee6dc2db2196048ff0e9b57911847ca832d3e3367eb9d
Instruction ID: d630dce86e2ede573c3729fc2bc690eedff3a51339e07b1a48cbf85bdcc301a9
Opcode Fuzzy Hash: fdf44d0f9ebb611dde2ee6dc2db2196048ff0e9b57911847ca832d3e3367eb9d
Instruction Fuzzy Hash: 8801C032904619DFCB14EBA8C955ABE7BF5EF80720F240498F8146B2D1CF749E418BD1

Function 00B05ADB Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05AE2
std::_Lockit::_Lockit.LIBCPMT ref: 00B05AEC

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

messages.LIBCPMT ref: 00B05B26
std::_Facet_Register.LIBCPMT ref: 00B05B3D
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05B5D
Concurrency::cancel_current_task.LIBCPMT ref: 00B05B6A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 85d83f37bd8c4ff8499e1be34f65d5255109b8043f661a8759ca936218927f4f
Instruction ID: 8c8d95d89927e6e1c298e75869a9fd3fabf4d9ed2e152341b17c328fa43e93e0
Opcode Fuzzy Hash: 85d83f37bd8c4ff8499e1be34f65d5255109b8043f661a8759ca936218927f4f
Instruction Fuzzy Hash: 3401CC329046299FCB14EBA4C945BBE7BF5EF80720F240198F915AB2D1DF74AE41CB91

Function 00B05A46 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05A4D
std::_Lockit::_Lockit.LIBCPMT ref: 00B05A57

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

messages.LIBCPMT ref: 00B05A91
std::_Facet_Register.LIBCPMT ref: 00B05AA8
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05AC8
Concurrency::cancel_current_task.LIBCPMT ref: 00B05AD5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 995e0e09186bde6281fbbabc450e19a3a8161c5dc923b873a99165e8ca3b14bd
Instruction ID: d7d1754667bba0e2d2fda059c9b3ebe5ccf57835ea172a35d098104d3c9dd95c
Opcode Fuzzy Hash: 995e0e09186bde6281fbbabc450e19a3a8161c5dc923b873a99165e8ca3b14bd
Instruction Fuzzy Hash: E701C472E046299FCB14EB64C9856BE7BF5EF44320F244189F414673D1DF709E418B91

Function 00B05DC4 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05DCB
std::_Lockit::_Lockit.LIBCPMT ref: 00B05DD5

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

moneypunct.LIBCPMT ref: 00B05E0F
std::_Facet_Register.LIBCPMT ref: 00B05E26
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05E46
Concurrency::cancel_current_task.LIBCPMT ref: 00B05E53

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: c2dc9b74e4fa69e2e940f3a5b1cbfa50a34512125d57a54b500aeba818427211
Instruction ID: 128186b16f4a683832e43a299a4110bab4434f07703fd50a724ee4a300f90e23
Opcode Fuzzy Hash: c2dc9b74e4fa69e2e940f3a5b1cbfa50a34512125d57a54b500aeba818427211
Instruction Fuzzy Hash: 690100329046189BCB04EBA4CA41ABE7BF8EF84310F244498F8146B3D2DF70AF418B91

Function 00B05E59 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05E60
std::_Lockit::_Lockit.LIBCPMT ref: 00B05E6A

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

moneypunct.LIBCPMT ref: 00B05EA4
std::_Facet_Register.LIBCPMT ref: 00B05EBB
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05EDB
Concurrency::cancel_current_task.LIBCPMT ref: 00B05EE8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 82f4cfb34a3df1967fef605d591cfbaf5de5e585f259459002ddcfc417cd03e1
Instruction ID: 7ff693055d462cdade6c01a59fa52f83c78e4905501865386bc6f3d97fd3a4f7
Opcode Fuzzy Hash: 82f4cfb34a3df1967fef605d591cfbaf5de5e585f259459002ddcfc417cd03e1
Instruction Fuzzy Hash: E301E9729086289BCB04EBA4C9466AE7BB4AF80710F240498F824AB3D1CF709E418B90

Function 00B05F85 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05F8C
std::_Lockit::_Lockit.LIBCPMT ref: 00B05F96

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

moneypunct.LIBCPMT ref: 00B05FD0
std::_Facet_Register.LIBCPMT ref: 00B05FE7
std::_Lockit::~_Lockit.LIBCPMT ref: 00B06007
Concurrency::cancel_current_task.LIBCPMT ref: 00B06014

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 8db85237782a587593666c0dd31bc80f6aa2036fcec3d83a0e36d08b7bdd5bb0
Instruction ID: 16d776c4449f8216a5399081c7a7fbd8cd8b3bdeedbf4206b4ad15f42818c318
Opcode Fuzzy Hash: 8db85237782a587593666c0dd31bc80f6aa2036fcec3d83a0e36d08b7bdd5bb0
Instruction Fuzzy Hash: 56010032900229DFCB00EBA4C9416BEBBF8AF80310F244089F9146B2E1DF709E41CB90

Function 00B25AAE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 276threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::AddVirtualProcessorRoots.LIBCONCRT ref: 00B25D55
Concurrency::details::SchedulerProxy::RemoveCore.LIBCONCRT ref: 00B25D7C
Concurrency::details::SchedulerProxy::CreateExternalThreadResource.LIBCMT ref: 00B25DA3

Strings

4, xrefs: 00B25D3F
4, xrefs: 00B25CCC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Proxy::Scheduler$CoreCreateExternalProcessorRemoveResourceRootsThreadVirtual
String ID: 4$4
API String ID: 584893117-209682765
Opcode ID: f5a0c9d5b5aeb089787bf4dcd94342b214d6ed9610a56ff04947226763f2a091
Instruction ID: 06d7919160c25fdeb5dc5c2e424765d7fdd6e56a95382436da6ca731d5184647
Opcode Fuzzy Hash: f5a0c9d5b5aeb089787bf4dcd94342b214d6ed9610a56ff04947226763f2a091
Instruction Fuzzy Hash: 5CB13C70E05B29AFCF28CFA8D4946ADBBF1FF45310F1481AAD41967341D7709982CB90

Function 00B498FD Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 00B4994B
_free.LIBCMT ref: 00B49A97

Strings

*?, xrefs: 00B49940

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: c2975a21ad9b77671e98699c63fa40cc431605b571209ead144a58ee1d10f557
Instruction ID: 048ccea452d7e576f812f68e12d37757de2b59fca770a4463671e61093f44807
Opcode Fuzzy Hash: c2975a21ad9b77671e98699c63fa40cc431605b571209ead144a58ee1d10f557
Instruction Fuzzy Hash: B2611E75E00219AFDF14CFA9C8819EEFBF5EF48310B2481AAE855F7340D675AE419B90

Function 00B2C12F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00B2C18A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B2C1A9
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00B2C1F0

Strings

pContext, xrefs: 00B2C1A1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1284976207-2046700901
Opcode ID: 66c4dcce1ea9aff4fa6d20edcbb9fcaa65a5c50aa1b07e8ff0f7dbb18615941a
Instruction ID: a8e91dcd8c30c0af9824849a8c36f65ea655bad83f6589690651d6d1c87bead6
Opcode Fuzzy Hash: 66c4dcce1ea9aff4fa6d20edcbb9fcaa65a5c50aa1b07e8ff0f7dbb18615941a
Instruction Fuzzy Hash: DC2127357006359BCB14AB28E896ABD77E9FF84325F0001DAE519D76E2CF64AC52CBC0

Function 00B0C240 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0C247
_Getvals.LIBCPMT ref: 00B0C299
_Mpunct.LIBCPMT ref: 00B0C2D4
_Mpunct.LIBCPMT ref: 00B0C2EE

Strings

$+xv, xrefs: 00B0C2F9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 8229211dd7d0d215acb31686bfd4f37a7d0151cc74f5ed3eb87521023678595d
Instruction ID: b70b5f021b0fe9722e509d6ddddac977cebb2107ee810b794ce28c7ea55d8242
Opcode Fuzzy Hash: 8229211dd7d0d215acb31686bfd4f37a7d0151cc74f5ed3eb87521023678595d
Instruction Fuzzy Hash: 8321B2B1804B566FD721DFB4888077BBEF8AB08700F144A9AE499C7A81D730E601CB90

Function 00B31BCE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,00B31C8F,00000000,00000FA0,00B7698C,00000000,?,00B31DBA,00000004,InitializeCriticalSectionEx,00B5EB3C,00B5EB44,00000000), ref: 00B31C5E

Strings

api-ms-, xrefs: 00B31C1E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: d18b1e5ecc3e52f747d278ac7de385685af2fb031902456b12db1dc0027c20e2
Instruction ID: 162b1cea6a4e2634227507adc1fc4955fde739df755c395a3b5a0789ef878e9a
Opcode Fuzzy Hash: d18b1e5ecc3e52f747d278ac7de385685af2fb031902456b12db1dc0027c20e2
Instruction Fuzzy Hash: B4115E31A85621EBDF228B6D9C84B5977E8EF01B61F750991E911FB280EB70ED0086D1

Function 00AEC380 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC40D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

GMfA]Z, xrefs: 00AEC3D9
svcGenericHost, xrefs: 00AEC3EF, 00AEC418
K@K\, xrefs: 00AEC3A0
]XMi, xrefs: 00AEC397

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GMfA]Z$K@K\$]XMi$svcGenericHost
API String ID: 2296764815-99195005
Opcode ID: fdeb5867418c66b7e8ad30baef1f524d8de3b1337e50436474e12292645dffa7
Instruction ID: 7db741a2aadf8e5af34ef9b55f8c789e0ce5edfa4a9438bcb4fb023e7b9d4efd
Opcode Fuzzy Hash: fdeb5867418c66b7e8ad30baef1f524d8de3b1337e50436474e12292645dffa7
Instruction Fuzzy Hash: EE01C475A54244DBCB00EFACD84699DB7F0EF59710F1041E8E8296B361FF309A98CB51

Function 00AEC9E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECA6D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

EK\}XM, xrefs: 00AECA39
VeeamBrokerSvc, xrefs: 00AECA4F, 00AECA78
Cl\A, xrefs: 00AECA00
xKKO, xrefs: 00AEC9F7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Cl\A$EK\}XM$VeeamBrokerSvc$xKKO
API String ID: 2296764815-3874511878
Opcode ID: df48242c176fe7427a1475e0897d6dec29d6d3a9f076a54bc684c409995ef562
Instruction ID: b71504e4e21a312cfcc56a0184e06e0634f45998f67a34f17e9a9d1c511b21bf
Opcode Fuzzy Hash: df48242c176fe7427a1475e0897d6dec29d6d3a9f076a54bc684c409995ef562
Instruction Fuzzy Hash: 1C018E74D502099ACB00EFA8E8429BDB7F0FB05750F4042A8E41857361EF305A84CB96

Function 00AEC930 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC9BD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ClOM, xrefs: 00AEC950
VeeamBackupSvc, xrefs: 00AEC99F, 00AEC9C8
E[^}XM, xrefs: 00AEC989
xKKO, xrefs: 00AEC947

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ClOM$E[^}XM$VeeamBackupSvc$xKKO
API String ID: 2296764815-1257988969
Opcode ID: 26529553353992cb844a86618d6fef618ebabf1acc1560e6e12b4609c21aeb0f
Instruction ID: 12b0e1ea3387c74bab0ddbe28427fe4b3cd461235e127f5801414995bc3c8ed0
Opcode Fuzzy Hash: 26529553353992cb844a86618d6fef618ebabf1acc1560e6e12b4609c21aeb0f
Instruction Fuzzy Hash: 33016175954244DBCB40EFACD88159DB7F0EF19710F5042D9E8296B361EF309A84CF62

Function 00AEE960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE9ED

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

VK, xrefs: 00AEE995
CW]_, xrefs: 00AEE977
mysqld-opt.exe, xrefs: 00AEE9CF, 00AEE9F8
^Z, xrefs: 00AEE98E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CW]_$VK$^Z$mysqld-opt.exe
API String ID: 2296764815-329785801
Opcode ID: a82c0978155c0e40f15c84739f376b17a03f0cab1c343c92412cc847dfd7d597
Instruction ID: a6db8bc8c910e52074918b7ce3a9a4eb738a2d52649d24274cc828c05783f4aa
Opcode Fuzzy Hash: a82c0978155c0e40f15c84739f376b17a03f0cab1c343c92412cc847dfd7d597
Instruction Fuzzy Hash: F4016175A44648DACB10DFA8E84159CB7F0FF0D710F5042E9E869A73A1EE30DA84CB56

Function 00AECC20 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECCAD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

CjK^, xrefs: 00AECC40
BAW}XM, xrefs: 00AECC79
VeeamDeploySvc, xrefs: 00AECC8F, 00AECCB8
xKKO, xrefs: 00AECC37

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BAW}XM$CjK^$VeeamDeploySvc$xKKO
API String ID: 2296764815-908893773
Opcode ID: e5a74da09ab5f3d2382a5c326abca2b235b827447c940435262c675228606088
Instruction ID: f9280b13f425d3c0ecda7267e5a3716c8b8e5b8b11507ab09282de5d91aa449a
Opcode Fuzzy Hash: e5a74da09ab5f3d2382a5c326abca2b235b827447c940435262c675228606088
Instruction Fuzzy Hash: 3701AD74D44249DBCB00EFA9E8415ACB7F0FF19710F5041EAE82967361EF30AA84CB66

Function 00AE9CD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9D5D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ble, xrefs: 00AE9CF0
{~kv, xrefs: 00AE9CFE
km, xrefs: 00AE9D05
MSSQL$BKUPEXEC, xrefs: 00AE9D3F, 00AE9D68

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$BKUPEXEC$ble$km${~kv
API String ID: 2296764815-585898015
Opcode ID: 9690959038ae8c3152ab247e9f3d21f67805b095c116879f9677d0541b66c283
Instruction ID: 1f37220108d0e6a014b511595c5522e6bfb3884c27be884c9d614bb5a42d52a0
Opcode Fuzzy Hash: 9690959038ae8c3152ab247e9f3d21f67805b095c116879f9677d0541b66c283
Instruction Fuzzy Hash: 2D018875940245DBCB10DF98D9816BD77F0FB04700F5041A6F51997372EF709A80DB56

Function 00AE8580 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE860B

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

BackupExecDeviceMediaService, xrefs: 00AE85DD, 00AE8616
XGMK, xrefs: 00AE85DA
cKJG, xrefs: 00AE8597
O}K\, xrefs: 00AE85A0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BackupExecDeviceMediaService$O}K\$XGMK$cKJG
API String ID: 2296764815-2876972361
Opcode ID: 1d4b222f126ec7db56a63b25c97818740af8cccadac0789efef5105f3ce6514b
Instruction ID: 67819ef4fa72a6563f85ec6ab138d91327426bddca44e2437335cb556f0f8727
Opcode Fuzzy Hash: 1d4b222f126ec7db56a63b25c97818740af8cccadac0789efef5105f3ce6514b
Instruction Fuzzy Hash: 1C01AD74E442459BCB10EB68E9815B8B3F0EB19700F1056A9E81D672B1EF346A88CB55

Function 00AEE2A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE31E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

encsvc.exe, xrefs: 00AEE300, 00AEE329
VK, xrefs: 00AEE2CE
K@M], xrefs: 00AEE2B7
XM, xrefs: 00AEE2C0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K@M]$VK$XM$encsvc.exe
API String ID: 2296764815-4183728285
Opcode ID: f809a16fbe8bcacc050d76182c58d2507add1cd26aa90ebe3bbd2db7504188f5
Instruction ID: c7d5de70167c01c60be8baff4ff1914960a7a76f227bd0f507afd0a734a5c1bb
Opcode Fuzzy Hash: f809a16fbe8bcacc050d76182c58d2507add1cd26aa90ebe3bbd2db7504188f5
Instruction Fuzzy Hash: 5401D474A64645DBC710EFA8E9425ACB7F0EF0D740F5001A9E82D57372EF319A84CB59

Function 00AE8200 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE827D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

oM\A, xrefs: 00AE8217
AcronisAgent, xrefs: 00AE8260, 00AE8288
IK@Z, xrefs: 00AE8258
@G]o, xrefs: 00AE8220

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @G]o$AcronisAgent$IK@Z$oM\A
API String ID: 2296764815-1771947966
Opcode ID: 9d1aaeca5a5187a615dfd33eb7dd6ae1f81666e3be6622b713533566dec40605
Instruction ID: f7843320b2f9c220561d7ee3a7120d323a4245e3efafad323a4f26ae94c42438
Opcode Fuzzy Hash: 9d1aaeca5a5187a615dfd33eb7dd6ae1f81666e3be6622b713533566dec40605
Instruction Fuzzy Hash: 9301D876A51204DBCB50EFA8D94169EB7F0EB09710F4406E9E52967361EE30AE84CB62

Function 00AEE200 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE27E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

C^, xrefs: 00AEE220
VK, xrefs: 00AEE22E
dbsnmp.exe, xrefs: 00AEE260, 00AEE289
JL]@, xrefs: 00AEE217

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C^$JL]@$VK$dbsnmp.exe
API String ID: 2296764815-1724149682
Opcode ID: be11425d5a24adab1225bf5d5f9bf673b0ed0daf73a3a4246d844d76191752ff
Instruction ID: 164fe4d1a3a72762cae884f1d3bd3f7e7ee37bcdda26a73d314bb9ad79b055bd
Opcode Fuzzy Hash: be11425d5a24adab1225bf5d5f9bf673b0ed0daf73a3a4246d844d76191752ff
Instruction Fuzzy Hash: 70012475D502499BCB10EFA8A94269C77F0EF0C700F0006D8E5296B360EE309E84CB42

Function 00AEC430 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC4AE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]YGq, xrefs: 00AEC447
HGBZ, xrefs: 00AEC450
swi_filter, xrefs: 00AEC490, 00AEC4B9
K\, xrefs: 00AEC45E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: HGBZ$K\$]YGq$swi_filter
API String ID: 2296764815-836769703
Opcode ID: 98c83aa3e030fbf8bc6f809bdb94500e60904c045aa858460b3e6d913eacfa67
Instruction ID: 6188ba585b8ea52efd51a210a28e52da138bf517e765cfab32c5963b4112d524
Opcode Fuzzy Hash: 98c83aa3e030fbf8bc6f809bdb94500e60904c045aa858460b3e6d913eacfa67
Instruction Fuzzy Hash: 2901D878A54244DBDB50EFA99C414ACB7F0FF19710F5005D5E8385B3A1EE30A984DB55

Function 00AEE820 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE89E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

mysqld.exe, xrefs: 00AEE880, 00AEE8A9
VK, xrefs: 00AEE84E
CW]_, xrefs: 00AEE837
BJ, xrefs: 00AEE840

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BJ$CW]_$VK$mysqld.exe
API String ID: 2296764815-2989230
Opcode ID: b100dfbe34ead912b6c08ec16ba18b159235980916e7431788e96128d9bab0e0
Instruction ID: 860cef836e840386400a11b2b1261ba6300fb9c32c00d1c83616b262ee2230d5
Opcode Fuzzy Hash: b100dfbe34ead912b6c08ec16ba18b159235980916e7431788e96128d9bab0e0
Instruction Fuzzy Hash: 1A01B174A942089BCB10EBA8A84159CB7F0FB18744F4049E9E929573B1FE309A88DB55

Function 00AE8BE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8C5D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

[BK\, xrefs: 00AE8C38
FA_Scheduler, xrefs: 00AE8C40, 00AE8C68
MFKJ, xrefs: 00AE8C00
hoq}, xrefs: 00AE8BF7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: FA_Scheduler$MFKJ$[BK\$hoq}
API String ID: 2296764815-2915723811
Opcode ID: b40d3ce820611e4131c4c67b46eb55bce1c708d31d9170cb6b439dd618a1559f
Instruction ID: 82adb7756d723d0bb58c494ec12c8afa0c9ac726586edfe95707dae72261a255
Opcode Fuzzy Hash: b40d3ce820611e4131c4c67b46eb55bce1c708d31d9170cb6b439dd618a1559f
Instruction Fuzzy Hash: 4E01B170A40204DFCB10DFA8E9418ACB7F0EB2D700F6042E8E83967351EF34DA849B62

Function 00AEAC90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEAD0D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

PDVFSService, xrefs: 00AEACF0, 00AEAD18
XGMK, xrefs: 00AEACE8
~jxh, xrefs: 00AEACA7
}}K\, xrefs: 00AEACB0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: PDVFSService$XGMK$}}K\$~jxh
API String ID: 2296764815-3528821785
Opcode ID: 66659d357d3a7b1debc76b7eba1beaf1d9fe49a77a1aec6e412edca8bcb92bd6
Instruction ID: c0a49a29195c6fecbcbc8a18fedbff07abb31920ffeeab5d12b8cbe764bdfa2f
Opcode Fuzzy Hash: 66659d357d3a7b1debc76b7eba1beaf1d9fe49a77a1aec6e412edca8bcb92bd6
Instruction Fuzzy Hash: F501B570E50245ABCB10EF6CE9866BDB7F0BB24350F5002A4E91567361EF309A88C752

Function 00AEEC70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEECEE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

BK, xrefs: 00AEEC90
VK, xrefs: 00AEEC9E
A\OM, xrefs: 00AEEC87
oracle.exe, xrefs: 00AEECD0, 00AEECF9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A\OM$BK$VK$oracle.exe
API String ID: 2296764815-593678778
Opcode ID: 7334573b23d0cb7b57d620437ecf7afc99ca39532a4665a3aa4808151704f4f5
Instruction ID: 525a0b8f66b6adaad038997a50dcdb45fd4fd6ae6f03be103fac303be9e03586
Opcode Fuzzy Hash: 7334573b23d0cb7b57d620437ecf7afc99ca39532a4665a3aa4808151704f4f5
Instruction Fuzzy Hash: F901B57494030597C710DFA8E8515AD77F0EF08710F5001E8E8395B361EE3099C4C75A

Function 00AEADC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEAE3D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

|K^A, xrefs: 00AEADD7
\Z}K, xrefs: 00AEADE0
ReportServer, xrefs: 00AEAE20, 00AEAE48
\XK\, xrefs: 00AEAE18

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ReportServer$\XK\$\Z}K$|K^A
API String ID: 2296764815-2148266098
Opcode ID: 5c5eb28b5c30a40d7bff8d498cd8236aa095fbab4abecade324cbef9937ea0c1
Instruction ID: 8b986417892697efc4a46320fbcc373373247e6fc01bb32dc49b1c095336999e
Opcode Fuzzy Hash: 5c5eb28b5c30a40d7bff8d498cd8236aa095fbab4abecade324cbef9937ea0c1
Instruction Fuzzy Hash: 8F01B574A44204DFCB20EFA8E84296DB7F4EB18704F4046E9E42DA7361EE309E848B61

Function 00AECEA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECF1D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

xKKO, xrefs: 00AECEB7
VeeamRESTSvc, xrefs: 00AECF00, 00AECF28
C|k}, xrefs: 00AECEC0
z}XM, xrefs: 00AECEF8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C|k}$VeeamRESTSvc$xKKO$z}XM
API String ID: 2296764815-1106230417
Opcode ID: 136b531043bd923d1fb83a546ccab5b003376e597e13b767795b9f2f4846a3ad
Instruction ID: ce5edd4c5e0c3e30cfa8204527afa7cd5ee18451687cfeb377b195fc9f726aa8
Opcode Fuzzy Hash: 136b531043bd923d1fb83a546ccab5b003376e597e13b767795b9f2f4846a3ad
Instruction Fuzzy Hash: 42019EB4A543049BCB40EFA8E94156DB7F0EB48350F5006A9E40567361FF306A58DF92

Function 00AEB290 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB30E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K\XG, xrefs: 00AEB2B0
SAVService, xrefs: 00AEB2F0, 00AEB319
}ox}, xrefs: 00AEB2A7
MK, xrefs: 00AEB2BE

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K\XG$MK$SAVService$}ox}
API String ID: 2296764815-2675872916
Opcode ID: 4314230d5e8e9b4e44115dc95814e23d186e4e1f77cab2ed8421613959fae842
Instruction ID: 038351eb8eb596e89508153c9551d164b8935fb27cd0ace7b213ec6ee4ab6428
Opcode Fuzzy Hash: 4314230d5e8e9b4e44115dc95814e23d186e4e1f77cab2ed8421613959fae842
Instruction Fuzzy Hash: AE01B175A402449BDB10DFA8A88259D77F0EF1C714F5049E8F8395B361EF309A849B92

Function 00AEF2F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF36E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

thebat.exe, xrefs: 00AEF350, 00AEF379
OZ, xrefs: 00AEF310
VK, xrefs: 00AEF31E
ZFKL, xrefs: 00AEF307

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: OZ$VK$ZFKL$thebat.exe
API String ID: 2296764815-2334970971
Opcode ID: 7dcacc8ee3250a747d05bb5698cbad6567b6aa936557fec420aed16308479b6b
Instruction ID: 6276c2ae5bb23c8055ca1bfca0ac289466b6c2dfb6b440ba39279a1885eb329d
Opcode Fuzzy Hash: 7dcacc8ee3250a747d05bb5698cbad6567b6aa936557fec420aed16308479b6b
Instruction Fuzzy Hash: 5C01B1749482099BC704DFA8A95259DB7F0EF0D300F5041E9E8395B3A1FE319E848B52

Function 00AED340 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED3BE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

[^JO, xrefs: 00AED360
]YGq, xrefs: 00AED357
ZK, xrefs: 00AED36E
swi_update, xrefs: 00AED3A0, 00AED3C9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ZK$[^JO$]YGq$swi_update
API String ID: 2296764815-2167801236
Opcode ID: fdd400145564a601d38d434d153fdad452a81c6b2b27b675209f403b6880d6bf
Instruction ID: bab016c1ede983352482c9c8c2add5abe057580092eb6444446ce70e439a804e
Opcode Fuzzy Hash: fdd400145564a601d38d434d153fdad452a81c6b2b27b675209f403b6880d6bf
Instruction Fuzzy Hash: 5301D47494520ADBC710DFA8E9425BDB7F0EB0A700F5045A9E8299B361EF305AC48B9A

Function 00AEB540 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB5BE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MK, xrefs: 00AEB56E
SmcService, xrefs: 00AEB5A0, 00AEB5C9
}CM}, xrefs: 00AEB557
K\XG, xrefs: 00AEB560

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K\XG$MK$SmcService$}CM}
API String ID: 2296764815-4057947759
Opcode ID: 3b2e06a1e363345425360e8c364530350ca60089e020c66b548cf1be772a5c02
Instruction ID: 09e66af502d6cda053c4ca9d07b50f09676b17fc4db401c5233862966756dd2d
Opcode Fuzzy Hash: 3b2e06a1e363345425360e8c364530350ca60089e020c66b548cf1be772a5c02
Instruction Fuzzy Hash: 8001D475A44248DBC710DFA8E8529AD77F0EF19708F0049E9E82957362EF309A948B67

Function 00AE96D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE974D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

c}kV, xrefs: 00AE96E7
MFO@, xrefs: 00AE96F0
MSExchangeES, xrefs: 00AE9730, 00AE9758
IKk}, xrefs: 00AE9728

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IKk}$MFO@$MSExchangeES$c}kV
API String ID: 2296764815-2790495991
Opcode ID: 575c97ca56287f175a1d88fba34df0eb8c264aa908cd8774c344425949b9d171
Instruction ID: d01b06a72e6ba8f9fad255ca1d11a3de4602e07b63b9a76f049833905f709bb7
Opcode Fuzzy Hash: 575c97ca56287f175a1d88fba34df0eb8c264aa908cd8774c344425949b9d171
Instruction Fuzzy Hash: B1019E70E60208DBCB00EF68A9815ADB7F0EB0D700B5042E9E92957361EF309A48CB56

Function 00AE9770 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE97ED

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSExchangeIS, xrefs: 00AE97D0, 00AE97F8
IKg}, xrefs: 00AE97C8
MFO@, xrefs: 00AE9790
c}kV, xrefs: 00AE9787

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IKg}$MFO@$MSExchangeIS$c}kV
API String ID: 2296764815-3057984975
Opcode ID: 4e6a14c968944c7baf394e954abfddf161ff658e63d1aac573eba9ef7c8a287b
Instruction ID: 06fcd2e2f773e14e8b90d86834b23a77709e1cffbf71539a7d973d0817878925
Opcode Fuzzy Hash: 4e6a14c968944c7baf394e954abfddf161ff658e63d1aac573eba9ef7c8a287b
Instruction Fuzzy Hash: 7301B570E5024ADBC700EF78EC8156DB7F0E70D710F4051A9E819973A1EF305A48CB55

Function 00AE9960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE99DD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSExchangeSA, xrefs: 00AE99C0, 00AE99E8
IK}o, xrefs: 00AE99B8
c}kV, xrefs: 00AE9977
MFO@, xrefs: 00AE9980

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IK}o$MFO@$MSExchangeSA$c}kV
API String ID: 2296764815-2044683369
Opcode ID: 3890eb0d05abd4d67bfd1ec194f299b93eea1435046a636f329593f3128af40c
Instruction ID: e250418446df77e8d755f62eb5ed51f49cc807446fb080f76d809e4a63481c3b
Opcode Fuzzy Hash: 3890eb0d05abd4d67bfd1ec194f299b93eea1435046a636f329593f3128af40c
Instruction Fuzzy Hash: 3801B170E45249DBCB50EF68E94296DB7F0AB0A740F4002A9E4296B371EF709A44CB52

Function 00AE9B90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9C0E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSOLAP$TPS, xrefs: 00AE9BF0, 00AE9C19
c}ab, xrefs: 00AE9BA7
~}, xrefs: 00AE9BBE
o~z, xrefs: 00AE9BB0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSOLAP$TPS$c}ab$o~z$~}
API String ID: 2296764815-4167753941
Opcode ID: 9cb4ae5f11582d601f0ca71c11c23b3aa54dba5620aea3cd9129b4a0c03b1e3e
Instruction ID: 92c7a796a8c849849063fec1e55f471c3245e87a2cc515a6b55fb83f35e3be83
Opcode Fuzzy Hash: 9cb4ae5f11582d601f0ca71c11c23b3aa54dba5620aea3cd9129b4a0c03b1e3e
Instruction Fuzzy Hash: F701F175E643059FC700FFA9EA815ADB3F0AB19700F1005A8E4286B361EF305A84CF66

Function 00AEE8C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE944

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Z, xrefs: 00AEE8E4
K., xrefs: 00AEE8F2
CW]_, xrefs: 00AEE8D6
mysqld-nt.exe, xrefs: 00AEE92C, 00AEE94F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CW]_$K.$Z$mysqld-nt.exe
API String ID: 2296764815-2222182956
Opcode ID: 718c4649d0ccf317e2ea516f8ce0a54e6be7d92503af05858ea2d155a6c7e485
Instruction ID: 7f0f3858916d0700a71b46f0aef9c596cf3cca3df622960c48d4476c0ef37304
Opcode Fuzzy Hash: 718c4649d0ccf317e2ea516f8ce0a54e6be7d92503af05858ea2d155a6c7e485
Instruction Fuzzy Hash: 3E012474D94209DBCF00EFA8D9515ACB7F0FB08700F5041E9E91967361EB345A88CB9A

Function 00AECAF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECB74

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

[J}XM., xrefs: 00AECB46
xKKO, xrefs: 00AECB06
CmBA, xrefs: 00AECB0D
VeeamCloudSvc, xrefs: 00AECB5C, 00AECB7F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CmBA$VeeamCloudSvc$[J}XM.$xKKO
API String ID: 2296764815-3708274696
Opcode ID: 4be9388af442465b190f412f0b6f4a22d36b22009d3f4629ea5200e486939111
Instruction ID: d891a7d04d4f0e988d6ed208a600d620475253f973acbf102f853ced365ba02e
Opcode Fuzzy Hash: 4be9388af442465b190f412f0b6f4a22d36b22009d3f4629ea5200e486939111
Instruction Fuzzy Hash: 1A01B174E54208DBCB00EFA8D94259DB7F0EF48710F1142DAEC2967361EF309A95CB9A

Function 00AECD70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECDF4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

CcA[, xrefs: 00AECD8D
@Z}XM., xrefs: 00AECDC6
VeeamMountSvc, xrefs: 00AECDDC, 00AECDFF
xKKO, xrefs: 00AECD86

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @Z}XM.$CcA[$VeeamMountSvc$xKKO
API String ID: 2296764815-2569746707
Opcode ID: 2200ff6b4f370ee8c216bc835ea58be1c280c64d4a1b3be23f4fa1cef845e36a
Instruction ID: f1bfcaa1f292599d172fc49acc459943a957b22461818e37c4226e62106873f7
Opcode Fuzzy Hash: 2200ff6b4f370ee8c216bc835ea58be1c280c64d4a1b3be23f4fa1cef845e36a
Instruction Fuzzy Hash: 5201D274D10209EBCB10EF98D8416ADB7F0FB44700F5002A9E91967371EB309A94CB55

Function 00AED7E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED864

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K]_B, xrefs: 00AED7FD
C]HZ, xrefs: 00AED7F6
msftesql$PROD, xrefs: 00AED84C, 00AED86F
~|aj., xrefs: 00AED836

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ~|aj.$C]HZ$K]_B$msftesql$PROD
API String ID: 2296764815-1382501710
Opcode ID: 1d8f47d125ffcd35de85d278bc95d9101f4e7ea3ae3f9aaf0fed9c369fde0d84
Instruction ID: 3bccebd9d5d102ce22a12adf5f77b3df6d13230501b75c5af699587eb120de44
Opcode Fuzzy Hash: 1d8f47d125ffcd35de85d278bc95d9101f4e7ea3ae3f9aaf0fed9c369fde0d84
Instruction Fuzzy Hash: DE01B574E10209DBCB00FFA8D98159CBBF0EF18700F4041E9E82957361EB30AA85CF62

Function 00AE7A80 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7AFE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Sophos Device Control Service, xrefs: 00AE7AE4, 00AE7B09
\XGM, xrefs: 00AE7AB6
K., xrefs: 00AE7ABD
@Z\A, xrefs: 00AE7AA1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @Z\A$K.$Sophos Device Control Service$\XGM
API String ID: 2296764815-2120237448
Opcode ID: f5189d4c6051c98605cec34825f78593719f99a2fa0a6beba623736aaffb5d56
Instruction ID: 278844012cfef29f5846cabd9f8b45d14804787d094d148ce5c02c8af75e509a
Opcode Fuzzy Hash: f5189d4c6051c98605cec34825f78593719f99a2fa0a6beba623736aaffb5d56
Instruction Fuzzy Hash: EA01B570D44248DBC710DFA8D9429AC73F4EF08300F5081E9E81AA7262EB715E80DB96

Function 00AE7F00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7F7B

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AE7F3C
MK, xrefs: 00AE7F36
K\XG, xrefs: 00AE7F2F
Sophos Web Control Service, xrefs: 00AE7F61, 00AE7F86

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$K\XG$MK$Sophos Web Control Service
API String ID: 2296764815-2295121513
Opcode ID: a3a2a613eb376b35f854209198d4929030b15c069361ce1df973e02b6e1552a1
Instruction ID: 149eab67864388650fe6175d194adfea774389e94cc549957930c6f8a3b8800a
Opcode Fuzzy Hash: a3a2a613eb376b35f854209198d4929030b15c069361ce1df973e02b6e1552a1
Instruction Fuzzy Hash: 2201B171D54248DBCB50FBA8D942AACB7F0EB18340F000198EC15772B1EFB06A88CB55

Function 00AE8030 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE80A4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AE8065
MK, xrefs: 00AE805F
SQLsafe Filter Service, xrefs: 00AE808A, 00AE80AF
K\XG, xrefs: 00AE8051

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$K\XG$MK$SQLsafe Filter Service
API String ID: 2296764815-2972806208
Opcode ID: 19a6431e56276f3954fc27217ddd7f8a769b75f0afdeebf67b0bd9a85596b11a
Instruction ID: 09a40e01c5853b8380f715be043f172712026bb25e493391878abe0f6a3bdea0
Opcode Fuzzy Hash: 19a6431e56276f3954fc27217ddd7f8a769b75f0afdeebf67b0bd9a85596b11a
Instruction Fuzzy Hash: C501A770E44249EBC710EB6CD9427BDB7F49B18304F4041E8E919673A2EE349B898B55

Function 00AE84F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8564

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AE8525
BackupExecAgentBrowser, xrefs: 00AE854A, 00AE856F
K\, xrefs: 00AE851F
\AY], xrefs: 00AE8511

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$BackupExecAgentBrowser$K\$\AY]
API String ID: 2296764815-2846957761
Opcode ID: 98a0233b5be0feb264e0477dff37f0b7ab859931fff3369100c7925dfb37056b
Instruction ID: 1a2d2a0220952e73eaec86afe8d313dc5aca8f442bb60a759a5545c4eca3d3d9
Opcode Fuzzy Hash: 98a0233b5be0feb264e0477dff37f0b7ab859931fff3369100c7925dfb37056b
Instruction Fuzzy Hash: 2401FC70D4424C9FC710EB64D94169CB3F0AF14704F4041E4EC69533A1FF346A85DB56

Function 00AE86C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8742

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

GMK., xrefs: 00AE86E4
BackupExecManagementService, xrefs: 00AE871A, 00AE874D
CK@Z, xrefs: 00AE86D6
}K\X, xrefs: 00AE86DD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BackupExecManagementService$CK@Z$GMK.$}K\X
API String ID: 2296764815-697340830
Opcode ID: 39fa1da321198893fdcdf54257fc47c3e5ba4812c073312fee1b8c4fa2cb3a30
Instruction ID: 18eae0fe7ff0cc6e8bb1546b66927bbd481fa2d7c67267e258a0177b7056912a
Opcode Fuzzy Hash: 39fa1da321198893fdcdf54257fc47c3e5ba4812c073312fee1b8c4fa2cb3a30
Instruction Fuzzy Hash: BE015271E44248DBCB11DFA8D942599B7F0EF28704F5042E5E9295B361EF34AAC09B52

Function 00AEA810 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA884

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AEA845
co, xrefs: 00AEA83F
z~}o, xrefs: 00AEA831
MSSQLFDLauncher$TPSAMA, xrefs: 00AEA86A, 00AEA88F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$MSSQLFDLauncher$TPSAMA$co$z~}o
API String ID: 2296764815-936918149
Opcode ID: caca1379866a12968f244fb436a7c598d93988688cd68541240b3cc66da1d825
Instruction ID: 2c5b3ef523fbcdc3927bc69d0e2e8f04d20a257223b2ae3909db73b3f94c7ad9
Opcode Fuzzy Hash: caca1379866a12968f244fb436a7c598d93988688cd68541240b3cc66da1d825
Instruction Fuzzy Hash: 1301A771E442489BCB00EB68D9427AC77F49F58700F4041E9ED1557362EE747B85CB56

Function 00AEA9C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEAA34

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQLServerOLAPService, xrefs: 00AEAA1A, 00AEAA3F
MK, xrefs: 00AEA9EF
K\XG, xrefs: 00AEA9E1
., xrefs: 00AEA9F5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$K\XG$MK$MSSQLServerOLAPService
API String ID: 2296764815-1809702662
Opcode ID: 4c4a051063b18da5b96ff2d3f2634911f983928553329297b1b5dd4ad63900aa
Instruction ID: c16d9f2dc502c367ad315dfa4f0602dc2533bb27e5bf5b190cba63e3853dfa09
Opcode Fuzzy Hash: 4c4a051063b18da5b96ff2d3f2634911f983928553329297b1b5dd4ad63900aa
Instruction Fuzzy Hash: 7801AC70D442499BC710DF68D9415BCB7F4EF14304F4081F6EC1967361DE346A84DB95

Function 00AECB90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECC04

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AECBC5
MK, xrefs: 00AECBBF
VeeamDeploymentService, xrefs: 00AECBEA, 00AECC0F
K\XG, xrefs: 00AECBB1

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$K\XG$MK$VeeamDeploymentService
API String ID: 2296764815-3154789995
Opcode ID: 3261ba2f41825221b1952c6641b230af88150a6fac6195f69bd2b45d6fa180e8
Instruction ID: 6ba2b6b6baf7fa9bde4e3f86feaf1537e6407df7ea09d16fb730b55e25f505d2
Opcode Fuzzy Hash: 3261ba2f41825221b1952c6641b230af88150a6fac6195f69bd2b45d6fa180e8
Instruction Fuzzy Hash: 2D01D870E442489BCB00FF68D84269C77F0AF18304F5049E4E829572A1DE309A85CB55

Function 00AECCD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECD53

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

M., xrefs: 00AECCF4
VeeamEnterpriseManagerSvc, xrefs: 00AECD2A, 00AECD5E
O@OI, xrefs: 00AECCE6
K\}X, xrefs: 00AECCED

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K\}X$M.$O@OI$VeeamEnterpriseManagerSvc
API String ID: 2296764815-447243061
Opcode ID: 604fde2c785ff9faaabf90e50498d913c00ac4e6753e67c41d2af2ce95c6df58
Instruction ID: c3febfc54371ff9d92ba8c3afc760aaf2caba47445fc8042d0bd31918943eed5
Opcode Fuzzy Hash: 604fde2c785ff9faaabf90e50498d913c00ac4e6753e67c41d2af2ce95c6df58
Instruction Fuzzy Hash: 7601B175D10705D7CB04EBA8E8825ACB7F0EF18704F0046A8E93917371EF30AA85CB55

Function 00AED480 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED503

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

h|oc, xrefs: 00AED49D
SQLAgent$CITRIX_METAFRAME, xrefs: 00AED4DA, 00AED50E
ckzo, xrefs: 00AED496
k., xrefs: 00AED4A4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$CITRIX_METAFRAME$ckzo$h|oc$k.
API String ID: 2296764815-838170369
Opcode ID: 257e6789e215e25a897e8057b8019bb7d5938b20bff4c92a638a40f6aed79387
Instruction ID: 08d0e669ecb45bda3abd7a72c0d97a884db213ba06d14a1e8e4ce14de64507b0
Opcode Fuzzy Hash: 257e6789e215e25a897e8057b8019bb7d5938b20bff4c92a638a40f6aed79387
Instruction Fuzzy Hash: 7001B135D246099AC750FFA8E9926AC73F0AF09740F401298E80927371FF305AD8CB91

Function 00AEBAE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBB54

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLAgent$SBSMONITORING, xrefs: 00AEBB3A, 00AEBB5F
., xrefs: 00AEBB15
za|g, xrefs: 00AEBB01
`i, xrefs: 00AEBB0F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$SQLAgent$SBSMONITORING$`i$za|g
API String ID: 2296764815-3138662694
Opcode ID: 55bac2e21ab761fecd5286afc456aab97929c4e18530763c1983bcd28daead10
Instruction ID: b3f9d96e8d998589a79e2c12e09c86466ecfa12f17d2674651b1a098e4f16a8b
Opcode Fuzzy Hash: 55bac2e21ab761fecd5286afc456aab97929c4e18530763c1983bcd28daead10
Instruction Fuzzy Hash: B501D474E44249DBC710FBA8DD466ADB7F0AF05300F0045F8E905532A2EE346A858B66

Function 00AE7FA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8014

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MK, xrefs: 00AE7FCF
K\XG, xrefs: 00AE7FC1
., xrefs: 00AE7FD5
SQLsafe Backup Service, xrefs: 00AE7FFA, 00AE801F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$K\XG$MK$SQLsafe Backup Service
API String ID: 2296764815-3025942052
Opcode ID: 70b8f25d6b6a58aacf9c7347d6ed9e06b684bc45e6cf1a2f1ee377ad7ad63765
Instruction ID: e5cf22c5fd74e5c2058d4b0554de96932cfe8624283f0f2e5f6ec4ad71ff86d0
Opcode Fuzzy Hash: 70b8f25d6b6a58aacf9c7347d6ed9e06b684bc45e6cf1a2f1ee377ad7ad63765
Instruction Fuzzy Hash: 4501F730D54648DBC750FF68D8466ACB7F0DF15304F0042E9E819673B2EE746A88CB55

Function 00AEE0E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE154

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]XM, xrefs: 00AEE0FD
KVK., xrefs: 00AEE104
OI@Z, xrefs: 00AEE0F6
agntsvc.exe, xrefs: 00AEE13D, 00AEE15F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KVK.$OI@Z$]XM$agntsvc.exe
API String ID: 2296764815-1606373819
Opcode ID: 76b5843cb76cd7b01dff1349371a7d98b10821851d44d2d048bcec0137bd7f71
Instruction ID: 5af2e6e2b339440d3f9f0f008b57ad75fbbaf9700a1da2a9841005049485262d
Opcode Fuzzy Hash: 76b5843cb76cd7b01dff1349371a7d98b10821851d44d2d048bcec0137bd7f71
Instruction Fuzzy Hash: 8101A271E40249EFCB00FFA8D9426ADB7F1FB45700F4042A9E9295B361EF349A84DB85

Function 00AEE050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE0C5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

T, xrefs: 00AEE06D
K., xrefs: 00AEE074
TAAB, xrefs: 00AEE066
zoolz.exe, xrefs: 00AEE0AD, 00AEE0D0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$T$TAAB$zoolz.exe
API String ID: 2296764815-237858234
Opcode ID: 1eb480b558a09c8480832628b54d2af9d02eb903931ce2f20235668683a0b1ed
Instruction ID: 44578da085707986d89cd2e9f85be8d77a51b84fb774cbe0207389952c70c6d8
Opcode Fuzzy Hash: 1eb480b558a09c8480832628b54d2af9d02eb903931ce2f20235668683a0b1ed
Instruction Fuzzy Hash: 2F014F7496024496CB50FFA8D9826ACB7F0EB15740F9016A9ED2967371EF306A48CB61

Function 00AEE340 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE3B5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K., xrefs: 00AEE364
KVMK, xrefs: 00AEE356
excel.exe, xrefs: 00AEE39D, 00AEE3C0
B, xrefs: 00AEE35D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: B$K.$KVMK$excel.exe
API String ID: 2296764815-3510955798
Opcode ID: 1efc89f21beb98ac98d16fb896a50e55507ff9e7a8c6d4d80bf8ab13ac1eb226
Instruction ID: 7c7d2b501fae411d88dadc8d71c24fd893fddbf0b72f8c10f2b3c0bcd7ccb85a
Opcode Fuzzy Hash: 1efc89f21beb98ac98d16fb896a50e55507ff9e7a8c6d4d80bf8ab13ac1eb226
Instruction Fuzzy Hash: 3201677495020597CB10DF98E9425ACB7F0EF19701F9041E9E92E6B3A1EF3059819755

Function 00AE8340 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE83B5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Antivirus, xrefs: 00AE839D, 00AE83C0
]., xrefs: 00AE8364
o@ZG, xrefs: 00AE8356
XG\[, xrefs: 00AE835D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Antivirus$XG\[$].$o@ZG
API String ID: 2296764815-3072000146
Opcode ID: 9d5a332561606e65cfff08457e7e9be2487783aaa507a67f77815d957d773f16
Instruction ID: 26c7460cf24f079db0ac4ef2a5a2218b2859e6c7ad7e03aa68e03b6067cb7601
Opcode Fuzzy Hash: 9d5a332561606e65cfff08457e7e9be2487783aaa507a67f77815d957d773f16
Instruction Fuzzy Hash: 38018F749642499BCB00FBA8D8419EDB3F0BB05B00F4006A9E8295B361EF305A85CB95

Function 00AEC4D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC544

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

GMK., xrefs: 00AEC525
]K\X, xrefs: 00AEC4ED
swi_service, xrefs: 00AEC52D, 00AEC54F
]YGq, xrefs: 00AEC4E6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GMK.$]K\X$]YGq$swi_service
API String ID: 2296764815-2402337137
Opcode ID: 023171be3d64200d59e4625adeee726bd69477d798ca75c29044a9ecf5c2e960
Instruction ID: 0cc36815a16a77efb26d3355d25863dc5037f2be2b53643b391c9478628e7cfa
Opcode Fuzzy Hash: 023171be3d64200d59e4625adeee726bd69477d798ca75c29044a9ecf5c2e960
Instruction Fuzzy Hash: 47018470D50308DBCB40EFA8D8815AC77F0AB55710F9002E9E8295B361FF306A94CF51

Function 00AEE6A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE715

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

mspub.exe, xrefs: 00AEE6FD, 00AEE720
C]^[, xrefs: 00AEE6B6
K., xrefs: 00AEE6C4
L, xrefs: 00AEE6BD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C]^[$K.$L$mspub.exe
API String ID: 2296764815-22581249
Opcode ID: 7cb67b60c1867ac207f0d3dcc81ea1892685f70e6ff08f1b26b44dfed48391be
Instruction ID: 56eba3c8cbf1247069f07c41520b2339cbf337b56c7bf32054314b0109329fb6
Opcode Fuzzy Hash: 7cb67b60c1867ac207f0d3dcc81ea1892685f70e6ff08f1b26b44dfed48391be
Instruction Fuzzy Hash: F9016774D54204DBCB40EF98D9815AD77F0EF18700F4041D9E9296B362FB305A85DF56

Function 00AEEAC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEB35

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

C, xrefs: 00AEEADD
ocomm.exe, xrefs: 00AEEB1D, 00AEEB40
AMAC, xrefs: 00AEEAD6
K., xrefs: 00AEEAE4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AMAC$C$K.$ocomm.exe
API String ID: 2296764815-3940452268
Opcode ID: 849658876e7c5924b625cddbee9ae193a41be96149ebdc00feb103ce831eb0e3
Instruction ID: 935da99bbc2fe4fa738ca2d67b7bd3dc8f9e3762fbe5ab7e21f266513dc77bbf
Opcode Fuzzy Hash: 849658876e7c5924b625cddbee9ae193a41be96149ebdc00feb103ce831eb0e3
Instruction Fuzzy Hash: EB01A278E6060997CB50EFA8D8425AC73F0EB05700F5042E9E8195B361EF306E84CF56

Function 00AEEBE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEC54

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

AZK, xrefs: 00AEEBFD
A@K@, xrefs: 00AEEBF6
onenote.exe, xrefs: 00AEEC3D, 00AEEC5F
KVK., xrefs: 00AEEC04

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A@K@$AZK$KVK.$onenote.exe
API String ID: 2296764815-3074573680
Opcode ID: bffcad97e2ca063bc2e2749c39500ffecc9e8ac7f2769bb3f9d780ec6d9e62ff
Instruction ID: 3c2dc75ab65937e65b0b181f49633694c3b8643b15bcb0bc6b0ac077e980abd4
Opcode Fuzzy Hash: bffcad97e2ca063bc2e2749c39500ffecc9e8ac7f2769bb3f9d780ec6d9e62ff
Instruction Fuzzy Hash: D801A770E502089BC700EFA8D98659DB7F0EB08704F5046D9E92967361EB749A84CB91

Function 00AE8B50 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8BC4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

EsgShKernel, xrefs: 00AE8BAD, 00AE8BCF
@KB., xrefs: 00AE8B74
FeK\, xrefs: 00AE8B6D
k]I}, xrefs: 00AE8B66

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @KB.$EsgShKernel$FeK\$k]I}
API String ID: 2296764815-867955387
Opcode ID: d609f225e3c9d03b5c8d8948f699846cb2c31f6568df272b2ee53c294e1caa75
Instruction ID: 968ef4e167bd5c90c2fc65705c2979b0a6fe067d0f1ceaa4278d31f66ff5959d
Opcode Fuzzy Hash: d609f225e3c9d03b5c8d8948f699846cb2c31f6568df272b2ee53c294e1caa75
Instruction Fuzzy Hash: BA016270E40645DBCB10EFA8E9829ADB7F0FF58700F5046F9E82A57361EF309A819B55

Function 00AEEB50 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEBC5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

J, xrefs: 00AEEB6D
ocssd.exe, xrefs: 00AEEBAD, 00AEEBD0
AM]], xrefs: 00AEEB66
K., xrefs: 00AEEB74

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AM]]$J$K.$ocssd.exe
API String ID: 2296764815-2497099477
Opcode ID: bf5d98985e47adee9d2ed64cb3840c1068be34940bcd668b05b5a31f767226e5
Instruction ID: 05d4313a955442b4fb2e5d72e4dd52a59dd0e3583414089633b0eea8880df01a
Opcode Fuzzy Hash: bf5d98985e47adee9d2ed64cb3840c1068be34940bcd668b05b5a31f767226e5
Instruction Fuzzy Hash: F201627496420997CB00EFA8D8865ACB7F0EF09700F5046E9E8295F361EF30AAC19B56

Function 00AEED10 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEED84

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

outlook.exe, xrefs: 00AEED6D, 00AEED8F
AAE, xrefs: 00AEED2D
KVK., xrefs: 00AEED34
A[ZB, xrefs: 00AEED26

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AAE$A[ZB$KVK.$outlook.exe
API String ID: 2296764815-2488248476
Opcode ID: ba318bc633776e14a8a42f383b02f208009aa9f138bea3d9492f83a8bba3d2cc
Instruction ID: 34ffc0efd2f03cf82f90a7fabaa76aa93805b14583369f8869aa69c43661adaf
Opcode Fuzzy Hash: ba318bc633776e14a8a42f383b02f208009aa9f138bea3d9492f83a8bba3d2cc
Instruction Fuzzy Hash: C601AD70E60608DBCB90FFA8D98299CB7F4EB08340F4042E9E81957371EB305A88CB85

Function 00AE8EC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8F34

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

cloc, xrefs: 00AE8ED6
MBAMService, xrefs: 00AE8F1D, 00AE8F3F
GMK., xrefs: 00AE8EE4
}K\X, xrefs: 00AE8EDD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GMK.$MBAMService$cloc$}K\X
API String ID: 2296764815-2036623344
Opcode ID: 9ace0cb4d7a033a5a2a99b1780700b61799aad82e48ad9a260b38732e10d3687
Instruction ID: 9be185273eb4435fba392145f9c0ade3f79ec78a3e6692c98a86a0f37af75471
Opcode Fuzzy Hash: 9ace0cb4d7a033a5a2a99b1780700b61799aad82e48ad9a260b38732e10d3687
Instruction Fuzzy Hash: E4014470D546049BC710EFA8D841A6D77F0EB08744F4046E9E9395B361EF309A849B51

Function 00AECE10 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECE84

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

C`h}, xrefs: 00AECE2D
VeeamNFSSvc, xrefs: 00AECE6D, 00AECE8F
}XM., xrefs: 00AECE65
xKKO, xrefs: 00AECE26

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C`h}$VeeamNFSSvc$xKKO$}XM.
API String ID: 2296764815-1022778863
Opcode ID: fcfc7cd94d148a8d35de9cbceceaaa434b87827c9cdd73a1d5f74abf7f576652
Instruction ID: fa9202d8fac0d361e202f16ba6670a6e829a6442e4faad0246353b4d00c8b582
Opcode Fuzzy Hash: fcfc7cd94d148a8d35de9cbceceaaa434b87827c9cdd73a1d5f74abf7f576652
Instruction Fuzzy Hash: 3B01D6B5D44304DBCB50EFA8D85259D7BF0EB49704F4002E9E9296B361EF30AE84CB85

Function 00AEF160 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF1D5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]ZKO, xrefs: 00AEF176
steam.exe, xrefs: 00AEF1BD, 00AEF1E0
C, xrefs: 00AEF17D
K., xrefs: 00AEF184

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C$K.$]ZKO$steam.exe
API String ID: 2296764815-282855205
Opcode ID: 3422773738f2fd843c0e15dc11c16d04f090e43894ec87a04f37926ebf6dee32
Instruction ID: 9c153c92dd432ee403713d3c62f7f0eb5f93610e8994304344a55d8e6832f316
Opcode Fuzzy Hash: 3422773738f2fd843c0e15dc11c16d04f090e43894ec87a04f37926ebf6dee32
Instruction Fuzzy Hash: BC018F74E60308DBCB40FFA9D8415ACB3F0EB14750F5042A9E91557371FB305A99CB95

Function 00AEF490 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF505

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

visio.exe, xrefs: 00AEF4ED, 00AEF510
XG]G, xrefs: 00AEF4A6
A, xrefs: 00AEF4AD
K., xrefs: 00AEF4B4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A$K.$XG]G$visio.exe
API String ID: 2296764815-1974606088
Opcode ID: cd26422a35764305f2e1fbcb7f9fde37893170015fbabe09dd6a9bb9d6f6ff62
Instruction ID: c8a5ff7fbca537304c7ed04f9a26f7ab92deaad92fc3aa2dc4837804ebd4e05a
Opcode Fuzzy Hash: cd26422a35764305f2e1fbcb7f9fde37893170015fbabe09dd6a9bb9d6f6ff62
Instruction Fuzzy Hash: 0A018F74950208ABCB40EFA8E8825BD77F0EF15700F9006A9E8195B372EF305A84DBA5

Function 00AE94E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9554

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MsDtsServer, xrefs: 00AE953D, 00AE955F
XK\., xrefs: 00AE9504
]}K\, xrefs: 00AE94FD
c]jZ, xrefs: 00AE94F6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MsDtsServer$XK\.$]}K\$c]jZ
API String ID: 2296764815-3641504672
Opcode ID: da39becd673fe864cc4e7b9485a38faf0a4240d46e4ee809fcec6866e308eccf
Instruction ID: c483dd0ad9f939391cad5c799940146d458bbbf512aec526ce3056d4fe04bd97
Opcode Fuzzy Hash: da39becd673fe864cc4e7b9485a38faf0a4240d46e4ee809fcec6866e308eccf
Instruction Fuzzy Hash: CE017C71A543099BCB40EFA8D9459ADB7F0AB08700F8041D8E93957361EB30AA84CF92

Function 00AEB420 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB495

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}FcA, xrefs: 00AEB436
ShMonitor, xrefs: 00AEB47D, 00AEB4A0
\., xrefs: 00AEB444
@GZA, xrefs: 00AEB43D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @GZA$ShMonitor$\.$}FcA
API String ID: 2296764815-3446055354
Opcode ID: 180d5953756fd27e4cadb4a4754d3e7222ba09cfe08f7944d976f5e6ec4a5edc
Instruction ID: 2a16a590de79c6ae942292a1631318e4a28ede3aab91b19922928cc178307331
Opcode Fuzzy Hash: 180d5953756fd27e4cadb4a4754d3e7222ba09cfe08f7944d976f5e6ec4a5edc
Instruction Fuzzy Hash: 40018F74E502089ADB00EFA8E8425AD77F0EF08744F4046D8E839AB361FF31AE808B55

Function 00AEF5B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF624

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

YA\J, xrefs: 00AEF5C6
^OJ, xrefs: 00AEF5CD
wordpad.exe, xrefs: 00AEF60D, 00AEF62F
KVK., xrefs: 00AEF5D4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KVK.$YA\J$^OJ$wordpad.exe
API String ID: 2296764815-2252408496
Opcode ID: d7370575a9a7dea98712da896ef41bc3fd4a5ea4eda8d2d69b5cc1ca6b22cd65
Instruction ID: 775cd0e57f5887cbbefb9d422c76723f2ff3fa009fc7041f07c048d6f04e4de7
Opcode Fuzzy Hash: d7370575a9a7dea98712da896ef41bc3fd4a5ea4eda8d2d69b5cc1ca6b22cd65
Instruction Fuzzy Hash: 99018F70D44248EBCB00DFA8D9425ADB7F0EB19300F5042E9E82D5B361EF309E809B45

Function 00AEF520 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF594

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

YG@Y, xrefs: 00AEF536
A\J, xrefs: 00AEF53D
winword.exe, xrefs: 00AEF57D, 00AEF59F
KVK., xrefs: 00AEF544

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A\J$KVK.$YG@Y$winword.exe
API String ID: 2296764815-4158584516
Opcode ID: 86411e33f87228485221348697410fa01651a71f1fc89304cc764d72c3f5ee22
Instruction ID: c9da553d9b7eb82c4b2c97254e6c5a59e0c1df308e3ea3f3d91d02c6e1ae290f
Opcode Fuzzy Hash: 86411e33f87228485221348697410fa01651a71f1fc89304cc764d72c3f5ee22
Instruction Fuzzy Hash: 4B0184B4950604DBC740FFA8D9825DC7BF0EB54740F4045A9E81957361EF309A88CF51

Function 00AEB6F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB764

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SntpService, xrefs: 00AEB74D, 00AEB76F
}K\X, xrefs: 00AEB70D
}@Z^, xrefs: 00AEB706
GMK., xrefs: 00AEB745

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GMK.$SntpService$}@Z^$}K\X
API String ID: 2296764815-736333655
Opcode ID: 129efcc7dbe8e997aef14e8ad58caf3c780bc95e7ff7f94e73264cba4d89982d
Instruction ID: aea3ac8c39e17070abf7c47376cc46b6af0b627cb08c5514cd0a243bdf55ea37
Opcode Fuzzy Hash: 129efcc7dbe8e997aef14e8ad58caf3c780bc95e7ff7f94e73264cba4d89982d
Instruction Fuzzy Hash: C301A770D503089BC701EFA8D84165D7BF0FB08704F5006D9E8156B371EF305A44DB51

Function 00AEB780 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB7F5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]A^F, xrefs: 00AEB796
]., xrefs: 00AEB7A4
A]]^, xrefs: 00AEB79D
sophossps, xrefs: 00AEB7DD, 00AEB800

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A]]^$].$]A^F$sophossps
API String ID: 2296764815-3073210229
Opcode ID: 8075cc248b8b4705435bbd2428b710c9080f3b78d3ea299375c23ec6869d2f3d
Instruction ID: f840e07cd9345508b3d9ca46b4258d1fdacb622b0a290403774629a2cb8909e2
Opcode Fuzzy Hash: 8075cc248b8b4705435bbd2428b710c9080f3b78d3ea299375c23ec6869d2f3d
Instruction Fuzzy Hash: 1401A274950249DBCB00EBA8DC525AD77F0EF09700F4042E8E83D6B361EF309A849B56

Function 00B3E777 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00B3E76C,?,?,00B3E734,?,?,?), ref: 00B3E78C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B3E79F
FreeLibrary.KERNEL32(00000000,?,?,00B3E76C,?,?,00B3E734,?,?,?), ref: 00B3E7C2

Strings

CorExitProcess, xrefs: 00B3E797
mscoree.dll, xrefs: 00B3E785

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b6934823ed87c81662240632a612f811a44f3a51b3d9a8efdb2469423a9f42d9
Instruction ID: 27f4e5573801dfc8934252222a0bd982006a65106cd5e2d6364b081ed528789b
Opcode Fuzzy Hash: b6934823ed87c81662240632a612f811a44f3a51b3d9a8efdb2469423a9f42d9
Instruction Fuzzy Hash: C9F0FE3154061AFBEB119B51DC4DBDE7AA9EF00756F1400D1E911A21A0CF758E41DB90

Function 00B40441 Relevance: 7.8, APIs: 5, Instructions: 264COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B41B2D: GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
Part of subcall function 00B41B2D: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

_free.LIBCMT ref: 00B4074E
_free.LIBCMT ref: 00B40767
_free.LIBCMT ref: 00B407A5
_free.LIBCMT ref: 00B407AE
_free.LIBCMT ref: 00B407BA

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 42f091e29459616873876a714dec44dc166900c23e11a6e74f2da6d8b417a110
Instruction ID: 8869a788da7d0c65a06a75833f2ad603ddd743cb9d354273e2b93a3ee096fbbf
Opcode Fuzzy Hash: 42f091e29459616873876a714dec44dc166900c23e11a6e74f2da6d8b417a110
Instruction Fuzzy Hash: 6CB14B75A112199FDB24EF28C884AADB3F4FF58304F1045EAE94AA7390D770AE90DF40

Function 00B501E6 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00B504A2,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00B50289
__alloca_probe_16.LIBCMT ref: 00B5033F
__alloca_probe_16.LIBCMT ref: 00B503D5
__freea.LIBCMT ref: 00B50440
__freea.LIBCMT ref: 00B5044C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 0ba6ff5e2de16447f2d4b94300eb6ca20f2e5cc6cd7103d24a7e31cff69003f6
Instruction ID: f7bf716f287f7d0d56b97bc60ee502a1f8e3b636062f140ca8637f5d80aa680e
Opcode Fuzzy Hash: 0ba6ff5e2de16447f2d4b94300eb6ca20f2e5cc6cd7103d24a7e31cff69003f6
Instruction Fuzzy Hash: 2A81B272D2021AABDF21AF648896BEE7BF5EF49712F1800D9ED04B7241D721DD48C7A1

Function 00AF7A00 Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00AF7AD1
std::_Rethrow_future_exception.LIBCPMT ref: 00AF7B22
std::_Rethrow_future_exception.LIBCPMT ref: 00AF7B32
__Mtx_unlock.LIBCPMT ref: 00AF7BD5
__Mtx_unlock.LIBCPMT ref: 00AF7C3A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: aa54f599a6f656ab46759c4f067c5b82953273a1918ed435dfc27a99a32cb091
Instruction ID: f8c76b910df2cb5b2db6041271670ab632ad59163e9b74a5554df24c60a6e001
Opcode Fuzzy Hash: aa54f599a6f656ab46759c4f067c5b82953273a1918ed435dfc27a99a32cb091
Instruction Fuzzy Hash: 2771D5B1D0424C9FDB21EBE4D905BBEBBF8AF05704F000569FA1693641EB35AA44C7A1

Function 00AF63C0 Relevance: 7.7, APIs: 5, Instructions: 209COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF6478
std::_Lockit::_Lockit.LIBCPMT ref: 00AF649A
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF64BB
std::_Facet_Register.LIBCPMT ref: 00AF654B
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF6563

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 89ecfd5510e7e6d86c6450583e7bf873132b93c42aa97ea1951b26bc3bf341c2
Instruction ID: ddfb281f38c921a9f7c4bc4c2759d8b808962a1e5b3d1d7c5836b40ea6da473f
Opcode Fuzzy Hash: 89ecfd5510e7e6d86c6450583e7bf873132b93c42aa97ea1951b26bc3bf341c2
Instruction Fuzzy Hash: 3E813A75A002499FDB14DFA8C594BAEBBF1AF48304F2480ADE9069B352DB35DD45CB90

Function 00B44D4D Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B44DD1
__alloca_probe_16.LIBCMT ref: 00B44E97
__freea.LIBCMT ref: 00B44F03

Part of subcall function 00B43D62: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B44C98,00001000,?,?,?,?,00B33988,?,?), ref: 00B43D94

__freea.LIBCMT ref: 00B44F0C
__freea.LIBCMT ref: 00B44F2F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 4d62e2cff88191d75d58e59508f0d3bb1a3444c647f9bb7cd8b8b5cb5ff611c2
Instruction ID: 2ba51e8a4d23c1a4af738164a3ab620662e1b1322633f59ac2bdf0667547003c
Opcode Fuzzy Hash: 4d62e2cff88191d75d58e59508f0d3bb1a3444c647f9bb7cd8b8b5cb5ff611c2
Instruction Fuzzy Hash: 1B51B772A00216AFEF259F54CC41FBB77E9EF84750F2541A9FD08A7140EB31DE64A6A0

Function 00B168D7 Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00B16920
__alloca_probe_16.LIBCMT ref: 00B1694C
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00B1698B
__alloca_probe_16.LIBCMT ref: 00B169FF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B16A60

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16
String ID:
API String ID: 2135360126-0
Opcode ID: 9d78fb2269e776fa83ca0cbcc80d78eb4d5bc9be4c0234ef29c119ddc572e35a
Instruction ID: 60ac19620184041094731f57e861e37be67190c524e0403eae9ac9861a8ac1c1
Opcode Fuzzy Hash: 9d78fb2269e776fa83ca0cbcc80d78eb4d5bc9be4c0234ef29c119ddc572e35a
Instruction Fuzzy Hash: 12519E7292020AABDF209F64CC41FEF7BF9EF44790F9585A9F915A6150EB318D908B90

Function 00B283F8 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B2842C

Part of subcall function 00B233F8: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00B23419

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00B2848B
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00B284B1
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 00B284D1
Concurrency::location::_Assign.LIBCMT ref: 00B28513

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
String ID:
API String ID: 1794448563-0
Opcode ID: 6de6ca0726e73932c4dd25bfd1be691c555d886a0a347a5156ccddce600f465d
Instruction ID: f28636ce9ec5b8610ba93d7890a59f318978ea33ecbd70e99d23881e0e7bc0e9
Opcode Fuzzy Hash: 6de6ca0726e73932c4dd25bfd1be691c555d886a0a347a5156ccddce600f465d
Instruction Fuzzy Hash: 4B41F570700234ABCF19AB28D886BBEBBE9DF55710F0440D9E40A5B382CF74AD45C791

Function 00B1913D Relevance: 7.6, APIs: 5, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B19144
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00B1916B

Part of subcall function 00B1984A: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00B19867

__alloca_probe_16.LIBCMT ref: 00B191AB
Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00B191F8
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00B19227

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16
String ID:
API String ID: 2568206803-0
Opcode ID: 8f32619fe342cd030dd64eb9e0f4c11621e1a68ced9d5990df1aefd3e3d60fd1
Instruction ID: 657ca2123d91bfcd0f2f5ce36b6917bd6feadd2694fd2cef8ad18c9915806fe9
Opcode Fuzzy Hash: 8f32619fe342cd030dd64eb9e0f4c11621e1a68ced9d5990df1aefd3e3d60fd1
Instruction Fuzzy Hash: 55418C71E04255ABDF14DFA8C8A1AEDB7F9EF58310F9400AAE901EB341DB749D81CB90

Function 00AFC430 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AFC466
std::_Lockit::_Lockit.LIBCPMT ref: 00AFC486
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC4A6
std::_Facet_Register.LIBCPMT ref: 00AFC541
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC559

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 3bdd12327ba4566f11e334634e62fff1ba44cfc37b4283873928bc3a40f27de8
Instruction ID: c618c20fc06061d3e1027fa9d4c3f2c622a159fe391bc07de5558ca192618334
Opcode Fuzzy Hash: 3bdd12327ba4566f11e334634e62fff1ba44cfc37b4283873928bc3a40f27de8
Instruction Fuzzy Hash: 6341CFB190021D9FCB11CF95DA84BBEB7F4EF44720F1041A9E90AAB351DB31AE41CB81

Function 00B22B91 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 00B22BB6

Part of subcall function 00B18F2D: _SpinWait.LIBCONCRT ref: 00B18F45

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00B22BCA
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00B22BFC
List.LIBCMT ref: 00B22C7F
List.LIBCMT ref: 00B22C8E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 95074410ee3ea01324ffcb8833ad5f3bff40ee23d3c830dc1b6e161654513c44
Instruction ID: d0f819a21e375a24c9dfd9d74d31135d0f371f6dd826d221e3297f92d959789e
Opcode Fuzzy Hash: 95074410ee3ea01324ffcb8833ad5f3bff40ee23d3c830dc1b6e161654513c44
Instruction Fuzzy Hash: 80316871901665EFCB14EFA4E5916EDB7F1FF04304F1441EAD809AB292CB71AE44CBA0

Function 00B24915 Relevance: 7.6, APIs: 5, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00B249CA

Part of subcall function 00B25E01: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 00B25E48

GetCurrentThread.KERNEL32 ref: 00B24962
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00B2496E

Part of subcall function 00B1A7FA: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00B1A80C

Part of subcall function 00B1ACB0: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 00B1ACB7

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 00B249B1

Part of subcall function 00B25DB3: SetEvent.KERNEL32(?,?,00B249B6,00B256CB,00000000,?,00000000,00B256CB,00000004,00B25DA8,00000000,?,?,?,00000000), ref: 00B25DF7

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00B249BA

Part of subcall function 00B253B0: __EH_prolog3.LIBCMT ref: 00B253B7
Part of subcall function 00B253B0: List.LIBCONCRT ref: 00B253E6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityProxy::SchedulerThread$Concurrency::details::platform::__CurrentExecutionGroupHardware$Affinity::BorrowedCoreEventH_prolog3IncrementListResourceResource::StateSubscriptionToggle
String ID:
API String ID: 755934554-0
Opcode ID: 11a5d6045ad49f3dbe2b147f61c2159e7879a8b50e3fff1f618bc244442cc4d1
Instruction ID: 6028950becb0c34b2d6fac011c3204f49ae483a5b7055cd73f7047e7581fae34
Opcode Fuzzy Hash: 11a5d6045ad49f3dbe2b147f61c2159e7879a8b50e3fff1f618bc244442cc4d1
Instruction Fuzzy Hash: 7121AC31900A24AFCB24EF64E9908ABF3F5FF4C700700469DE44A97791CB70BA45CB95

Function 00B04F76 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00B04F96
_Maklocstr.LIBCPMT ref: 00B04FB3
_Maklocstr.LIBCPMT ref: 00B04FD0
_Maklocchr.LIBCPMT ref: 00B04FE2
_Maklocchr.LIBCPMT ref: 00B04FF5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 5ec6451ef56d89090d73bacb06c6a927e7612202d8aafc7b644905ca87e681f8
Instruction ID: 8a295881f01cd8d3d663562f4ed33cee3715eaefd26051548933433bab2ec3f1
Opcode Fuzzy Hash: 5ec6451ef56d89090d73bacb06c6a927e7612202d8aafc7b644905ca87e681f8
Instruction Fuzzy Hash: 51118CF1500B857FE320DBA48881F27BBECEF09310F144599F6889BA80D365F9548BA4

Function 00B20DD9 Relevance: 7.6, APIs: 5, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00B20DFE

Part of subcall function 00B1FDBF: Concurrency::details::SchedulerBase::FindNodeByLocation.LIBCONCRT ref: 00B1FDE8
Part of subcall function 00B1FDBF: Concurrency::location::_Assign.LIBCMT ref: 00B1FE03
Part of subcall function 00B1FDBF: Concurrency::details::SchedulingNode::FoundAvailableVirtualProcessor.LIBCMT ref: 00B1FE0D
Part of subcall function 00B1FDBF: Concurrency::details::SchedulingNode::FoundAvailableVirtualProcessor.LIBCMT ref: 00B1FEAD

Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00B20E19

Part of subcall function 00B26FD9: Concurrency::details::VirtualProcessor::ExerciseClaim.LIBCONCRT ref: 00B26FF7

InterlockedPushEntrySList.KERNEL32(?,?,?,?,0000000C), ref: 00B20E2E
Concurrency::details::VirtualProcessor::ExerciseClaim.LIBCONCRT ref: 00B20E3C
InterlockedPushEntrySList.KERNEL32(?,?,?,?,0000000C), ref: 00B20E53

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$AvailableClaimExerciseFoundProcessorProcessor::$Base::EntryInterlockedListNode::PushSchedulerScheduling$AssignConcurrency::location::_FindLocationNodeTicket::With
String ID:
API String ID: 1756620875-0
Opcode ID: 80d95d99c5ce5314ec69a6d79e80027d76a60ea28c1f4074e80597677b0be3f6
Instruction ID: 99f2efc43cf3264e6d52530eb6def19ad2fd5ebb5ce145c8b0f57d5a4e38e03e
Opcode Fuzzy Hash: 80d95d99c5ce5314ec69a6d79e80027d76a60ea28c1f4074e80597677b0be3f6
Instruction Fuzzy Hash: F0115E71900218EFDF20BF59E849D9ABBF8EF95305F0184DAE819A7162C6709645CB50

Function 00B24008 Relevance: 7.6, APIs: 5, Instructions: 51threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B2400F
GetCurrentThreadId.KERNEL32 ref: 00B24016
__Mtx_unlock.LIBCPMT ref: 00B2406C
__Cnd_broadcast.LIBCPMT ref: 00B24082
Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00B24096

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Cnd_broadcastConcurrency::details::_Counter::_CurrentH_prolog3Mtx_unlockReleaseThread
String ID:
API String ID: 1723855335-0
Opcode ID: 4d13a9632dc4ce157f454033fc76637e9ca2a636dc3a60b5de3b063fc285caca
Instruction ID: 0fb420003eeb3d61ae92d295a39ece153779d21d2de89647f724a5cba25d5cdc
Opcode Fuzzy Hash: 4d13a9632dc4ce157f454033fc76637e9ca2a636dc3a60b5de3b063fc285caca
Instruction Fuzzy Hash: FC012671A007119FCF11FB74C98975E77E9AF04311F1045A8F1159B681DF389B85C6C1

Function 00B060AF Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B060B6
std::_Lockit::_Lockit.LIBCPMT ref: 00B060C0

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B06111
std::_Lockit::~_Lockit.LIBCPMT ref: 00B06131
Concurrency::cancel_current_task.LIBCPMT ref: 00B0613E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: a127786e1ac6f9bdc8b84233d78530c81f71b14fce3e96f4b903582c1d61aa37
Instruction ID: d0a1fa8bff3456a7abd11c86096ef9b1437d6b723c3072e558595ed69ce790df
Opcode Fuzzy Hash: a127786e1ac6f9bdc8b84233d78530c81f71b14fce3e96f4b903582c1d61aa37
Instruction Fuzzy Hash: E8010C329042699BCB04EBA8C941BBE7BF5FF80320F240088F810AB2D2DF759E51C780

Function 00B0601A Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B06021
std::_Lockit::_Lockit.LIBCPMT ref: 00B0602B

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B0607C
std::_Lockit::~_Lockit.LIBCPMT ref: 00B0609C
Concurrency::cancel_current_task.LIBCPMT ref: 00B060A9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 5288477a5cad1a1a28303e8a2ce4d3c11bae4d5fbbc74a62312e698a8a4679f5
Instruction ID: 1f9d90314d20ab476d45a6944a4bc2d17b2480fa244dde5cffdbf313812f8f9a
Opcode Fuzzy Hash: 5288477a5cad1a1a28303e8a2ce4d3c11bae4d5fbbc74a62312e698a8a4679f5
Instruction Fuzzy Hash: 8801C0729442199FCB04EBA4C985ABE7BF5EF80310F24009DF814AB2D2DF71AE418791

Function 00B061D9 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B061E0
std::_Lockit::_Lockit.LIBCPMT ref: 00B061EA

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B0623B
std::_Lockit::~_Lockit.LIBCPMT ref: 00B0625B
Concurrency::cancel_current_task.LIBCPMT ref: 00B06268

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: d1d0ab620111adbbc3a7b29ad3b75abc27a4044508c594d14caa55e05a51689e
Instruction ID: 0b3ca15fd6d6a718a42ba39c3218df653145806183b4ff75ce19154459a898bf
Opcode Fuzzy Hash: d1d0ab620111adbbc3a7b29ad3b75abc27a4044508c594d14caa55e05a51689e
Instruction Fuzzy Hash: A6010C329042289FCB00EBA4C9456BE7BF5AF80320F240188F814AB2D1DF74AE45CB80

Function 00B06144 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0614B
std::_Lockit::_Lockit.LIBCPMT ref: 00B06155

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B061A6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B061C6
Concurrency::cancel_current_task.LIBCPMT ref: 00B061D3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 91e2c8b08e389f9fc5fb076ad97f38b15e39e01e56ab729a03a77640bd5fcd9f
Instruction ID: 931b3e135aed1d17c4858345e34bdb978289b0202758ac1ed30a6a8650dc3de3
Opcode Fuzzy Hash: 91e2c8b08e389f9fc5fb076ad97f38b15e39e01e56ab729a03a77640bd5fcd9f
Instruction Fuzzy Hash: 2C01C0329042299BCB04EBA4C945ABE7BF5EF80720F254098F824BB2D2DF709E458791

Function 00B06398 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0639F
std::_Lockit::_Lockit.LIBCPMT ref: 00B063A9

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B063FA
std::_Lockit::~_Lockit.LIBCPMT ref: 00B0641A
Concurrency::cancel_current_task.LIBCPMT ref: 00B06427

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 848e0a98017ea545c22fe09413829ed2efb2d1fa19c41f9473ca09e225a38fbb
Instruction ID: ad8ab8548136783f36ff466a3a298d1c1fe83e64637c99ba68d221c988f45399
Opcode Fuzzy Hash: 848e0a98017ea545c22fe09413829ed2efb2d1fa19c41f9473ca09e225a38fbb
Instruction Fuzzy Hash: EA01C0729042299FCB04EBA4C9466BE7BF9AF80710F244099F8146B3D2CF709E4187D1

Function 00B064C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B064C9
std::_Lockit::_Lockit.LIBCPMT ref: 00B064D3

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B06524
std::_Lockit::~_Lockit.LIBCPMT ref: 00B06544
Concurrency::cancel_current_task.LIBCPMT ref: 00B06551

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 308ca19a13150aecb72e28dca423f3509460f1130da448f4dda7a109340207d8
Instruction ID: 88a216ddfa3fefe09525f4c9f0f61042174f0f14fb074ada253568f23f22dfd2
Opcode Fuzzy Hash: 308ca19a13150aecb72e28dca423f3509460f1130da448f4dda7a109340207d8
Instruction Fuzzy Hash: 1601C07290461D9BCB14EBA4CD466BD7BF5AF80310F244099F814673D1DF74DE418B91

Function 00B0642D Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B06434
std::_Lockit::_Lockit.LIBCPMT ref: 00B0643E

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B0648F
std::_Lockit::~_Lockit.LIBCPMT ref: 00B064AF
Concurrency::cancel_current_task.LIBCPMT ref: 00B064BC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 932d93aefc428d2b2b0dff42ca0fcb624947124a9ce5bcf03debc880c01ce59d
Instruction ID: dfbf28c3c6358a04a9dc1811ebf7d95ae45a37ba824a0eb9586fc7bfcd85a318
Opcode Fuzzy Hash: 932d93aefc428d2b2b0dff42ca0fcb624947124a9ce5bcf03debc880c01ce59d
Instruction Fuzzy Hash: 5701C0729042299FCF04EBA4C9856BE7BF5AF84320F254089F914A73D2CF759E458791

Function 00B06557 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0655E
std::_Lockit::_Lockit.LIBCPMT ref: 00B06568

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B065B9
std::_Lockit::~_Lockit.LIBCPMT ref: 00B065D9
Concurrency::cancel_current_task.LIBCPMT ref: 00B065E6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 87f6a498c4b230625da9e8842ca09ee16b322b993745c4909347a9b5812c8e40
Instruction ID: b00d00e3444701752177205534ba80a725938921bdfb64d286a151168bb97a0a
Opcode Fuzzy Hash: 87f6a498c4b230625da9e8842ca09ee16b322b993745c4909347a9b5812c8e40
Instruction Fuzzy Hash: 5F01C03290426D9FCF04EBA4CA956BE7BF5AF90720F240089F915A72D1DF749E42C791

Function 00B131F8 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B131FF
std::_Lockit::_Lockit.LIBCPMT ref: 00B13209

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B1325A
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1327A
Concurrency::cancel_current_task.LIBCPMT ref: 00B13287

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: c604b094184867e4e74c2156a50699b99fadaeeded8db19b1d383bc516e5dd81
Instruction ID: dd302d15fe0349fe166a9e2b7e67c59f94aa2b03a2208fa2fa16d67e3885e519
Opcode Fuzzy Hash: c604b094184867e4e74c2156a50699b99fadaeeded8db19b1d383bc516e5dd81
Instruction Fuzzy Hash: 060100729002689BCF04EBA4C941AFDBBF4AF80710F640088F81067391DF709F818BC1

Function 00B1328D Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B13294
std::_Lockit::_Lockit.LIBCPMT ref: 00B1329E

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B132EF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1330F
Concurrency::cancel_current_task.LIBCPMT ref: 00B1331C

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: b35e411dc928094baae6ee1e3735cdcbe6db2f4fd0c1d50fae30fbf04e0d8ec7
Instruction ID: 0d35a6137e38f897cc858e6b1dacc36958b04eefb308a92d538ebaf17a5c6290
Opcode Fuzzy Hash: b35e411dc928094baae6ee1e3735cdcbe6db2f4fd0c1d50fae30fbf04e0d8ec7
Instruction Fuzzy Hash: 1401C0769002199BCF04EBA4D9456FE7BF5AF80B10F640598F814AB392EF709E858785

Function 00B134E1 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B134E8
std::_Lockit::_Lockit.LIBCPMT ref: 00B134F2

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B13543
std::_Lockit::~_Lockit.LIBCPMT ref: 00B13563
Concurrency::cancel_current_task.LIBCPMT ref: 00B13570

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: b321f609d1070290aff720e8a04840efb18f6f7bcf73596fa945eb7d6094124b
Instruction ID: 3977cf05d91cb8a2577c1d53548c4b791c9f6ecf0523141138ca297d677e957a
Opcode Fuzzy Hash: b321f609d1070290aff720e8a04840efb18f6f7bcf73596fa945eb7d6094124b
Instruction Fuzzy Hash: 5301C07690421D9BCB04EBA4C9456FE7BF5AF90B24F640488F8156B391EF709F818781

Function 00B01521 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B01528
std::_Lockit::_Lockit.LIBCPMT ref: 00B01532

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B01583
std::_Lockit::~_Lockit.LIBCPMT ref: 00B015A3
Concurrency::cancel_current_task.LIBCPMT ref: 00B015B0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: e66003db4e01118020ff21df908053a52b889817c69cd493b9fbd5ef2e19c555
Instruction ID: 520a0e370d8d63e30a68d815309f75c47daff9ed055264bb8481372ebb11eab2
Opcode Fuzzy Hash: e66003db4e01118020ff21df908053a52b889817c69cd493b9fbd5ef2e19c555
Instruction Fuzzy Hash: C101C0329002199FCB08EBA8CD456BE7BF5AF80720F644589F915AB3D2DF709E418781

Function 00B05B70 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05B77
std::_Lockit::_Lockit.LIBCPMT ref: 00B05B81

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B05BD2
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05BF2
Concurrency::cancel_current_task.LIBCPMT ref: 00B05BFF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: e6bfb8d86082e76185511660014b7b715ba2899d23b7a02b3a67da6f54a7761d
Instruction ID: 164e9aad493014a27611f0028ef04419fcbdd64ddf7fc8694d45006b0a3f23d9
Opcode Fuzzy Hash: e6bfb8d86082e76185511660014b7b715ba2899d23b7a02b3a67da6f54a7761d
Instruction Fuzzy Hash: F001C0329046699FCF14EBA4C945ABE7BF5EF80710F244098F815AB3D1DF70AE818B91

Function 00B05C9A Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05CA1
std::_Lockit::_Lockit.LIBCPMT ref: 00B05CAB

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B05CFC
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05D1C
Concurrency::cancel_current_task.LIBCPMT ref: 00B05D29

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 16006a1e5e826459d275bf9fb98b755dd3e6a267e186d7414b5be024839d3df7
Instruction ID: 83fffc87a058f12e3c012368bcd7ec3891443068b923e3f20f9abe29301194fd
Opcode Fuzzy Hash: 16006a1e5e826459d275bf9fb98b755dd3e6a267e186d7414b5be024839d3df7
Instruction Fuzzy Hash: 990100769046299BCB10EBA4C955ABE7BF4EF80310F244199F814AB3D1CF709E418B90

Function 00B05C05 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05C0C
std::_Lockit::_Lockit.LIBCPMT ref: 00B05C16

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B05C67
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05C87
Concurrency::cancel_current_task.LIBCPMT ref: 00B05C94

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: d60084cc7f42010eb8e2475f69ab821501e168b51e959d1effac7d2c448de63e
Instruction ID: 2713fa9cb82fadb84d6ca454443add2ae86d8fb4a8f8cbab31c098933a13aa82
Opcode Fuzzy Hash: d60084cc7f42010eb8e2475f69ab821501e168b51e959d1effac7d2c448de63e
Instruction Fuzzy Hash: AD01C032904629AFCF18EBA4C9856BE7BF5EF84320F250599F8146B2D1DF709E45CB81

Function 00B05D2F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B05D36
std::_Lockit::_Lockit.LIBCPMT ref: 00B05D40

Part of subcall function 00AE2F70: std::_Lockit::_Lockit.LIBCPMT ref: 00AE2F8D
Part of subcall function 00AE2F70: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2FA9

std::_Facet_Register.LIBCPMT ref: 00B05D91
std::_Lockit::~_Lockit.LIBCPMT ref: 00B05DB1
Concurrency::cancel_current_task.LIBCPMT ref: 00B05DBE

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 638580068f67884547cf00ca200989a4aaef6687c7d7494bbdd4dab4a8aeac3e
Instruction ID: 585f98ac27c434607a1fe1c05b67ebb18fa72dd245ec3b05c2e664ab13b72c22
Opcode Fuzzy Hash: 638580068f67884547cf00ca200989a4aaef6687c7d7494bbdd4dab4a8aeac3e
Instruction Fuzzy Hash: 2301C4329046299FCB14EB64C945BBE7BF9EF80710F250599F414672D1DF709E41CB91

Function 00B4B5A4 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B4B5BC

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

_free.LIBCMT ref: 00B4B5CE
_free.LIBCMT ref: 00B4B5E0
_free.LIBCMT ref: 00B4B5F2
_free.LIBCMT ref: 00B4B604

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2974fa544d17d1d5e13317cff0beacec98dfcbd1713e8861677cae4d7662b012
Instruction ID: d6bf9b94a9edc1995ba6c92c78c44d608b32a41c82b74a570e3472566bb6cfc7
Opcode Fuzzy Hash: 2974fa544d17d1d5e13317cff0beacec98dfcbd1713e8861677cae4d7662b012
Instruction Fuzzy Hash: E5F01D32904210AB8620EF5DE896C1AB3E9EA50B507E51885F54DE7910CF70FFC0BA68

Function 00B1BD4D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::RemoveCore.LIBCONCRT ref: 00B1BE86
Concurrency::details::SchedulerProxy::AddCore.LIBCONCRT ref: 00B1BE9B

Strings

4, xrefs: 00B1BEAC
$, xrefs: 00B1BEB0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::CoreProxy::Scheduler$Remove
String ID: $$4
API String ID: 2117874503-274276925
Opcode ID: 3d1b21a955431b8ce3cca952e8a5df95355f19bcd22038fef45480028c691ea1
Instruction ID: 3cfbb9d467d80f2a8b60068f839544f92cc589a7fc13909fc19cf0a7a0f6e0a7
Opcode Fuzzy Hash: 3d1b21a955431b8ce3cca952e8a5df95355f19bcd22038fef45480028c691ea1
Instruction Fuzzy Hash: 63513776904249DFCF09CFA8D590AEDBBF1BF49304F9485E9E9556B312C3319981CBA0

Function 00B15F84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B15F8B

Part of subcall function 00AFB780: std::_Lockit::_Lockit.LIBCPMT ref: 00AFB7C9
Part of subcall function 00AFB780: std::_Lockit::_Lockit.LIBCPMT ref: 00AFB7EB
Part of subcall function 00AFB780: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFB80B
Part of subcall function 00AFB780: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFB8D8

_Find_elem.LIBCPMT ref: 00B16025

Strings

0123456789-, xrefs: 00B15FD2
0123456789-, xrefs: 00B15FD7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: deec8bd35dab6f276630058fabd3bd3408ceb58e1c699c07184d26e413c322f7
Instruction ID: 43f71100853c6c589376d7899394a6f68dea3e7051ce3433c3fd47645d62c068
Opcode Fuzzy Hash: deec8bd35dab6f276630058fabd3bd3408ceb58e1c699c07184d26e413c322f7
Instruction Fuzzy Hash: 7D414C72900208EFDF09DF94D994AEEBBF5FF08311F500099F811A7291DB759A86CB95

Function 00B11470 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B11477

Part of subcall function 00B0591C: __EH_prolog3.LIBCMT ref: 00B05923
Part of subcall function 00B0591C: std::_Lockit::_Lockit.LIBCPMT ref: 00B0592D
Part of subcall function 00B0591C: std::_Lockit::~_Lockit.LIBCPMT ref: 00B0599E

_Find_elem.LIBCPMT ref: 00B11513

Strings

%.0Lf, xrefs: 00B114BE
0123456789-, xrefs: 00B114C3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2544715827-3094241602
Opcode ID: 414de8bbf2121df30eb33982dbc3a615bcc843662456e5019ff4a6a95c2e62ab
Instruction ID: ee7dcdb4058615bf5600c53ed20d9c10b68f24b22c0eb0552f4733286ab29802
Opcode Fuzzy Hash: 414de8bbf2121df30eb33982dbc3a615bcc843662456e5019ff4a6a95c2e62ab
Instruction Fuzzy Hash: AD418D32900218DFCF11DF98C881AEEBBF5FF14311F400599E911AB291DB30DA9ACBA1

Function 00B11755 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B1175C

Part of subcall function 00B059B1: __EH_prolog3.LIBCMT ref: 00B059B8
Part of subcall function 00B059B1: std::_Lockit::_Lockit.LIBCPMT ref: 00B059C2
Part of subcall function 00B059B1: std::_Lockit::~_Lockit.LIBCPMT ref: 00B05A33

_Find_elem.LIBCPMT ref: 00B117F8

Strings

0123456789-, xrefs: 00B117A8
0123456789-, xrefs: 00B117A3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789-$0123456789-
API String ID: 2544715827-2494171821
Opcode ID: 0bb3383e961cbfdfda8ea4807b4ffe1f923dd6166b729680a64e8aadfed4d5bd
Instruction ID: 4de537841ab60435a8c4e7d410b671f6cda24f50337971579187b065bb8cddf9
Opcode Fuzzy Hash: 0bb3383e961cbfdfda8ea4807b4ffe1f923dd6166b729680a64e8aadfed4d5bd
Instruction Fuzzy Hash: E1418A72900218DFCF11DF98C880AEDBBF5FF04311F500599E901AB2A5DB309E96CBA5

Function 00B1C817 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 00B1C896
Concurrency::details::SchedulerProxy::RemoveCore.LIBCONCRT ref: 00B1C8F1

Strings

4, xrefs: 00B1C8FC
$, xrefs: 00B1C901

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Proxy::Scheduler$BorrowedCoreRemoveStateToggle
String ID: $$4
API String ID: 296243165-274276925
Opcode ID: 4d85d9fd71d71bb7ea1ecba1e9126153d65d7a8f3d16ec425a1fb19412df12fc
Instruction ID: 9fc479784e03ed5fbaa69b13ccc190ff0c32f74a0bce274e9f19cf8ec8dac0d6
Opcode Fuzzy Hash: 4d85d9fd71d71bb7ea1ecba1e9126153d65d7a8f3d16ec425a1fb19412df12fc
Instruction Fuzzy Hash: 4C41F771E4020AEFDB19DFA8C4C1AAEBBF5FF48314F5484A9D855A7241D334EA81CB90

Function 00B30A55 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindMITargetTypeInstance.LIBVCRUNTIME ref: 00B30AC1
PMDtoOffset.LIBCMT ref: 00B30AE7

Strings

Bad dynamic_cast!, xrefs: 00B30B29

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: FindInstanceOffsetTargetType
String ID: Bad dynamic_cast!
API String ID: 2363274979-2956939130
Opcode ID: 0437022af1488a8be6a0dddd8fcb2db460b9288a81a9409a6cdb50117bc684c5
Instruction ID: de69c47c58325ae716100430849627481367842b5811bc563bc731763f05bdc6
Opcode Fuzzy Hash: 0437022af1488a8be6a0dddd8fcb2db460b9288a81a9409a6cdb50117bc684c5
Instruction Fuzzy Hash: 6E21F972620305AFCB14FE68ED66EAE77F8EF44710F3482D9F81593181E731E90186A0

Function 00AE36C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AE375F

Part of subcall function 00B2E7CB: RaiseException.KERNEL32(E06D7363,00000001,00000003,00AE146C,?,?,?,00AE146C,?,00B71F3C), ref: 00B2E82B

Strings

ios_base::eofbit set, xrefs: 00AE3706
ios_base::failbit set, xrefs: 00AE3701, 00AE3722, 00AE3743
ios_base::badbit set, xrefs: 00AE36F7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 56fdf03eedc28f732fe7b383f7e47af905bbd9a4f9b7207f164b7c445f62eb7d
Instruction ID: c05e718eb7aca41392f4acd28aca423b269612706da3b670f1e13aa7817ffd94
Opcode Fuzzy Hash: 56fdf03eedc28f732fe7b383f7e47af905bbd9a4f9b7207f164b7c445f62eb7d
Instruction Fuzzy Hash: 5E11E7B3900744ABCB10DF6AD806F96B7DCAF44310F1485AAF968DB241FB70EA14CB91

Function 00B0C175 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B0C17C

Part of subcall function 00B04F76: _Maklocstr.LIBCPMT ref: 00B04F96
Part of subcall function 00B04F76: _Maklocstr.LIBCPMT ref: 00B04FB3
Part of subcall function 00B04F76: _Maklocstr.LIBCPMT ref: 00B04FD0
Part of subcall function 00B04F76: _Maklocchr.LIBCPMT ref: 00B04FE2
Part of subcall function 00B04F76: _Maklocchr.LIBCPMT ref: 00B04FF5

_Mpunct.LIBCPMT ref: 00B0C209
_Mpunct.LIBCPMT ref: 00B0C223

Strings

$+xv, xrefs: 00B0C22E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 960a25c73cc60564ca47a2ba5fa77be0082095768d35acdfeee6bc99c256c7e4
Instruction ID: d8c7fdb94180cae6308d687d967ca9819b6c38aceaf8315e6b15f78fce4520e0
Opcode Fuzzy Hash: 960a25c73cc60564ca47a2ba5fa77be0082095768d35acdfeee6bc99c256c7e4
Instruction Fuzzy Hash: 0621A1B1904B566ED725DF74888077FBFF8AB0C700F144A9AE599C7A82D734EA05CB90

Function 00B14815 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B1481C
_Mpunct.LIBCPMT ref: 00B148A9
_Mpunct.LIBCPMT ref: 00B148C3

Strings

$+xv, xrefs: 00B148CE

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: e7b71df78605459934e38a6683f6b45a09096acf7fcad0a27383e521a3efca27
Instruction ID: a6bbd98dbb0aee2768ddf93afa4382eb5ddfd6c197dcb869f20e6b73504213c2
Opcode Fuzzy Hash: e7b71df78605459934e38a6683f6b45a09096acf7fcad0a27383e521a3efca27
Instruction Fuzzy Hash: 5721CFB1808B966ED725DF74C89077BBFF8AB08701F144A9AE499C7A41D730EA41CB90

Function 00AEC080 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC10D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLSERVERAGENT, xrefs: 00AEC0EF, 00AEC118
|oik`z, xrefs: 00AEC0D9
k|xk, xrefs: 00AEC0A0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLSERVERAGENT$k|xk$|oik`z
API String ID: 2296764815-2312964868
Opcode ID: d7eda9ba7bdde69da50a096364ede9a628455ba69025871c246946b193108ff7
Instruction ID: e4006e8c22a798663596798aa22a786a11c154a4e26001683f208bcdd0bdde5b
Opcode Fuzzy Hash: d7eda9ba7bdde69da50a096364ede9a628455ba69025871c246946b193108ff7
Instruction Fuzzy Hash: 5B018E74A50308DBCB80FFA8A88659D77F0AB08750F5002A8E81557371EB746A88CB9A

Function 00AE8AA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8B2D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

k\O], xrefs: 00AE8AB7
EraserSvc11710, xrefs: 00AE8B0F, 00AE8B38
K\}X, xrefs: 00AE8AC0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: EraserSvc11710$K\}X$k\O]
API String ID: 2296764815-293742129
Opcode ID: 56b5c0b023c234098411f818f02f60f21bbb14d58570279168cd5fbfbdb1aac8
Instruction ID: 64b9140f71a4b07aec07f1823a7f3a51988f790929f74a7560d222b608560b9e
Opcode Fuzzy Hash: 56b5c0b023c234098411f818f02f60f21bbb14d58570279168cd5fbfbdb1aac8
Instruction Fuzzy Hash: DE010474A4024ADBCB00DFA8D9914ADB7F0FB14700F4041E9E91EA7361EF345A84CB59

Function 00AE9570 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE95FD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

c]jZ, xrefs: 00AE9587
MsDtsServer100, xrefs: 00AE95DF, 00AE9608
]}K\, xrefs: 00AE9590

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MsDtsServer100$]}K\$c]jZ
API String ID: 2296764815-4292412238
Opcode ID: ad45d208711d0b3893a16bd8c33c13fda1157c62b626589c05f5caa5e3d17ad8
Instruction ID: b4949fb4baf1876547f689eb4706dc1d9a6044bdee165256a97477b00f396b19
Opcode Fuzzy Hash: ad45d208711d0b3893a16bd8c33c13fda1157c62b626589c05f5caa5e3d17ad8
Instruction Fuzzy Hash: 8601C8B4A44345DBCB10DF94E8515ADB7F4EB08704F4045E5E42D67361EF309A80CBA5

Function 00AE9620 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE96AD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MsDtsServer110, xrefs: 00AE968F, 00AE96B8
]}K\, xrefs: 00AE9640
c]jZ, xrefs: 00AE9637

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MsDtsServer110$]}K\$c]jZ
API String ID: 2296764815-1685868321
Opcode ID: b8c69557898608595e74c00b66dcec9c5c3fe5f63bf6edb09d2391d703593a77
Instruction ID: cf0e7b7196203a18133bbae151c8f647f8a1764b597a22bfd3ab38410b4c01b9
Opcode Fuzzy Hash: b8c69557898608595e74c00b66dcec9c5c3fe5f63bf6edb09d2391d703593a77
Instruction Fuzzy Hash: 6401A574A45345DBCB00DFA4D8419ADB7F0EB1A700F4041E5E82DAB361EE309A84CF56

Function 00AEC130 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC1AD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

kz|w, xrefs: 00AEC188
SQLTELEMETRY, xrefs: 00AEC190, 00AEC1B8
kbkc, xrefs: 00AEC150

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLTELEMETRY$kbkc$kz|w
API String ID: 2296764815-1775143861
Opcode ID: ec47db9e736648b5e2c9b6bb9e91d41cd8342fe1a517fb6e4761e97feff37a1f
Instruction ID: 9f414ca549033dd7705df241994b193b34935f8056fe2e6e854a9c52f13f20b8
Opcode Fuzzy Hash: ec47db9e736648b5e2c9b6bb9e91d41cd8342fe1a517fb6e4761e97feff37a1f
Instruction Fuzzy Hash: 6301D476AA4208DBC750FFA8E942D9D77F0FB09750F500299E9195B372EE30AA48CF51

Function 00AE82A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE831E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

oM\}, xrefs: 00AE82B7
XM, xrefs: 00AE82CE
AcrSch2Svc, xrefs: 00AE8300, 00AE8329

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AcrSch2Svc$XM$oM\}
API String ID: 2296764815-1058953379
Opcode ID: 8639d49c3c9cd7a0bb97b6556742bbe14c7b17b8222077a6673bd5ee7689f3a7
Instruction ID: 82770b7ef34a10cfac7b3a76e8163baeaaf71d69a3682214effc1d078c968af8
Opcode Fuzzy Hash: 8639d49c3c9cd7a0bb97b6556742bbe14c7b17b8222077a6673bd5ee7689f3a7
Instruction Fuzzy Hash: 5601D874D44206DBCB10DFA8DD419BC77F0EB18B00F5046A9E82D57361EF3059848B6A

Function 00AEA270 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA2ED

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}oco, xrefs: 00AEA2C8
bz~, xrefs: 00AEA290
MSSQL$TPSAMA, xrefs: 00AEA2D0, 00AEA2F8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$TPSAMA$bz~$}oco
API String ID: 2296764815-3981306348
Opcode ID: 062284c5fe9eecc99977755ff5364c8ccc1f2d748a30873bf3bc2a7a548a5cd7
Instruction ID: 679c59f56c007054d5f26c22030006d8177eeca954925e2b03e099c616930126
Opcode Fuzzy Hash: 062284c5fe9eecc99977755ff5364c8ccc1f2d748a30873bf3bc2a7a548a5cd7
Instruction Fuzzy Hash: FB01F575A50208EFC700EFBCD9419AC73F0FB49710F5042A8E819673A1FE319A84CB52

Function 00AEE460 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE4DD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

^OZF, xrefs: 00AEE480
infopath.exe, xrefs: 00AEE4C0, 00AEE4E8
G@HA, xrefs: 00AEE477

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: G@HA$^OZF$infopath.exe
API String ID: 2296764815-2602616379
Opcode ID: cb7d61a2d2d996cb19d6c9a3dcab1857106d9b5e090a4810985cd0944a4fe110
Instruction ID: e8c6c3fc2ad7c6c089a8b26cfe8b0194ef171e1539519049dc3bbcae3c2a4c5f
Opcode Fuzzy Hash: cb7d61a2d2d996cb19d6c9a3dcab1857106d9b5e090a4810985cd0944a4fe110
Instruction Fuzzy Hash: EB01B170A49206AFCB10DFACE94277D77F0EB49310F4041A8E61D9B361EE319A80CB56

Function 00AEE560 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE5DD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MK]], xrefs: 00AEE580
msaccess.exe, xrefs: 00AEE5C0, 00AEE5E8
C]OM, xrefs: 00AEE577

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C]OM$MK]]$msaccess.exe
API String ID: 2296764815-1770661819
Opcode ID: fcaae905dc329afdfb397ecf49ef12a2bd971e9ef2abd536ac7264f5c426f82c
Instruction ID: 03967d392efd453962d08c324ef8cad5f81860ba460fa0b6dfb4ea82cc2e6f29
Opcode Fuzzy Hash: fcaae905dc329afdfb397ecf49ef12a2bd971e9ef2abd536ac7264f5c426f82c
Instruction Fuzzy Hash: BE017571948249AFCB00DFB8E94156DB7F0E719700F4041B9E81E6B361EF309A84CB66

Function 00AEE600 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE67D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

C]HZ, xrefs: 00AEE617
msftesql.exe, xrefs: 00AEE660, 00AEE688
K]_B, xrefs: 00AEE620

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: C]HZ$K]_B$msftesql.exe
API String ID: 2296764815-485809658
Opcode ID: 832886b7fe243cc29ac2337c3e9643d80fbcbeea6ec9cb4c11ddcac0e504ed27
Instruction ID: 0c6a514cc7e38c39bfec065705249437c37f9174a8eab58856a352eb990bdfbe
Opcode Fuzzy Hash: 832886b7fe243cc29ac2337c3e9643d80fbcbeea6ec9cb4c11ddcac0e504ed27
Instruction Fuzzy Hash: D201F775E44245DBCB00DFA8E9515ADB7F0EB19700F4042E8E4296B361EF309A84DB57

Function 00AEEDA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEE1D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

^AYK, xrefs: 00AEEDB7
\^@Z, xrefs: 00AEEDC0
powerpnt.exe, xrefs: 00AEEE00, 00AEEE28

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: \^@Z$^AYK$powerpnt.exe
API String ID: 2296764815-16785639
Opcode ID: 67f8839990ed2cd2d801e7bb0e13f7733563c2bbc88e007a5167e4b731351cef
Instruction ID: ecd88629b1c7ca7d640b947140f8c96fd1fa69f4c19f7e2b22abc53db1ae233a
Opcode Fuzzy Hash: 67f8839990ed2cd2d801e7bb0e13f7733563c2bbc88e007a5167e4b731351cef
Instruction Fuzzy Hash: 1E01B170E842049BCB10EFA8ED425BDB7F0E709700F5041A9F52957361FE306A88DB52

Function 00AEEED0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEF4D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]_BO, xrefs: 00AEEEE7
sqlagent.exe, xrefs: 00AEEF30, 00AEEF58
IK@Z, xrefs: 00AEEEF0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IK@Z$]_BO$sqlagent.exe
API String ID: 2296764815-1002289084
Opcode ID: 375f58c6666a88320c539955a16868c939bfe66fde7b3012c9c1ed65c43d1881
Instruction ID: fbcb505dda08cf9e1ee236630aaae771ecd17f63823af208858956b71c5b7d7e
Opcode Fuzzy Hash: 375f58c6666a88320c539955a16868c939bfe66fde7b3012c9c1ed65c43d1881
Instruction Fuzzy Hash: 0001D471A84204DBCB40EFA8E94155DB7F0EB09740F5145E9E92D5B3A1EE309A88CB95

Function 00AEF020 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF09D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

sqlservr.exe, xrefs: 00AEF080, 00AEF0A8
]_B], xrefs: 00AEF037
K\X\, xrefs: 00AEF040

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K\X\$]_B]$sqlservr.exe
API String ID: 2296764815-1381817937
Opcode ID: 1bd5822ee34e9b10958f3393e84dc9c2ccf91eadaf37c7f7d150b632dc6e822c
Instruction ID: 477b6f743c8081385a25a8df38e7656c910ecda9ef9cf1de5144ca02db04ca24
Opcode Fuzzy Hash: 1bd5822ee34e9b10958f3393e84dc9c2ccf91eadaf37c7f7d150b632dc6e822c
Instruction Fuzzy Hash: D701B5B09442059BCB10EF68EC4197DB7F0F719700F6045B5E42D57361EF305A80CB55

Function 00AEF1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF26D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

synctime.exe, xrefs: 00AEF250, 00AEF278
]W@M, xrefs: 00AEF207
ZGCK, xrefs: 00AEF210

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ZGCK$]W@M$synctime.exe
API String ID: 2296764815-3012282437
Opcode ID: ae3eb987654d9cecdcdba9a65bc07bb520f2a1224a6c70fe2d3e204316f5bd06
Instruction ID: d383b85ecd79eef696551a00a384cbef088f020ed21f9aa9580def446547eae7
Opcode Fuzzy Hash: ae3eb987654d9cecdcdba9a65bc07bb520f2a1224a6c70fe2d3e204316f5bd06
Instruction Fuzzy Hash: 08019EB4A84209DBCB10EFBCEC425A8B7F0EB09300F4041B9E92967361EF305A84CB51

Function 00AED5B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED62E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$PROD, xrefs: 00AED610, 00AED639
b~|, xrefs: 00AED5D0
aj, xrefs: 00AED5DE

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$PROD$aj$b~|
API String ID: 2296764815-2966077123
Opcode ID: 1ba4efa86731c3d6b9e1d6d5f28e30f237c01e2d9d7c20533d2747d2073048e1
Instruction ID: c16afa2a6871b8174ceeb2d90c977ba47999b862bfb3878d5393042f17e79fab
Opcode Fuzzy Hash: 1ba4efa86731c3d6b9e1d6d5f28e30f237c01e2d9d7c20533d2747d2073048e1
Instruction Fuzzy Hash: 1401D475A54208DBC710DFA8E842AAC77B0FF19704F4046E9E52857361FE309A819B96

Function 00AEF6E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF75D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]ZK@, xrefs: 00AEF700
ZCBG, xrefs: 00AEF6F7
tmlisten.exe, xrefs: 00AEF740, 00AEF768

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ZCBG$]ZK@$tmlisten.exe
API String ID: 2296764815-683356205
Opcode ID: e7f92ffd31b80f047211717b2deab027f71277586905100b70b85a536e825644
Instruction ID: 5849820ea5f4017743d11c09c1c732ddee1245e237e49dca4e04c7f1d6ad1f62
Opcode Fuzzy Hash: e7f92ffd31b80f047211717b2deab027f71277586905100b70b85a536e825644
Instruction Fuzzy Hash: 8101F170A40249DBCB00EF68E9819ACB7F0FB18700F4042E8E92D57350EF34DA84AB51

Function 00AEF780 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF7FD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

~MM`, xrefs: 00AEF797
zcA@, xrefs: 00AEF7A0
PccNTMon.exe, xrefs: 00AEF7E0, 00AEF808

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: PccNTMon.exe$zcA@$~MM`
API String ID: 2296764815-201088995
Opcode ID: 9194460cb331cb5692a54ebe02006c88664de14415d7b9047aeef25eb4d02b5a
Instruction ID: 53c36270bb23a1e9e419ffbce525a029371a68a98970a16546662c910561cae6
Opcode Fuzzy Hash: 9194460cb331cb5692a54ebe02006c88664de14415d7b9047aeef25eb4d02b5a
Instruction Fuzzy Hash: 8701D470A90605DBCB50FFA8E95299DB7F0EB09750F4042A9F81967371EF309E48CB51

Function 00AE78B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE792D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}A^F, xrefs: 00AE78C7
Sophos Agent, xrefs: 00AE7910, 00AE7938
IK@Z, xrefs: 00AE7908

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IK@Z$Sophos Agent$}A^F
API String ID: 2296764815-821892096
Opcode ID: 4959f588796f0e460f2f5120c8eeb8121f2fed32ab77789d40ceddfb03a78a9a
Instruction ID: 7d1b6afcbb63fabd895616145a8d235091d458e3fb197ea1522e9f668a6217c7
Opcode Fuzzy Hash: 4959f588796f0e460f2f5120c8eeb8121f2fed32ab77789d40ceddfb03a78a9a
Instruction Fuzzy Hash: 9B01B175A44245EFCB10DFB8DC419ADB7F0EB09300F4082B8E41D9B361EF305A849B96

Function 00AEF8C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF93D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Ntrtscan.exe, xrefs: 00AEF920, 00AEF948
]MO@, xrefs: 00AEF8E0
`Z\Z, xrefs: 00AEF8D7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Ntrtscan.exe$]MO@$`Z\Z
API String ID: 2296764815-327958180
Opcode ID: 48e4c96931137ffab4fdc93fafca9b635139cc347e3e3cc4fc278b88e4a8fff5
Instruction ID: c1a5fd05c10c221a00cc812406aa480d3ea4b68509cf2f9cca03b5719af06679
Opcode Fuzzy Hash: 48e4c96931137ffab4fdc93fafca9b635139cc347e3e3cc4fc278b88e4a8fff5
Instruction Fuzzy Hash: F601B571A44205DBCB10DFA8EC8156DB7F4EB09710F5041E4E52DAB361EE34AA84CB51

Function 00AEF960 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF9DD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Z\OW, xrefs: 00AEF980
mbamtray.exe, xrefs: 00AEF9C0, 00AEF9E8
CLOC, xrefs: 00AEF977

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CLOC$Z\OW$mbamtray.exe
API String ID: 2296764815-1276417565
Opcode ID: d6e42bef67a2beb8b97f22aeae8ff86988e97ac53eff3c941afe056bcc52c697
Instruction ID: 241d2a741fed1b8fab95a3cfe77528161e89297335ab046c918ea1c50ad18987
Opcode Fuzzy Hash: d6e42bef67a2beb8b97f22aeae8ff86988e97ac53eff3c941afe056bcc52c697
Instruction Fuzzy Hash: 37017170A442499BCB20DFA9E98259DB7F0EF1D700F5045E9E82DA7361EE309A84DB61

Function 00AEDA80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDAFD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$SOPHOS, xrefs: 00AEDAE0, 00AEDB08
~fa}, xrefs: 00AEDAD8
b}a, xrefs: 00AEDAA0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$SOPHOS$b}a$~fa}
API String ID: 2296764815-180848774
Opcode ID: b051b497c7ae97f856c7bb1606ea5331c76171461c9eddfe6090f3ebcbfb50dd
Instruction ID: dd0548fcef2fbdc94d6a7ec2bda61a1b2b9c7ecd8e1a61cb61a0568c9a4946a0
Opcode Fuzzy Hash: b051b497c7ae97f856c7bb1606ea5331c76171461c9eddfe6090f3ebcbfb50dd
Instruction Fuzzy Hash: 19017575E44209EBCB10DFA9E9416BD77F0E708710F5082B9E51997351EF309B84CB9A

Function 00AEBD20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBD9D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

IK@Z, xrefs: 00AEBD40
z~}, xrefs: 00AEBD78
SQLAgent$TPS, xrefs: 00AEBD80, 00AEBDA8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: z~}$IK@Z$SQLAgent$TPS
API String ID: 2296764815-2469359120
Opcode ID: bd42d4cb8566cf53567cf9d268b67772531455ae9989a1fe573ad240a04bf7b9
Instruction ID: 07ce44371b30278e920f1fa2d029276ef97d3012d4765bcfbda5a3dcf0844d6c
Opcode Fuzzy Hash: bd42d4cb8566cf53567cf9d268b67772531455ae9989a1fe573ad240a04bf7b9
Instruction Fuzzy Hash: 0201B1B0E44206DBC710DFA9ED4196DB7F0EB08310B6041B9E829A73A1EF315B818B96

Function 00AEBF50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBFCE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K\, xrefs: 00AEBF7E
\AY], xrefs: 00AEBF70
SQLBrowser, xrefs: 00AEBFB0, 00AEBFD9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K\$SQLBrowser$\AY]
API String ID: 2296764815-4151680171
Opcode ID: bb9e332ed5db61e4f0c4374fe13bd086bfbf191e8dbccffcec38084e79e350aa
Instruction ID: 23c31ac4b009011c99af379084b064c9bb7903056bddde8254713591497d8857
Opcode Fuzzy Hash: bb9e332ed5db61e4f0c4374fe13bd086bfbf191e8dbccffcec38084e79e350aa
Instruction Fuzzy Hash: 3D01B5B5A5424497C720EFA49C829DDB7B0EB19700F5011D4E42957371FF309984CB66

Function 00AE80C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE813C

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

|KMA, xrefs: 00AE80D7
Symantec System Recovery, xrefs: 00AE8113, 00AE8147
XK\W, xrefs: 00AE80E0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Symantec System Recovery$XK\W$|KMA
API String ID: 2296764815-54157118
Opcode ID: bd014cf7216cd0813fa3ed90c5679fbdafb424805320d5ea3749f8626e6241c3
Instruction ID: 3bc4f63dedd704f3cc55144a6e5b5c684f54adbcf97f71857437465285ab3dbd
Opcode Fuzzy Hash: bd014cf7216cd0813fa3ed90c5679fbdafb424805320d5ea3749f8626e6241c3
Instruction Fuzzy Hash: DA01DF70AA0344DBC780FBA8ED825A9B3F0AF19754F4403A9E91967372EF305A88C755

Function 00AEC560 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC5E4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

swi_update_64, xrefs: 00AEC5CC, 00AEC5EF
[^JO, xrefs: 00AEC57D
]YGq, xrefs: 00AEC576

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: [^JO$]YGq$swi_update_64
API String ID: 2296764815-3194141416
Opcode ID: 74594e980f06df7d9356ca1cd9c4144b2de685497f617ac390fab1713fd3b8a8
Instruction ID: b96760986c57637900343d9e528cb8765a02805b58c9d2779f4bbbf8c4cfae9e
Opcode Fuzzy Hash: 74594e980f06df7d9356ca1cd9c4144b2de685497f617ac390fab1713fd3b8a8
Instruction Fuzzy Hash: 15018078E51309DBCB50EFA8D9415ADB7F0FB09710F1041A9E829AB3A1EE306B84CF55

Function 00AE92A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9312

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

CHKC, xrefs: 00AE92B7
mfemms, xrefs: 00AE92EE, 00AE931D
C], xrefs: 00AE92C0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CHKC$C]$mfemms
API String ID: 2296764815-2793281164
Opcode ID: 4d9239ffe1ea7b893d12ceff5d13ed0f80e3b8a7a819fb512b2ee321966744ae
Instruction ID: c45a8487be8f3a9fabba9b326bfb36b3c682836447ce0b2ac825ec38ed8d135e
Opcode Fuzzy Hash: 4d9239ffe1ea7b893d12ceff5d13ed0f80e3b8a7a819fb512b2ee321966744ae
Instruction Fuzzy Hash: 9701F235A94304ABC740FFB9E84159C77F0EF29740F6001E9E8158B372EE305A88CB59

Function 00AED3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED464

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

mvjl., xrefs: 00AED436
SQLAgent$CXDB, xrefs: 00AED44C, 00AED46F
IK@Z, xrefs: 00AED3FD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: mvjl.$IK@Z$SQLAgent$CXDB
API String ID: 2296764815-779384931
Opcode ID: 13d699a8fae81e076368be484d5db0e02c81703f3560bee59ec0b92621e46e79
Instruction ID: b829db3a1896409f9818cea91ccf1d83daf55187de66c3c5c48f108f96e05c5a
Opcode Fuzzy Hash: 13d699a8fae81e076368be484d5db0e02c81703f3560bee59ec0b92621e46e79
Instruction Fuzzy Hash: C2015274950209DBCB44EFA8D942AADB7F4FF18700F5041E9EC25573A1EB34AA84DF52

Function 00AE9330 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE93A2

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Z^, xrefs: 00AE9350
CHKX, xrefs: 00AE9347
mfevtp, xrefs: 00AE937E, 00AE93AD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CHKX$Z^$mfevtp
API String ID: 2296764815-3074364153
Opcode ID: 689652454d10ff03fad984f953587fc3a278bafd81b115d0d460aefe581c9c17
Instruction ID: 136ce5f4dcbd0f795778abedd62f3738dda8ec008ee63b3a9d91338b73123196
Opcode Fuzzy Hash: 689652454d10ff03fad984f953587fc3a278bafd81b115d0d460aefe581c9c17
Instruction Fuzzy Hash: 9301A275A54204EBC700EBA8E8819ACB7F0EB19741F4052E8E81A877B1EE315A89C759

Function 00AED740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED7C4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLAgent$PROD, xrefs: 00AED7AC, 00AED7CF
~|aj., xrefs: 00AED796
IK@Z, xrefs: 00AED75D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ~|aj.$IK@Z$SQLAgent$PROD
API String ID: 2296764815-3615797606
Opcode ID: 7bcf2f104ef97ec8ce55cfffedc66ff4a5090cba192ee677116674e90c59de0f
Instruction ID: 0159c30251d3bd4318fa83c7143118e2d4ad6d8cf01374b0bbec7ff0e086a682
Opcode Fuzzy Hash: 7bcf2f104ef97ec8ce55cfffedc66ff4a5090cba192ee677116674e90c59de0f
Instruction Fuzzy Hash: 19019274E50208DFCB40EFA8D94169DB7F0EF48700F5041E9E91567361EA30AA84CF52

Function 00AEBA40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBABC

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ck`z, xrefs: 00AEBA60
SQLAgent$PROFXENGAGEMENT, xrefs: 00AEBA93, 00AEBAC7
ioik, xrefs: 00AEBA57

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$PROFXENGAGEMENT$ck`z$ioik
API String ID: 2296764815-2176214190
Opcode ID: 561e854bc5ecd07bd3dee2b2f16da9f0d1ac172b16b72a799a93b2cd629596f5
Instruction ID: 36afc73e22e3a40c6212096de346a98698898f47d6ba0243c6ec1cd7098f13f0
Opcode Fuzzy Hash: 561e854bc5ecd07bd3dee2b2f16da9f0d1ac172b16b72a799a93b2cd629596f5
Instruction Fuzzy Hash: 2C01D4B0A94248DBC710EF69AC425A973F0EF29704F0057D8E819572B1FF34AA94CF61

Function 00AE7810 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7893

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K., xrefs: 00AE7834
Enterprise Client Service, xrefs: 00AE786A, 00AE789E
\XGM, xrefs: 00AE782D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Enterprise Client Service$K.$\XGM
API String ID: 2296764815-3865679301
Opcode ID: e76c471dfdd12f4134390769c59cf3e99a52e13f16b668f121160e10b8e37627
Instruction ID: 4830267f79d4497e7f640d1445135c472aa5e16668542a0f7697640b877eff4d
Opcode Fuzzy Hash: e76c471dfdd12f4134390769c59cf3e99a52e13f16b668f121160e10b8e37627
Instruction Fuzzy Hash: 7A018C74D046089AEB04DBA8A9425AC77F0EF18700F4056E8E92D2B361EF309AC1DB52

Function 00AE7950 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE79D3

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

\XGM, xrefs: 00AE796D
Sophos AutoUpdate Service, xrefs: 00AE79AA, 00AE79DE
K., xrefs: 00AE7974

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$Sophos AutoUpdate Service$\XGM
API String ID: 2296764815-712333110
Opcode ID: fd0ce4ed15f2df722ed356559d726e6399a8d1efe5de34d3e597da2250dce42c
Instruction ID: aa415be2fa51410e4b0a5266a1d856ea7eb8e79c913c37667b6d0d4cb9da4ab0
Opcode Fuzzy Hash: fd0ce4ed15f2df722ed356559d726e6399a8d1efe5de34d3e597da2250dce42c
Instruction Fuzzy Hash: 4601B134D54A099BC750EFA9E8425AC77F0EF05700F5042A9E92D6B371EF705A84CB95

Function 00AE7B20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7BA2

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Sophos File Scanner Service, xrefs: 00AE7B7A, 00AE7BAD
GMK., xrefs: 00AE7B44
}K\X, xrefs: 00AE7B3D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GMK.$Sophos File Scanner Service$}K\X
API String ID: 2296764815-2233495876
Opcode ID: 335eb1d7a60eaa0603ca5adbed164df20365bb5ec0e2dce281180120bfc8ff38
Instruction ID: 7e204eab2d80ae4ff5033775e36c43037e60fca4a13299c365e922c620ba64e2
Opcode Fuzzy Hash: 335eb1d7a60eaa0603ca5adbed164df20365bb5ec0e2dce281180120bfc8ff38
Instruction Fuzzy Hash: 05011270D547049BC710EFA8D9429ADB7F0FB18744F4046D9E92967261EF309AC5CF91

Function 00AEC690 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC6FE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

tmlisten, xrefs: 00AEC6E6, 00AEC709
]ZK@, xrefs: 00AEC6B0
ZCBG, xrefs: 00AEC6A7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ZCBG$]ZK@$tmlisten
API String ID: 2296764815-1580831520
Opcode ID: 13821038167b3ca21d4c9e3e58b90765d51f00c6874fa0a7d315ebe0d4e607cb
Instruction ID: e5dcc944c707b6ddd5c27e04fce2d9e918213b2f66b1219e3929b690b28940a3
Opcode Fuzzy Hash: 13821038167b3ca21d4c9e3e58b90765d51f00c6874fa0a7d315ebe0d4e607cb
Instruction Fuzzy Hash: BA01D671A84205DBCB10EF78AC5297DB3F0E719310F4086F8E42E5B391EF3059859B55

Function 00AE87F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8867

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

XGJK, xrefs: 00AE8806
BackupExecVSSProvider, xrefs: 00AE8850, 00AE8872
\., xrefs: 00AE880D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BackupExecVSSProvider$XGJK$\.
API String ID: 2296764815-3267403809
Opcode ID: e4084b104e7d6a1385197c0fe30114a5d876fe650d2acfe809a71aabc69e23b9
Instruction ID: 7bcf95ae84c0ef80fb43aa8a6cfb2996082f4272d7c115792d3c7e398b67a082
Opcode Fuzzy Hash: e4084b104e7d6a1385197c0fe30114a5d876fe650d2acfe809a71aabc69e23b9
Instruction Fuzzy Hash: 1D017178A50245EBC700DF68E8526AC73F0EF08704F4041B4ED2D97361EF309E819B59

Function 00AEAB70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEABDE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ntrtscan, xrefs: 00AEABC6, 00AEABE9
]MO@, xrefs: 00AEAB90
@Z\Z, xrefs: 00AEAB87

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @Z\Z$]MO@$ntrtscan
API String ID: 2296764815-1643966791
Opcode ID: bca8fa807b6aa735fc40f449eff7e2b49bb71a71c36f18a35547fbb3c59c113d
Instruction ID: e8d5fa7d1b28b9dbc2abc08a75083d2a0c1164ffd97694a4944ac7dab4286bf0
Opcode Fuzzy Hash: bca8fa807b6aa735fc40f449eff7e2b49bb71a71c36f18a35547fbb3c59c113d
Instruction Fuzzy Hash: 2601D670A482099BC720DBA8ED4196D73F4EB1A700F5085F8E4295B351FE30AA84CB66

Function 00AE8C80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8CEE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

JCG@, xrefs: 00AE8CA0
gg}o, xrefs: 00AE8C97
IISAdmin, xrefs: 00AE8CD6, 00AE8CF9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IISAdmin$JCG@$gg}o
API String ID: 2296764815-1549501776
Opcode ID: a468ef6e57ff48d8d7382706256340ef29bc4984616ea12328bf43b694865470
Instruction ID: b9e78c3143b2baf90e5d88b446c7869f05e3694641e298e9add7cd1849596569
Opcode Fuzzy Hash: a468ef6e57ff48d8d7382706256340ef29bc4984616ea12328bf43b694865470
Instruction Fuzzy Hash: 4E0121B1A483449BC700EFA8AD529BD77F0FB49340F4042E8E819673A1EF345A48CB51

Function 00AE8DA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8E0E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

@]XM, xrefs: 00AE8DC0
COMC, xrefs: 00AE8DB7
macmnsvc, xrefs: 00AE8DF6, 00AE8E19

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: @]XM$COMC$macmnsvc
API String ID: 2296764815-2160665527
Opcode ID: 373225b1447b352504924c2eee8190f37606b9b07a2ebf258c958cace2eff3fe
Instruction ID: 1181b880f46175f99334192708a3e479ccf3d82e4818bcb06596af42a6e43bbd
Opcode Fuzzy Hash: 373225b1447b352504924c2eee8190f37606b9b07a2ebf258c958cace2eff3fe
Instruction Fuzzy Hash: 7D01A270A442449BC710DF69A84156973F0BB18700F900AE8E5295B3B2EF75AA949781

Function 00AED060 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED0CE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

IG@K, xrefs: 00AED080
YLK@, xrefs: 00AED077
wbengine, xrefs: 00AED0B6, 00AED0D9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IG@K$YLK@$wbengine
API String ID: 2296764815-1519817186
Opcode ID: 52f2ca8a0a13e56b681d2e82d23265604718340cc6e85d390e5cb2128d766513
Instruction ID: ad478ae2bc1d5953cd48b417f10025b1501c330822fd5f5b90f4258429c5fec2
Opcode Fuzzy Hash: 52f2ca8a0a13e56b681d2e82d23265604718340cc6e85d390e5cb2128d766513
Instruction Fuzzy Hash: D901F470A50248DBC710EBA9EC425AE77F0EB49700F8546E9E4295B361EF319988DB92

Function 00AE9170 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE91DE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

GKBJ, xrefs: 00AE9190
cM}F, xrefs: 00AE9187
McShield, xrefs: 00AE91C6, 00AE91E9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GKBJ$McShield$cM}F
API String ID: 2296764815-1435600963
Opcode ID: eb5ec63daea4069cd14bc3cb5768324b2309404fc43a1bd3fccaab3a0c20f750
Instruction ID: e43751d4cc6148d371ed5593ee3433adbe466ec7143ced8808b0ae0ebc08fb26
Opcode Fuzzy Hash: eb5ec63daea4069cd14bc3cb5768324b2309404fc43a1bd3fccaab3a0c20f750
Instruction Fuzzy Hash: 4401D171A843049BC714DFA8EC429AD77F0EB1C755F404AD8E43967351EE30AE84CB81

Function 00AED8E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED94E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

EhttpSrv, xrefs: 00AED936, 00AED959
kFZZ, xrefs: 00AED8F7
^}\X, xrefs: 00AED900

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: EhttpSrv$^}\X$kFZZ
API String ID: 2296764815-57104636
Opcode ID: 503c83b7ee404e963f7a48df6fe22e411c40f9516324bb4d830eda136c122585
Instruction ID: edfe815bc5670248fb508e9b917ca6cfa71f2e0226ef5e241a95e873211d695f
Opcode Fuzzy Hash: 503c83b7ee404e963f7a48df6fe22e411c40f9516324bb4d830eda136c122585
Instruction Fuzzy Hash: 3501AD71A586059BC710FFA8AD869A8B3F0AB05751F4006B8E429573A2EF705948CB51

Function 00AE7BC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7C37

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

\XGM, xrefs: 00AE7BD6
Sophos Health Service, xrefs: 00AE7C20, 00AE7C42
K., xrefs: 00AE7BDD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$Sophos Health Service$\XGM
API String ID: 2296764815-1820530979
Opcode ID: a65e19d9eb37ea5907f1782cb371c5992e3db1ee2e6a227e09d9e38067dcf5d7
Instruction ID: 5ee7aa89fd33e0f996ff4a2f89ab97ed2735e290a173efb307b1bf602e987406
Opcode Fuzzy Hash: a65e19d9eb37ea5907f1782cb371c5992e3db1ee2e6a227e09d9e38067dcf5d7
Instruction Fuzzy Hash: B101BC34E68308ABC780FFA8D84259C73F0EB08744F5005E9E919573B2EF305A89DB55

Function 00AEDC00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDC6E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

klnagent, xrefs: 00AEDC56, 00AEDC79
IK@Z, xrefs: 00AEDC20
EB@O, xrefs: 00AEDC17

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: EB@O$IK@Z$klnagent
API String ID: 2296764815-463034762
Opcode ID: 08a80b4a11c65f32ab02ee06eacc9ba32ad8652e13a20337b941e6ffbd534fff
Instruction ID: 57e0784a3987df8979bd3e3425300c2daf9716403e174117f538fe7939674189
Opcode Fuzzy Hash: 08a80b4a11c65f32ab02ee06eacc9ba32ad8652e13a20337b941e6ffbd534fff
Instruction Fuzzy Hash: E20121B0A802049BC750EBBCAC8256EB3F0EF45340F4016A8E42947372EE309988CB41

Function 00AEDD80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDDEE

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

wbengine, xrefs: 00AEDDD6, 00AEDDF9
IG@K, xrefs: 00AEDDA0
YLK@, xrefs: 00AEDD97

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IG@K$YLK@$wbengine
API String ID: 2296764815-1519817186
Opcode ID: d1f1299b380321ec669e98462342d7815711b71b524e0823adb3feba6316f121
Instruction ID: b8820c7c592d04cb751234bfdd6f5507bcbafd35eaeef6a7b992b9a031e3b5ff
Opcode Fuzzy Hash: d1f1299b380321ec669e98462342d7815711b71b524e0823adb3feba6316f121
Instruction Fuzzy Hash: 4801F470A94204DBC710EFA8ED9256E77F0F745740F8006E9E52967361FF309998CB51

Function 00AE7D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7DC7

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

A[ZK, xrefs: 00AE7D66
\., xrefs: 00AE7D6D
Sophos Message Router, xrefs: 00AE7DB0, 00AE7DD2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A[ZK$Sophos Message Router$\.
API String ID: 2296764815-3602741884
Opcode ID: 46779504ef6d8607abe699693fd1696cf4da7d2d4614d7d6e6badd214d03aff6
Instruction ID: e1c66fa57ea44664b5f271fa0bafc1f7c62f3bab68751b305ca73d8000a8677b
Opcode Fuzzy Hash: 46779504ef6d8607abe699693fd1696cf4da7d2d4614d7d6e6badd214d03aff6
Instruction Fuzzy Hash: F2017135A542049BC740FF68E84669CB3F0EF09700F4082E8E91957371EF746A85CB56

Function 00AEDE10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDE7E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

]]B^, xrefs: 00AEDE30
kavfsslp, xrefs: 00AEDE66, 00AEDE89
EOXH, xrefs: 00AEDE27

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: EOXH$]]B^$kavfsslp
API String ID: 2296764815-267865359
Opcode ID: 45d857fb3e99fdbdfe902db8f0c175390a72a4cc7424df77d5720b644dfa622c
Instruction ID: 72fb5511b401770c4cf00d9f52428ee5a4461ae5eb49c0462e73bf84e4a97383
Opcode Fuzzy Hash: 45d857fb3e99fdbdfe902db8f0c175390a72a4cc7424df77d5720b644dfa622c
Instruction Fuzzy Hash: FF01F471A51309EBC710FFB8AC4656DB3F0EB19700F5046ECE829AB361EE309A44CB51

Function 00AE9F40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9FB7

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$PROFXENGAGEMENT, xrefs: 00AE9FA0, 00AE9FC2
z., xrefs: 00AE9F5D
kck`, xrefs: 00AE9F56

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$PROFXENGAGEMENT$kck`$z.
API String ID: 2296764815-3768006708
Opcode ID: 3e20a786b040ef328828b211944fbb18a460281f1f536dcf99090b88b52eb0fd
Instruction ID: a6dd5a84442561ae7bfcd33d871442a9e143e2790bdfd7a5db4fef429dffd807
Opcode Fuzzy Hash: 3e20a786b040ef328828b211944fbb18a460281f1f536dcf99090b88b52eb0fd
Instruction Fuzzy Hash: B60171759546059BC710FF68E9426A8B7F0EF18700F4041A5EC0997372FE705A95CB59

Function 00AEA1E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA255

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$TPS, xrefs: 00AEA23D, 00AEA260
bz~, xrefs: 00AEA1FD
}., xrefs: 00AEA204

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$TPS$bz~$}.
API String ID: 2296764815-3318066024
Opcode ID: 8bb156723ddb7b336b6c3d61e5cb89dff7230a5f2108780430b9c629e382fd21
Instruction ID: cc737eca1d4a3951ee933cdb04762dbcc1d852a7397546acba23c06fa7a33002
Opcode Fuzzy Hash: 8bb156723ddb7b336b6c3d61e5cb89dff7230a5f2108780430b9c629e382fd21
Instruction Fuzzy Hash: 4A018F75D60609D7CB40FBA898415AC77B0BF44740F5006D8EA2567372EF305A48CB56

Function 00AEE170 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE1E4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

KVK., xrefs: 00AEE194
JLK@, xrefs: 00AEE186
dbeng50.exe, xrefs: 00AEE1CD, 00AEE1EF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: JLK@$KVK.$dbeng50.exe
API String ID: 2296764815-2683184397
Opcode ID: f886e9b4ec88789300d42d25b01cfd8e2d84fab4cc1c0fb3c32ebfc0ec812a10
Instruction ID: fb8acffa8905b98cf80c2242ad348cfc6c122c5ad6a0f6fa7d9d7e6f9b5be9cd
Opcode Fuzzy Hash: f886e9b4ec88789300d42d25b01cfd8e2d84fab4cc1c0fb3c32ebfc0ec812a10
Instruction Fuzzy Hash: 3301A274E50204DBCB10EFA9ED8259DBBF0EB18704F4042D9E9295B361EF30AA84CF55

Function 00AEC260 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC2D5

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLWriter, xrefs: 00AEC2BD, 00AEC2E0
\., xrefs: 00AEC284
\GZK, xrefs: 00AEC27D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLWriter$\.$\GZK
API String ID: 2296764815-1985094325
Opcode ID: c46ca6e83d9c097079637368065bc40724c36ffa9e1ae87d246a8636184dd219
Instruction ID: a29b7347d3800b61f2f138851dd044b9123bb7c137cc50d6e03f6669f9efa645
Opcode Fuzzy Hash: c46ca6e83d9c097079637368065bc40724c36ffa9e1ae87d246a8636184dd219
Instruction Fuzzy Hash: C801DF359602089BCB40FFE8A8415DCB7F0BB18740F400298E82517360EB709A49CB9A

Function 00AEC8A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC915

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

UI0Detect, xrefs: 00AEC8FD, 00AEC920
Z., xrefs: 00AEC8C4
KZKM, xrefs: 00AEC8BD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KZKM$UI0Detect$Z.
API String ID: 2296764815-789511009
Opcode ID: c80f40b1948fdbf0fb23edd1dbbe37496b10e029dfe07518a88dc3f6d9cf3ad2
Instruction ID: c48ff02e95a19170aee560c3fad4afdf5bb02624cda1fa9f1e008c1ae0761cfd
Opcode Fuzzy Hash: c80f40b1948fdbf0fb23edd1dbbe37496b10e029dfe07518a88dc3f6d9cf3ad2
Instruction Fuzzy Hash: FF01A775954209DBCB00EFA8D982AECB7F0EB14700F4041A4ED29673A1EF345A85CF55

Function 00AEA8A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA914

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQLSERVER, xrefs: 00AEA8FD, 00AEA91F
b}k|, xrefs: 00AEA8BD
xk|., xrefs: 00AEA8C4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQLSERVER$b}k|$xk|.
API String ID: 2296764815-2707110321
Opcode ID: fb332686c06bcff34f492cfe6639f106eda4f793ca3ecbcf7423dcb78183ba53
Instruction ID: fb8610891c0d3699edbc4937eda417472396f2b04a1643468eb875a51a407394
Opcode Fuzzy Hash: fb332686c06bcff34f492cfe6639f106eda4f793ca3ecbcf7423dcb78183ba53
Instruction Fuzzy Hash: D501A271E54209DBCB40EFA8D9829ACBBF0EB15740F5042A9E8156B361EF706E88CB55

Function 00B249DD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00B249F1
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00B24A15
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B24A28

Strings

pScheduler, xrefs: 00B24A20

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 6b35535b817ef58edd09d28efabc2191d125b8b001148275d22370b2717703da
Instruction ID: f587590064bf5b8d120d3c478462ab197949118c36fdc6e23bf3232efe08f2f7
Opcode Fuzzy Hash: 6b35535b817ef58edd09d28efabc2191d125b8b001148275d22370b2717703da
Instruction Fuzzy Hash: 9DF09E39540124A7C330FA94F852C9FB3FCEE81B2035081EDF51A13191EB34ED4AC691

Function 00AED520 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED594

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQL Backups, xrefs: 00AED57D, 00AED59F
lOME, xrefs: 00AED53D
[^]., xrefs: 00AED575

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQL Backups$[^].$lOME
API String ID: 2296764815-1540004484
Opcode ID: 22584bb636c2d0e006e6f8c10fcfc1843c608f06b954447f8fc594cbc2d84a0b
Instruction ID: 5b51ed2e6fa95ebef14ae5780967340460faa128e919a202a5fa047022fb9d06
Opcode Fuzzy Hash: 22584bb636c2d0e006e6f8c10fcfc1843c608f06b954447f8fc594cbc2d84a0b
Instruction Fuzzy Hash: 0201DF74E20204DBC740FFA8D8429ACB7F4EB18710F4002A8E81567361EA306A48CF41

Function 00AE8890 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE88F9

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

LKJL, xrefs: 00AE88A6
I., xrefs: 00AE88AD
bedbg, xrefs: 00AE88DB, 00AE8904

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: I.$LKJL$bedbg
API String ID: 2296764815-2842323120
Opcode ID: 2d9e8b89b08357f012c7581ada9d6b7d54967cb97aedf231ef16fd02e97a54c1
Instruction ID: bd059953a703bfeed113880f711284108e1a990498106722b3c543a6b8d632c5
Opcode Fuzzy Hash: 2d9e8b89b08357f012c7581ada9d6b7d54967cb97aedf231ef16fd02e97a54c1
Instruction Fuzzy Hash: 57018179E54208DBCB00EBA8E9829ACB7F0EB04700F4041E5ED1D97361EE316E84DF56

Function 00AE8920 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8988

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K@Z., xrefs: 00AE893D
jmoI, xrefs: 00AE8936
DCAgent, xrefs: 00AE896C, 00AE8993

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: DCAgent$K@Z.$jmoI
API String ID: 2296764815-2719802742
Opcode ID: 32f427c249f03c14c6ec2ef11eafe399f3e9b5a84f97a2ee860cca41b8bc66bb
Instruction ID: 4347e1dab65c8d7961fe6db208d576ab934dcad890a5c258e9f1060674cabc58
Opcode Fuzzy Hash: 32f427c249f03c14c6ec2ef11eafe399f3e9b5a84f97a2ee860cca41b8bc66bb
Instruction Fuzzy Hash: B6018171E40208DBC700DFA8E88696C77F0FB18704F5085F5E92D97362EE34AE849B86

Function 00AE8E30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8E99

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

masvc, xrefs: 00AE8E7B, 00AE8EA4
CO]X, xrefs: 00AE8E46
M., xrefs: 00AE8E4D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CO]X$M.$masvc
API String ID: 2296764815-591847306
Opcode ID: 8ffdda5b527d3b7e8bbdd966217934d170500a5472cb90d23bb045d68da1c1c6
Instruction ID: 0874c6b8839b61baa1929982c72f96a77998afdfea18de8cc3379c9e4aa6661f
Opcode Fuzzy Hash: 8ffdda5b527d3b7e8bbdd966217934d170500a5472cb90d23bb045d68da1c1c6
Instruction Fuzzy Hash: 19011DB4E54208ABCB10EFA8E84259C77F0AF18B04F4045E5E92A57361EF30DA859F55

Function 00AEAF00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEAF73

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

zkcq, xrefs: 00AEAF16
ReportServer$SYSTEM_BGC, xrefs: 00AEAF50, 00AEAF7E
lim., xrefs: 00AEAF1D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ReportServer$SYSTEM_BGC$lim.$zkcq
API String ID: 2296764815-2755370133
Opcode ID: 52b2e3e4f8c6ec812311f1a51762a789be27517bf8e16235837cc804573412e0
Instruction ID: 0a8ddb4276f7eaee8a70650d70fa80e0d5b00a878c8f542aab95a5182f6f3328
Opcode Fuzzy Hash: 52b2e3e4f8c6ec812311f1a51762a789be27517bf8e16235837cc804573412e0
Instruction Fuzzy Hash: A801A270E94608DBC710EF68E9425AC77F0EB15700F4042A4F90A572B2EF316A99DB85

Function 00B44194 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B4421B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 5aa7411b558301040df0d4c8c6e2d4d6128bd91e592f3e864197088cba61e62c
Instruction ID: b788d105a3a95a6c9e064c1f4d67a4905d00f52c694c156224511ec395c91303
Opcode Fuzzy Hash: 5aa7411b558301040df0d4c8c6e2d4d6128bd91e592f3e864197088cba61e62c
Instruction Fuzzy Hash: A3B13332A102869FDB15CF68C8817AEBBF5EF95350F2481EAE854EB341D7748E11DB60

Function 00B06DC5 Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B06DCC
_strcspn.LIBCMT ref: 00B06E34
_strcspn.LIBCMT ref: 00B06E54
ctype.LIBCPMT ref: 00B06EC2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 7850e8b398bc231f502029132e3658894295cd972d79f76177374bccdf9b775c
Instruction ID: f8bb8006b1b533f9f068818df83fbfe5f49d4bc2361b57256d4956801c83cb89
Opcode Fuzzy Hash: 7850e8b398bc231f502029132e3658894295cd972d79f76177374bccdf9b775c
Instruction Fuzzy Hash: EEC125B59002599FDF14DFA8C984AEEBFF9FF08310F144199E845AB291D730AE55CBA0

Function 00B07111 Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B07118
_strcspn.LIBCMT ref: 00B07180
_strcspn.LIBCMT ref: 00B071A0
ctype.LIBCPMT ref: 00B0720E

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 35225f8e25ff80a90156c338c1d990c0eaec96c43404134aa095b02a15ad4b10
Instruction ID: d7c5575e81e7b00b278cfc636140620aff07a5f384d593c79afce586a60edf74
Opcode Fuzzy Hash: 35225f8e25ff80a90156c338c1d990c0eaec96c43404134aa095b02a15ad4b10
Instruction Fuzzy Hash: FFC13971D042499FDF14DFA8C985AEEBFF9EF09310F144099E805AB291DB30AE55CBA4

Function 00B2502D Relevance: 6.2, APIs: 4, Instructions: 180threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B25034

Part of subcall function 00B2452C: std::bad_exception::bad_exception.LIBCMT ref: 00B2454E

GetCurrentThread.KERNEL32 ref: 00B2510D

Part of subcall function 00B1A264: GetThreadPriority.KERNEL32(?), ref: 00B1A26A

Concurrency::details::ResourceManager::GetCoreCount.LIBCMT ref: 00B25139
Concurrency::details::HillClimbing::HillClimbing.LIBCONCRT ref: 00B25229

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::HillThread$ClimbingClimbing::CoreCountCurrentH_prolog3Manager::PriorityResourcestd::bad_exception::bad_exception
String ID:
API String ID: 213062931-0
Opcode ID: ccc7ec7c514e6bc155c50ae40745d72b4ccf4894bd1f4b2092b556b4498a2367
Instruction ID: db1574e7f737c8c22919038297a58cd6acf8320c1a1a0bd3398833ce654f6605
Opcode Fuzzy Hash: ccc7ec7c514e6bc155c50ae40745d72b4ccf4894bd1f4b2092b556b4498a2367
Instruction Fuzzy Hash: 4171F771A102118FDF48DF78D8967A97AE5BF48710F1881BAD84DDF28ADB748940CBA1

Function 00B30C89 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B30D50
___AdjustPointer.LIBCMT ref: 00B30D73
___AdjustPointer.LIBCMT ref: 00B30E0F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c7f5574eba7a93a40a3b1789d09189ad2af246ed88b07f9615422f9feb12324e
Instruction ID: 7a6c6a23aa983acb3baa5f622e4619a96695a8a538093436a810232627dacfbc
Opcode Fuzzy Hash: c7f5574eba7a93a40a3b1789d09189ad2af246ed88b07f9615422f9feb12324e
Instruction Fuzzy Hash: FB51E376611216AFDB29AF94E8A1BBA77E4FF04310F3445A9ED0647291EB31FD80C790

Function 00B30850 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 00B308A1
TypeidsEqual.LIBVCRUNTIME ref: 00B308C6
PMDtoOffset.LIBCMT ref: 00B308DC
PMDtoOffset.LIBCMT ref: 00B3095D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: 510f6d18862487c9abe51d9f502f8655ab47f27a542d070a5ee353452866cbc6
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: 4E518D359242099FEF11EF6CC4A06AEBBF4EF45310F24469AD890A7352D772AA44CB91

Function 00B5170E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B517DE
_free.LIBCMT ref: 00B51807
SetEndOfFile.KERNEL32(00000000,00B4E800,00000000,00B439D5,?,?,?,?,?,?,?,00B4E800,00B439D5,00000000), ref: 00B51839
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B4E800,00B439D5,00000000,?,?,?,?,00000000), ref: 00B51855

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: e9ba3b224120a4a524d951117cb167f590021061b00187764fc20fa03f473e7a
Instruction ID: dd3c9111f0f10d31120e6fa39430002203fe4a5c573fc9b7fea34808d4f0f098
Opcode Fuzzy Hash: e9ba3b224120a4a524d951117cb167f590021061b00187764fc20fa03f473e7a
Instruction Fuzzy Hash: F941B276900605ABDB21ABBCCC42B9E37F5EF48362F2409D0FC25E7291EA34CD488761

Function 00B1D184 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00B1D197
Concurrency::details::ResourceManager::PopulateCommonAllocationData.LIBCONCRT ref: 00B1D1CA
Concurrency::details::HillClimbing::Update.LIBCONCRT ref: 00B1D21E
Concurrency::details::SchedulerProxy::AdjustAllocationIncrease.LIBCMT ref: 00B1D231

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AllocationManager::Resource$AdjustBuffersClimbing::CommonDataHillIncreaseInitializePopulateProxy::SchedulerUpdate
String ID:
API String ID: 2493744444-0
Opcode ID: bbfda9545b9ee6449f75a4613f2e92742200c09364e9e6e7bf40a38e7af96d34
Instruction ID: 0721b3d489cf263d79aa3feab352fb6f3a5bb9f4bcb4e8ed95418d8a2b277aea
Opcode Fuzzy Hash: bbfda9545b9ee6449f75a4613f2e92742200c09364e9e6e7bf40a38e7af96d34
Instruction Fuzzy Hash: 97411575A00309AFCF10DF94C8C0BAEBBF9EB45310F5401AAD915AB246D770EA84DBA0

Function 00B4982E Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00B37549: _free.LIBCMT ref: 00B37557

Part of subcall function 00B4720B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00B44EF9,?,00000000,00000000), ref: 00B472AD

GetLastError.KERNEL32 ref: 00B49896
__dosmaperr.LIBCMT ref: 00B4989D
GetLastError.KERNEL32 ref: 00B498DC
__dosmaperr.LIBCMT ref: 00B498E3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2e5b116de2e7908a2bc9ea3be30d6901e3701e9421fb121e4a3919dae66959df
Instruction ID: 856cbd6e2eebe3148d2feac44caf3b4698c81bf2877e91280739853752d75196
Opcode Fuzzy Hash: 2e5b116de2e7908a2bc9ea3be30d6901e3701e9421fb121e4a3919dae66959df
Instruction Fuzzy Hash: 5D21B371604319FFDB206F698CC196BB7ECEF163B872085A8F92597151DB31ED00ABA0

Function 00B24580 Relevance: 6.1, APIs: 4, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00B24587
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00B245D3
std::bad_exception::bad_exception.LIBCMT ref: 00B245F2
std::bad_exception::bad_exception.LIBCMT ref: 00B24655

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: ef30d37953814414444d49fac8790856084168a0b7492ca53068825d73b3e05f
Instruction ID: 52e1c0ccbf17727c8fd1ea6ba2077eea9735285360cdfb784c2cfbc6f889b59c
Opcode Fuzzy Hash: ef30d37953814414444d49fac8790856084168a0b7492ca53068825d73b3e05f
Instruction Fuzzy Hash: CE219032900124EFDB06EFA4E8869ADB7F4EF0A310B1040D9F459AB691DB31AE42CB54

Function 00B37409 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a058977e6d6c07dc2806bd399917f28ee284c312f8c73908ef4b692ef7b4757c
Instruction ID: 099888fcb998e3b1e0f199a20c01434b1fa17509928825e3c31813d5e071e25a
Opcode Fuzzy Hash: a058977e6d6c07dc2806bd399917f28ee284c312f8c73908ef4b692ef7b4757c
Instruction Fuzzy Hash: FB2153B1648216BF9B30AF65DC85D6B7BEDEF10368B318594F92897251DF20EC109BA0

Function 00B2B3B2 Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 00B2B403
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B2B3EB

Part of subcall function 00B233F8: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00B23419

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B2B466
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,00B7124C), ref: 00B2B46B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: c9d696b04a6dc39cea895d1dcf4fac95e710141c288c3096711a5c1fc65a22b6
Instruction ID: 9453a3812a2231f47196a04ce03d03cd24d2d35295a242cc1ac86832193185f2
Opcode Fuzzy Hash: c9d696b04a6dc39cea895d1dcf4fac95e710141c288c3096711a5c1fc65a22b6
Instruction Fuzzy Hash: 2C21CC75600224EFCB04F758DC85EADB7ECEF48720B144595F929E3392DF70AD018AA5

Function 00B41B2D Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B32C42,00B71890,0000000C), ref: 00B41B32
_free.LIBCMT ref: 00B41B8F
_free.LIBCMT ref: 00B41BC5
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B32C42,00B71890,0000000C), ref: 00B41BD0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ecebdd98a5cc6576e7849d2233b854ed36407c64acc665fc0ea838d071222b00
Instruction ID: da7dbfa3879cef5ba7e03d6ca5f70c41b9f8fd799aae5731aeafb6e0a21779c3
Opcode Fuzzy Hash: ecebdd98a5cc6576e7849d2233b854ed36407c64acc665fc0ea838d071222b00
Instruction Fuzzy Hash: DE110A32B082047E9711277D6C86E2623DADBC1BB57680BE4F624931D1FD628F407121

Function 00B41C84 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B36778,00B42BA5,?,?,00B3F09C), ref: 00B41C89
_free.LIBCMT ref: 00B41CE6
_free.LIBCMT ref: 00B41D1C
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,00B36778,00B42BA5,?,?,00B3F09C), ref: 00B41D27

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: fe124f893612e5401d03e58467c98e31d2546f6c53dcd976414dadb73a3d02ce
Instruction ID: 0a92f56689f89bd67b15b652cf9d9977108b74330d4d3bbae422657bf61c8b86
Opcode Fuzzy Hash: fe124f893612e5401d03e58467c98e31d2546f6c53dcd976414dadb73a3d02ce
Instruction Fuzzy Hash: 8311C632B482047F97112B6DACC6E2623DAEBC1BB5B2847A4F528D71D2DE228F817111

Function 00B27715 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00B27751

Part of subcall function 00B18EA4: _SpinWait.LIBCONCRT ref: 00B18EBA

Concurrency::details::ScheduleGroupSegmentBase::GetInternalContext.LIBCMT ref: 00B2778D
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00B2779E
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00B277A8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$AvailableDeferredGroupMakePrepareProcessor::ScheduleSchedulerSegmentSpinVirtualWait
String ID:
API String ID: 3863322203-0
Opcode ID: a5f7cf5053266e8985b30de8d5e30e0a3209042ca5cf4494033ae556b0425b3e
Instruction ID: fc99ac3318d390e2aa9c8d4556ea9e3da0f27607eb4934470ee33e0e145365a5
Opcode Fuzzy Hash: a5f7cf5053266e8985b30de8d5e30e0a3209042ca5cf4494033ae556b0425b3e
Instruction Fuzzy Hash: 3D11B235A00220EBCF25AF65D8859AE77F5EF8575070000DAEC155B362CE70AD41CB95

Function 00B1975A Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00B1977C

Part of subcall function 00B1993D: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00B1F97C

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00B1979D

Part of subcall function 00B1A624: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00B1A640

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 00B197B9
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00B197C0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 8e9bce9ef35b51d5b1048f021bd081bc0c11d9ad730beec93677cbc1336674c4
Instruction ID: f171f637ef2130341320b18ea3664a2693dc44acaeda3aed723eb1b8459425cf
Opcode Fuzzy Hash: 8e9bce9ef35b51d5b1048f021bd081bc0c11d9ad730beec93677cbc1336674c4
Instruction Fuzzy Hash: D701D671500305ABC7207FA4CC959EBBBECEF11790B9045AEB565D2191D770DD8087A1

Function 00B2DCB2 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00B2DCCC
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00B2DCE0
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00B2DCF8
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00B2DD10

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: 9c2dee5ba38bc2879b3e4d3a98a9b200d19dd3a897066c3654dba4b9c6ad8392
Instruction ID: 7307ce98bfea50563bf67a8ad2e44e809d230cf62549291e56e044ac75da3ad9
Opcode Fuzzy Hash: 9c2dee5ba38bc2879b3e4d3a98a9b200d19dd3a897066c3654dba4b9c6ad8392
Instruction Fuzzy Hash: CF01D632600524ABCF15AE55A851AEF77E9EF94750F0000A6FC19AB282DA70ED0096E0

Function 00AFEAED Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B190C6
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00B190D9

Part of subcall function 00B1984A: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00B19867

Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00B190F2
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00B19113

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
String ID:
API String ID: 3258792471-0
Opcode ID: ac0a86cec1dd2658d30751cac4b1d9c85d10798b3018cf04014db7933740697f
Instruction ID: 12c175b307d67bd5a046d2dff41b0bb4ad5ab8970bbe9235fc2798ebd70a1355
Opcode Fuzzy Hash: ac0a86cec1dd2658d30751cac4b1d9c85d10798b3018cf04014db7933740697f
Instruction Fuzzy Hash: 9F018036900255DBDF11AB60C8A97ED73F1FF45310F9840D4D811AB345CF31A981CB91

Function 00B22AD1 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B22AD8

Part of subcall function 00B2A47B: ListArray.LIBCONCRT ref: 00B2A499

InterlockedPopEntrySList.KERNEL32(?,00000004,00B2390B,?,00B23AA6,00000004,00B23B68,?,?,?,?,00B239F6,00000000,?,?,?), ref: 00B22AF5
Concurrency::details::WorkQueue::WorkQueue.LIBCONCRT ref: 00B22B24
Concurrency::details::WorkQueue::Reinitialize.LIBCMT ref: 00B22B34

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ListQueue::$ArrayEntryH_prolog3InterlockedQueueReinitialize
String ID:
API String ID: 3655822757-0
Opcode ID: a3283765111649dc4b82db48845a46e7f8b5237b8f2c5f3d73f7f0e1552b3b75
Instruction ID: 51ed15c0d5e738f5f8e9bf73091df0c40fcb8f013f45f3376e648f8c14b01a75
Opcode Fuzzy Hash: a3283765111649dc4b82db48845a46e7f8b5237b8f2c5f3d73f7f0e1552b3b75
Instruction Fuzzy Hash: 56019EB1940B119BCB25EF74A899A2A77F0FF44310710069DE59ADB391EF34E8428B54

Function 00B1F4D7 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B1A3D8: TlsGetValue.KERNEL32(?,?,00B19959,00B19781,?,?), ref: 00B1A3DE

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00B1F501

Part of subcall function 00B28BDE: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00B28C05
Part of subcall function 00B28BDE: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00B28C1E
Part of subcall function 00B28BDE: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00B28C94
Part of subcall function 00B28BDE: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00B28C9C

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00B1F50F
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00B1F519
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00B1F523

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: c064be2fef4dbd257eee19429b0def7308ed4b303653e719d336a1e3124e9bc4
Instruction ID: 69b1de9bb5bd93800303b8f658b405dc5b4bbcb1970a60c89ebf78ca96f2e307
Opcode Fuzzy Hash: c064be2fef4dbd257eee19429b0def7308ed4b303653e719d336a1e3124e9bc4
Instruction Fuzzy Hash: 42F04631600238B7CA25B725A8128BDB7EACFA0B10F4401EAF809D3262DF249E41C7C2

Function 00B03C9B Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B19D83
Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00B19DB6
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00B19DC2
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00B19DCB

Part of subcall function 00B1975A: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00B1977C
Part of subcall function 00B1975A: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00B1979D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Concurrency::critical_section::_Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadLockNodeNode::QueueRegisterSchedulerSwitch_to_active
String ID:
API String ID: 2559503089-0
Opcode ID: c5854e2350c28a962ba7f95b24910e66f63171de4f2391e9d9e1a93bd0db44f0
Instruction ID: 8b48ebda146c6e944975a3082bda4b67254af6cabbd36049f08b5425cf911307
Opcode Fuzzy Hash: c5854e2350c28a962ba7f95b24910e66f63171de4f2391e9d9e1a93bd0db44f0
Instruction Fuzzy Hash: A0F0B431648289AB9F18BE7458B26FE36E69F41360B8441F9F5215B3C2CE618D819294

Function 00B51D62 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00B501D2,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B51D79
GetLastError.KERNEL32(?,00B501D2,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00B51D85

Part of subcall function 00B51D4B: CloseHandle.KERNEL32(FFFFFFFE,00B51D95,?,00B501D2,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B51D5B

___initconout.LIBCMT ref: 00B51D95

Part of subcall function 00B51D0D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B51D3C,00B501BF,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00B51D20

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00B501D2,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00B51DAA

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ed67016203e4cb243f8f5c1109b26c40c4b6e193958179587c58d91114568cbe
Instruction ID: c0ad7f7795f58cf6c4a7f6cc310fb84c440b53de2437ec27203c8bf1ebf1605f
Opcode Fuzzy Hash: ed67016203e4cb243f8f5c1109b26c40c4b6e193958179587c58d91114568cbe
Instruction Fuzzy Hash: 13F01236000264BBCF121F95DC04F8A3F75FB04762B0444A0FE1996160CB728964DB91

Function 00B17582 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00B1751F,00000064), ref: 00B175A5
LeaveCriticalSection.KERNEL32(00B7646C,?,?,00B1751F,00000064,?,00AE1048,00B7E824), ref: 00B175AF
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00B1751F,00000064,?,00AE1048,00B7E824), ref: 00B175C0
EnterCriticalSection.KERNEL32(00B7646C,?,00B1751F,00000064,?,00AE1048,00B7E824), ref: 00B175C7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 509d3b0ae64a83c3c754f00ee2bf86a44de281c1dbd670478d2a0c829a8930f7
Instruction ID: 04966934160c853d2e8f572243fc6a3c51b2999f4ee9a576bda889753b303cd4
Opcode Fuzzy Hash: 509d3b0ae64a83c3c754f00ee2bf86a44de281c1dbd670478d2a0c829a8930f7
Instruction Fuzzy Hash: 3AE01236545724FBCA112B50EC08BC93F69DB18752B048091F90F672718F6159818BD0

Function 00B3F1DA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3F1E3

Part of subcall function 00B42B7F: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3F09C), ref: 00B42B95
Part of subcall function 00B42B7F: GetLastError.KERNEL32(?,?,00B3F09C), ref: 00B42BA7

_free.LIBCMT ref: 00B3F1F6
_free.LIBCMT ref: 00B3F207
_free.LIBCMT ref: 00B3F218

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: db1e6bde87ca473b9214ecda71c0ab2c024734620a4d323da0c25b216ce3fbe0
Instruction ID: 58a118ada3b435a63f24a7f7db7149f1aba54eea9db5afeb8fd25daf03bbb648
Opcode Fuzzy Hash: db1e6bde87ca473b9214ecda71c0ab2c024734620a4d323da0c25b216ce3fbe0
Instruction Fuzzy Hash: 1CE0B671810A21AE8B226F39BC0184E3BA1E7957103814046F48C6B239DF7206D2FF89

Function 00B02397 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B0239E

Part of subcall function 00AFC8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00AFC8EF
Part of subcall function 00AFC8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00AFC911
Part of subcall function 00AFC8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC931
Part of subcall function 00AFC8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFCA89

_Find_elem.LIBCPMT ref: 00B025B0

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00B02406

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2799312399
Opcode ID: 09445fae7be2be45e0939be4fe0f855aa826e19ebbfc23300fcb2ae013e6a818
Instruction ID: 2ea6712dd24f29244842ae6d1766ae031545190fed8878c1a39b9599e165ad8e
Opcode Fuzzy Hash: 09445fae7be2be45e0939be4fe0f855aa826e19ebbfc23300fcb2ae013e6a818
Instruction Fuzzy Hash: 3DD17B31D042888EDF15DBA8C9997ECBFF2AF15300F6440D9E8956B2C2DA719D49CB50

Function 00B0A005 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B0A00F

Part of subcall function 00B0626E: __EH_prolog3.LIBCMT ref: 00B06275
Part of subcall function 00B0626E: std::_Lockit::_Lockit.LIBCPMT ref: 00B0627F
Part of subcall function 00B0626E: std::_Lockit::~_Lockit.LIBCPMT ref: 00B062F0

_Find_elem.LIBCPMT ref: 00B0A25F

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00B0A086

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: c8990f0fbb508fea6d1d02e7755328623e434dd514f217e5fd2dfb1323eb9496
Instruction ID: e57deba1a8cb5361ea2c27fa12abff3b341e80ad829af5b1b190ae704d89da25
Opcode Fuzzy Hash: c8990f0fbb508fea6d1d02e7755328623e434dd514f217e5fd2dfb1323eb9496
Instruction Fuzzy Hash: B0D18D71D043688ADF25DBA8C8857ACBFF2AB15300F5484D9E849AB2C2DB359C85CB56

Function 00B0A428 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B0A432

Part of subcall function 00B06303: __EH_prolog3.LIBCMT ref: 00B0630A
Part of subcall function 00B06303: std::_Lockit::_Lockit.LIBCPMT ref: 00B06314
Part of subcall function 00B06303: std::_Lockit::~_Lockit.LIBCPMT ref: 00B06385

_Find_elem.LIBCPMT ref: 00B0A682

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00B0A4A9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 0f7023d5fb9e6197af7ba505abd864e12c495a2a8afda9d9bcd5fc0cfca375d6
Instruction ID: 2ab0c0d3d12931fe3be958379e017fee525f2df6664f3ffee72f33d5a58ca290
Opcode Fuzzy Hash: 0f7023d5fb9e6197af7ba505abd864e12c495a2a8afda9d9bcd5fc0cfca375d6
Instruction Fuzzy Hash: 7FD1AE71D043588ADF25DBA8C8917ACBFF2BB11300F5888D9E449AB2C2DB759C85CB52

Function 00B3B87D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B3B90D

Strings

pow, xrefs: 00B3B8E5, 00B3B902

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5b752dbb6e91835a46526a6252f08ba610896d962a5e2c6e5acf9167e7b4bd3a
Instruction ID: ea8366987ef5ecc48f6a220042f3a57466bca2f94086d6f3d910f30cc2ccf6ca
Opcode Fuzzy Hash: 5b752dbb6e91835a46526a6252f08ba610896d962a5e2c6e5acf9167e7b4bd3a
Instruction Fuzzy Hash: 4451A1A1E082029ACB117B18CD417BE7BD4EB40711F348ED9E2D5422EDEF758DD1AA46

Function 00B16700 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00B16861

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00B167BF, 00B167F6, 00B167FB
-, xrefs: 00B1688F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: c104d4ac2e88baec5bdaad53b018995eff9fa3241f5303021e0ec1a6512b3f42
Instruction ID: 8c03e96f7c1670cb69819d111e7ba17afa424b75be0e06da8ee18738d972311d
Opcode Fuzzy Hash: c104d4ac2e88baec5bdaad53b018995eff9fa3241f5303021e0ec1a6512b3f42
Instruction Fuzzy Hash: 6351D370B04249AADF298E6C84917FEBFF9DF45314FA440EAE891D7281C6749DC1CB61

Function 00B3E849 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\QyzM5yhuwd.exe, xrefs: 00B3E88C, 00B3E893, 00B3E8C9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\QyzM5yhuwd.exe
API String ID: 0-397000512
Opcode ID: 751a740048bcff7d8828c17e894b24a519245ba3154ddc52ea3248978807a7f4
Instruction ID: 30f10c1c9ec5b9b0dcc1e1979d59b69e81dd5ad85607c143868e859bbc4700ed
Opcode Fuzzy Hash: 751a740048bcff7d8828c17e894b24a519245ba3154ddc52ea3248978807a7f4
Instruction Fuzzy Hash: 2B419271E00219AFDB21DFA9DC81AAEBBF8EB84310F2001E7F454E7291DA70DA44D750

Function 00B304B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B304EF
__IsNonwritableInCurrentImage.LIBCMT ref: 00B305A3

Strings

csm, xrefs: 00B3058D

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: b52be91dc7d53236143300ce21884b4779e60d1bb1144f8959a036e8500acf78
Instruction ID: 72ea95096dd3d7f547828008cf091f05fafe8d71169acdeb8a69bcc9165fcf4b
Opcode Fuzzy Hash: b52be91dc7d53236143300ce21884b4779e60d1bb1144f8959a036e8500acf78
Instruction Fuzzy Hash: CB419234A10208ABCF10EF68C8D1A9EBBF5EF55314F2581D5E8189B392E731DA45CF91

Function 00B3EEBB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3EF29
_free.LIBCMT ref: 00B3EF49

Strings

$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |, xrefs: 00B3EECC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: _free
String ID: $$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ |$$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ |
API String ID: 269201875-4069761618
Opcode ID: 87846b613f22a6ccd928a821080378c8dc475d6e9496c52393f5fa1ae659968b
Instruction ID: c11b810368ac2ccce6c538d22f03798ab9afdc35a05b0c9aded68390d07bf42f
Opcode Fuzzy Hash: 87846b613f22a6ccd928a821080378c8dc475d6e9496c52393f5fa1ae659968b
Instruction Fuzzy Hash: 3541C432A002049FDB14DF68C891A5EB7F6EF88714F2545E9E525EB391EB71EE05CB80

Function 00B31296 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B312BB

Strings

RCC, xrefs: 00B312D5
MOC, xrefs: 00B312CD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 0140735f423fcea9940c799faf755f9973069e7fb7c16b0d7a8ce19c412f0d03
Instruction ID: e4046b14d589a5c04ef6ae48d492c416900a0b40eb8a9a7e2c0e3246a556cd0c
Opcode Fuzzy Hash: 0140735f423fcea9940c799faf755f9973069e7fb7c16b0d7a8ce19c412f0d03
Instruction Fuzzy Hash: 4F412472900209BFCF16DF98CD81AAEBBF9EF48304F248599F905A7261D3359950DB54

Function 00B126C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00B126C7
__cftoe.LIBCMT ref: 00B12743

Strings

!%x, xrefs: 00B126D8

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 52b0090b244a16e2efde7891c2928c0d1112a95845caa4d19e9076b3b70dd85a
Instruction ID: e471c7860181e84d1ef586a00c734ebd40c8567e2af2689f103902942a59c5da
Opcode Fuzzy Hash: 52b0090b244a16e2efde7891c2928c0d1112a95845caa4d19e9076b3b70dd85a
Instruction Fuzzy Hash: A3313572D00249ABCF08EF94E981ADEB7F6EF08304F504499F504A7291E735AE95CB64

Function 00AFF6FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00AFF786
RaiseException.KERNEL32(?,?,?,?,?,00000000), ref: 00AFF7AB

Part of subcall function 00B2E7CB: RaiseException.KERNEL32(E06D7363,00000001,00000003,00AE146C,?,?,?,00AE146C,?,00B71F3C), ref: 00B2E82B

Part of subcall function 00B371F8: IsProcessorFeaturePresent.KERNEL32(00000017,00B41BE9,?,?,00B32C42,00B71890,0000000C), ref: 00B37214

Strings

csm, xrefs: 00AFF73A

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 115b431e17f82a4603804549706b875cdefbf397154d11d501b39d8e50dec7c8
Instruction ID: 8511458d6973ae35943f79ef69789ee6ca46e4d864fc99600c6283a4ab4d016a
Opcode Fuzzy Hash: 115b431e17f82a4603804549706b875cdefbf397154d11d501b39d8e50dec7c8
Instruction Fuzzy Hash: B2215C31D0021CAFCF24EFD4D941AAEF7B9AF00710F54082AFA45AB250CB70AD45CB81

Function 00B2C009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00B2C069
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B2C0B4

Strings

pContext, xrefs: 00B2C0AC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 3d0f8d669564738facb54a8da2c25a646f2027b516dcd22eb062317f9e44991b
Instruction ID: effc0301d1dd3f87f4a5b939cc715e885aaa386d2fb35f32a3bb1ca7e92072fd
Opcode Fuzzy Hash: 3d0f8d669564738facb54a8da2c25a646f2027b516dcd22eb062317f9e44991b
Instruction Fuzzy Hash: 16110636600220DBCF15EF28E8849AE7BE9EF84360B1545E9E91A97352DF74ED05CBC1

Function 00AE2DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AE2E0B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AE2E5A

Strings

bad locale name, xrefs: 00AE2E76

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 8c37ab1031ee52072d727c51873d7def37e7ff97d3597f24243bfbb04f1bb893
Instruction ID: c8ada8f0da92275f1871085737c43968a27f547455ecba9df1de928b5137dc3c
Opcode Fuzzy Hash: 8c37ab1031ee52072d727c51873d7def37e7ff97d3597f24243bfbb04f1bb893
Instruction Fuzzy Hash: 11119E71504B849FD320CF69C90175BBBE8EF19710F008A5EE889C3B81D775A6048B91

Function 00B2C994 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00B2C9C1
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00B2CA04

Strings

e, xrefs: 00B2C9D2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::
String ID: e
API String ID: 3733161840-4024072794
Opcode ID: cca9163df7ba71250267e51924f2c1187ede1661a3d9018c9e575caf3fd2a546
Instruction ID: 6671318d7e8e31e36d7ae171e9159398c8042c073d68177ceb71740a4e44965f
Opcode Fuzzy Hash: cca9163df7ba71250267e51924f2c1187ede1661a3d9018c9e575caf3fd2a546
Instruction Fuzzy Hash: 661186315001289BDB15DF69E4816AE7BE4EF423A4F14C1E9EC0A9F207DB71DD01CBA8

Function 00AEF390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEF40D

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

thebat64.exe, xrefs: 00AEF3F0, 00AEF418
ZFKL, xrefs: 00AEF3A7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ZFKL$thebat64.exe
API String ID: 2296764815-513041835
Opcode ID: acfc1cf40f47c80daea55c87b7961c6d64fb9fff2e9898f193159798613263af
Instruction ID: 009fbd7f29fe1f072cc273b673f628948954c9a74c84c79a57381448308ecbd4
Opcode Fuzzy Hash: acfc1cf40f47c80daea55c87b7961c6d64fb9fff2e9898f193159798613263af
Instruction Fuzzy Hash: D301D8B095420A9BCB00DF78ED815BD77F0FB09704F5041B4E91D57362EF315A858B55

Function 00AE9D80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9DFD

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$ECWDB2, xrefs: 00AE9DE0, 00AE9E08
bkm, xrefs: 00AE9DA0

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$ECWDB2$bkm
API String ID: 2296764815-2428866809
Opcode ID: b45365af779cf8f8b6b36a46777894ae2e546fb6776f937ef711874d478e157f
Instruction ID: 91f40f7785df6e18c71f8ff97990afe0c1e66a6b4c3bdfde5dd506a9b376aef5
Opcode Fuzzy Hash: b45365af779cf8f8b6b36a46777894ae2e546fb6776f937ef711874d478e157f
Instruction Fuzzy Hash: 6901B570A40309DBCB10DFA9E94156D77F0EB0D710F5042E9E82997361EF309A809B66

Function 00AEC600 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC672

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

TmCCSF, xrefs: 00AEC64E, 00AEC67D
zCmm}h, xrefs: 00AEC64B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: TmCCSF$zCmm}h
API String ID: 2296764815-806587354
Opcode ID: d9b8f3e4ec5ad43e1e58efee5858c8f0d58758d92e5169c6c4f270633e43b6db
Instruction ID: 59153462600b55e9897b57df7b0f398ec1754a9fbc9aba13b948111cc786e08a
Opcode Fuzzy Hash: d9b8f3e4ec5ad43e1e58efee5858c8f0d58758d92e5169c6c4f270633e43b6db
Instruction Fuzzy Hash: F601D474A402459BC700EFA8E84265D77F0FB19710F4060E5E429873F1DA30DA85CB1A

Function 00AEB110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB182

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

sacsvr, xrefs: 00AEB15E, 00AEB18D
]OM]X\, xrefs: 00AEB15B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ]OM]X\$sacsvr
API String ID: 2296764815-860625250
Opcode ID: 85ce6db9717788d4a63837488e9c580ee4b6bcbb03727c68eed4033b6bf3d0f6
Instruction ID: cf656334b61f599ac1883583f9d2bebea369e64883608fa69e01ec1a0b3b7612
Opcode Fuzzy Hash: 85ce6db9717788d4a63837488e9c580ee4b6bcbb03727c68eed4033b6bf3d0f6
Instruction Fuzzy Hash: A1018474A60344ABC790FB68E88159DB7F0EB15750F9041A4E41997371EA306D49CF61

Function 00AEB330 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB3A2

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SDRSVC, xrefs: 00AEB37E, 00AEB3AD
}j|}xm, xrefs: 00AEB37B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SDRSVC$}j|}xm
API String ID: 2296764815-2853393326
Opcode ID: 24e5519e708cfebadc52edc6e16f0bc9904aa2a0b33523393cf7c190c0b32047
Instruction ID: a23e86b3bd05eab737fe3a13eda85b9b05dbe42b0eae5512e3171ec365578cb3
Opcode Fuzzy Hash: 24e5519e708cfebadc52edc6e16f0bc9904aa2a0b33523393cf7c190c0b32047
Instruction Fuzzy Hash: 5A018475A552099BC700EB68ED4256D77F0EB18710F5041A8E8299B371EF305945C75A

Function 00AE7DF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7E6C

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

XGMK, xrefs: 00AE7E10
Sophos Safestore Service, xrefs: 00AE7E43, 00AE7E77

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Sophos Safestore Service$XGMK
API String ID: 2296764815-1442661894
Opcode ID: fa0f817016e2c28a121d3aca0a1ab287cd3d833675a2645bf6772b0eea9fd4fb
Instruction ID: c7149704d16eff4aa3a9525b1caf31f5a0691521d73e32838b8c14038245facf
Opcode Fuzzy Hash: fa0f817016e2c28a121d3aca0a1ab287cd3d833675a2645bf6772b0eea9fd4fb
Instruction Fuzzy Hash: DD0124B1E506088BC740FB6CEC428BCB3F0AB4A350F4043D4E82427272EF305A98CB51

Function 00AE8760 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE87D0

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

XGMK, xrefs: 00AE87AC
BackupExecRPCService, xrefs: 00AE87B4, 00AE87DB

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BackupExecRPCService$XGMK
API String ID: 2296764815-2765711953
Opcode ID: 383c83ec12963d1f2202e17d337e59f702a78ba46413a9cdeb79a0e1e2b7b87f
Instruction ID: 3050d5a97d2195962130644e2565acef15fc55226c7b50ca38339f7cdea35a70
Opcode Fuzzy Hash: 383c83ec12963d1f2202e17d337e59f702a78ba46413a9cdeb79a0e1e2b7b87f
Instruction Fuzzy Hash: 4501F271A402459BC700DB68AD825A877F4AB19700F4442E4F92D673B2EF319A84D702

Function 00AEC810 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC880

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

B^K\, xrefs: 00AEC85C
TrueKeyServiceHelper, xrefs: 00AEC864, 00AEC88B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: B^K\$TrueKeyServiceHelper
API String ID: 2296764815-3933329315
Opcode ID: 233c3bed03ca6ef51928f2a61842286d3ed1bb5e1ff23e851f3cfd8b8dd15479
Instruction ID: 59673a117a7b336e652429c9a968f03e467929518560fc3bc9b8f87b0e2305b9
Opcode Fuzzy Hash: 233c3bed03ca6ef51928f2a61842286d3ed1bb5e1ff23e851f3cfd8b8dd15479
Instruction Fuzzy Hash: 8901A771A45244DBD700EB68ED8299CB7F0EB2D710F5041E4E85957371DE30AA89CF61

Function 00AEA930 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA9A4

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

., xrefs: 00AEA965
MSSQLServerADHelper100, xrefs: 00AEA98A, 00AEA9AF

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .$MSSQLServerADHelper100
API String ID: 2296764815-3744829036
Opcode ID: 99400e5fbe5dc28e6af1490d282ea0e1e5cf37a61977bdd10eaab77092eadbd0
Instruction ID: 902476b6852e61c8e74d70cf208cc551a7080055cf28baddd4eb6d3fbe97ade6
Opcode Fuzzy Hash: 99400e5fbe5dc28e6af1490d282ea0e1e5cf37a61977bdd10eaab77092eadbd0
Instruction Fuzzy Hash: 2101F771E443499BCB10FFA8D906AACB7F0DB05300F4081E9E82657372EF706A88CB52

Function 00AEEE40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEEEB1

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

sqbcoreservice.exe, xrefs: 00AEEE94, 00AEEEBC
VK, xrefs: 00AEEE57

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: VK$sqbcoreservice.exe
API String ID: 2296764815-2887994934
Opcode ID: e8a20664e1f2fa47bcfa102430f7d54bd983d94554b876c887d50044408f2be8
Instruction ID: 078fbbc613a066ca1439a99359771397075cd9e293f99c4270fc1fa7730617fa
Opcode Fuzzy Hash: e8a20664e1f2fa47bcfa102430f7d54bd983d94554b876c887d50044408f2be8
Instruction Fuzzy Hash: 6D01F235A942049BC610EB68AD4299873F4EF1D310F4001D5E9289B3B2EE31AA88C392

Function 00AE7780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE77F0

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Acronis VSS Provider, xrefs: 00AE77D4, 00AE77FB
GJK\, xrefs: 00AE77CC

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Acronis VSS Provider$GJK\
API String ID: 2296764815-1091954119
Opcode ID: 74203aac60c003764454d5adaad44e6f96a27bfa021d0247c1e34aefb0b5f9c3
Instruction ID: e4d6647ba2310f17e1ca09c2e4ec0bb3b12604b2b4d68c7e58fe071ab3b68a8f
Opcode Fuzzy Hash: 74203aac60c003764454d5adaad44e6f96a27bfa021d0247c1e34aefb0b5f9c3
Instruction Fuzzy Hash: 8E01F270A942449BC340FB68AE8299C77F0AB28340F4046E8E81457371EF356A88CFA1

Function 00AE79F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7A60

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

XGMK, xrefs: 00AE7A3C
Sophos Clean Service, xrefs: 00AE7A44, 00AE7A6B

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Sophos Clean Service$XGMK
API String ID: 2296764815-3076323126
Opcode ID: 3375a0dc939ad588ee2b7a74c4ce40d2c8a8072d0dbcabe576f9eef6dccc2940
Instruction ID: 483aabb4f651fbe8e034b6783822a4d7b299dfc0a2e6e72b7b42575c43b90007
Opcode Fuzzy Hash: 3375a0dc939ad588ee2b7a74c4ce40d2c8a8072d0dbcabe576f9eef6dccc2940
Instruction Fuzzy Hash: E901A771E542449BC700EB68E98299C77F8EB2D780F4052E4E82997371EF30AF88CB51

Function 00AE9EB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9F21

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$PRACTTICEBGC, xrefs: 00AE9F04, 00AE9F2C
im, xrefs: 00AE9EC7

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$PRACTTICEBGC$im
API String ID: 2296764815-2811965043
Opcode ID: bf523982ac5030cd0ecb7f7f520fad156209a325a68014634aa6254793f4b29c
Instruction ID: 9503199971c67f947a52ca53569546985e8c9e29bd0740cf94ed38d653209473
Opcode Fuzzy Hash: bf523982ac5030cd0ecb7f7f520fad156209a325a68014634aa6254793f4b29c
Instruction Fuzzy Hash: 4A01F226A55245DBC600EF68ED826A8B7F0AF1D700F4012D9E91987371EE30AAC8C751

Function 00AE8D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8D7E

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

IMAP4Svc, xrefs: 00AE8D66, 00AE8D89
gco~, xrefs: 00AE8D27

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: IMAP4Svc$gco~
API String ID: 2296764815-287821554
Opcode ID: cd80e41e734f851b6ba83c3c5b5dff0b12ac28d5fe41bd4b6eb4e186ee158bcd
Instruction ID: b4d44a8d3b71d40573a4aa8e4bf1edcf1ee248405f219b11486d93f65bb27697
Opcode Fuzzy Hash: cd80e41e734f851b6ba83c3c5b5dff0b12ac28d5fe41bd4b6eb4e186ee158bcd
Instruction Fuzzy Hash: 0C01F971A51244DBC710FF68AC8187C73F0FB1A710F4046E9E4195B3E1EE345984CB95

Function 00AED2A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED317

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

A@}XM., xrefs: 00AED2E8
VeeamHvIntegrationSvc, xrefs: 00AED300, 00AED322

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A@}XM.$VeeamHvIntegrationSvc
API String ID: 2296764815-256894815
Opcode ID: c1dd921ba4214f43896817ccbcea79a0ded8469b79cc6149d4ed9c6e03999a09
Instruction ID: 4ba9f76136ddb16b4c015ecbc0eead4a01264436cd2e613e103539ed6fd8ada1
Opcode Fuzzy Hash: c1dd921ba4214f43896817ccbcea79a0ded8469b79cc6149d4ed9c6e03999a09
Instruction Fuzzy Hash: 77018436941646EBC740DF68D9426AC73F0EF48704F4041E9EE2D97361EF309A85CB55

Function 00AEB9A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBA17

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

mkciz., xrefs: 00AEB9E8
SQLAgent$PRACTTICEMGT, xrefs: 00AEBA00, 00AEBA22

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$PRACTTICEMGT$mkciz.
API String ID: 2296764815-2771177741
Opcode ID: 6c494165f9b0aeba950e62dec937258e891863bcf2babe98096149fa36aedc57
Instruction ID: 264e1c1f489082d184c2c8e191d0900b55370f2c0659547c66d11e047a2883ec
Opcode Fuzzy Hash: 6c494165f9b0aeba950e62dec937258e891863bcf2babe98096149fa36aedc57
Instruction Fuzzy Hash: 8901DF76A60244DBCB80FFA8E9426A877F0EF94740F4042A8E91567372EF305A98DB55

Function 00AEB900 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB977

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

mklim., xrefs: 00AEB948
SQLAgent$PRACTTICEBGC, xrefs: 00AEB960, 00AEB982

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$PRACTTICEBGC$mklim.
API String ID: 2296764815-2142840434
Opcode ID: f891e5281445391561b40181a5c8bfea2ac948e84a575e5f0c81777fa7ec8b5a
Instruction ID: e9eef4c93de833739576d35f7eda70e1bf5bb054938be041bb7f82d626743c72
Opcode Fuzzy Hash: f891e5281445391561b40181a5c8bfea2ac948e84a575e5f0c81777fa7ec8b5a
Instruction Fuzzy Hash: 33018438954245DBC700EF68D9526A877F0EB14740F5042A5ED2957371EF306E84CB95

Function 00AE8160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE81D6

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Veeam Backup Catalog Data Service, xrefs: 00AE81AC, 00AE81E1
K., xrefs: 00AE8176

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$Veeam Backup Catalog Data Service
API String ID: 2296764815-1208734644
Opcode ID: d424e7ec3756176a13b555ae9fdf880fe7e28729339064d544abf35d83e0ccfd
Instruction ID: fc65c74cdcf108e5509bb7b0a8f2a1860052b570d057fd0a6b160637a86375e6
Opcode Fuzzy Hash: d424e7ec3756176a13b555ae9fdf880fe7e28729339064d544abf35d83e0ccfd
Instruction Fuzzy Hash: 9301DF74A04644D7C714EB68AC42AA873F0EF19306F409698EC29132F2EF306AC9CB41

Function 00AE83D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8432

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ARSM, xrefs: 00AE841D, 00AE843D
o|}c, xrefs: 00AE8415

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ARSM$o|}c
API String ID: 2296764815-3722302773
Opcode ID: e783d62c99aec06854ad5276a89af6b51704c0cb549cdc90bb264ecb4e06e0a9
Instruction ID: 817ca4f181b278f6d37386cbc4c481666bb63068dc7e613b9f8e47f0e7674f92
Opcode Fuzzy Hash: e783d62c99aec06854ad5276a89af6b51704c0cb549cdc90bb264ecb4e06e0a9
Instruction Fuzzy Hash: E5F0A470A94248EBC700EBA8B8D295877F0EB1C714F8041E8F819873A1EE349A48DB55

Function 00AEB670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB6D2

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}`om, xrefs: 00AEB6B5
SNAC, xrefs: 00AEB6BD, 00AEB6DD

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SNAC$}`om
API String ID: 2296764815-3470061541
Opcode ID: 9fc489330a83ec267ca509df96b21ab7701c33f8ba9a1ab03549dfb295376d20
Instruction ID: 398c27d0780b89abe301bc762d870e53e220f0e0efce53ab337758543164dd0b
Opcode Fuzzy Hash: 9fc489330a83ec267ca509df96b21ab7701c33f8ba9a1ab03549dfb295376d20
Instruction Fuzzy Hash: 64F02871A88204DFC340FF68ED4296877F1EB08300F4841F5E519973E1DE309989CB56

Function 00AED970 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED9D2

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ekrn, xrefs: 00AED9BD, 00AED9DD
KE\@, xrefs: 00AED9B5

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KE\@$ekrn
API String ID: 2296764815-4221972813
Opcode ID: dfd78975aa90fd0a1723d3de82ad8c8c6b0fffcd07ffffebcf15360290654814
Instruction ID: 83f84162453ff9a7f91b749db324cc45369da50a24ef2f2cbea0859eeb7efa4c
Opcode Fuzzy Hash: dfd78975aa90fd0a1723d3de82ad8c8c6b0fffcd07ffffebcf15360290654814
Instruction Fuzzy Hash: 47F0A4B4A55209DBC700FB78AD8295877F0E715710F5046F4E8198B3B1EE309A58CB61

Function 00AEC2F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC358

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}]Z^}XM., xrefs: 00AEC339
SstpSvc, xrefs: 00AEC33C, 00AEC363

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SstpSvc$}]Z^}XM.
API String ID: 2296764815-3592017567
Opcode ID: 328ad93454d1db23e59d3175ca1fc5600e1489f728646dea67453290acbc56d5
Instruction ID: 05bc04405522d7052448d96ccb5abf0ab8725b61716c75e7d83b465168966d16
Opcode Fuzzy Hash: 328ad93454d1db23e59d3175ca1fc5600e1489f728646dea67453290acbc56d5
Instruction Fuzzy Hash: 61016D74E40209DBC700DFA8E882A5CB7F0FB08714F5045F5E9299B361EB30AA849B56

Function 00AEC720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC788

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

TrueKey, xrefs: 00AEC76C, 00AEC793
z\[KeKW., xrefs: 00AEC769

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: TrueKey$z\[KeKW.
API String ID: 2296764815-1606318124
Opcode ID: 21977b83d00f8c6db483e248d0fad3be28e5f19820f9fdf1ca2a09a7d40f3aec
Instruction ID: 0716234dbd9ba73f83b4a5ee4f80a4b09c3fe7c2f760a911a8358d61cf52ed38
Opcode Fuzzy Hash: 21977b83d00f8c6db483e248d0fad3be28e5f19820f9fdf1ca2a09a7d40f3aec
Instruction Fuzzy Hash: 57018675E54205DFC740EF68E881A9C7BF0EB08750F4045B8E81997362DF305A45CF55

Function 00AEAD30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEAD98

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}XM., xrefs: 00AEAD4D
POP3Svc, xrefs: 00AEAD7C, 00AEADA3

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: POP3Svc$}XM.
API String ID: 2296764815-545117663
Opcode ID: 4aaf97514d52b8fdd94cd8ce825f3c4a668d119bb05d69fbcfcccd8bbb9b8204
Instruction ID: a839af5543b449b8673d168557837467ede017bd5fb50c005d25c60ceb21fd54
Opcode Fuzzy Hash: 4aaf97514d52b8fdd94cd8ce825f3c4a668d119bb05d69fbcfcccd8bbb9b8204
Instruction Fuzzy Hash: EC018174E44208DBC700DFA8E996A5C77F0EB18705F4049E5F82997361FF30BA948B46

Function 00AECFD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED039

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

M., xrefs: 00AECFED
W3Svc, xrefs: 00AED01B, 00AED044

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: M.$W3Svc
API String ID: 2296764815-2139895643
Opcode ID: b0783c20bad2127176b9002a06b79e62eadc5847542c5bb534849500a4e46211
Instruction ID: 955529f1a88405b4b7f97b984d68e2ade7411b8e1eb3eabaed6def9713be6fa8
Opcode Fuzzy Hash: b0783c20bad2127176b9002a06b79e62eadc5847542c5bb534849500a4e46211
Instruction Fuzzy Hash: F301F935E54209DBCB80EF98E84199C77F0EF08704F8045E5ED2A573A1EB30AE95CB51

Function 00AEB080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB0E9

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

|k}XM., xrefs: 00AEB0C8
RESvc, xrefs: 00AEB0CB, 00AEB0F4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: RESvc$|k}XM.
API String ID: 2296764815-1216297658
Opcode ID: 0da0a7d68937df1ea8f186a2055e9cbc3141c3496b67ca23b2255017a93cedcf
Instruction ID: dffdc13c1edffd9de697e49afb0679d5f507e31a76b0514e0c8e6ebfb8d0158b
Opcode Fuzzy Hash: 0da0a7d68937df1ea8f186a2055e9cbc3141c3496b67ca23b2255017a93cedcf
Instruction Fuzzy Hash: 84016D75A48245EFCB00DBA9E9825AD77F0FB08700F5041B9EC2997772EF316A848B59

Function 00AED0F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED159

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

y|}xm., xrefs: 00AED138
WRSVC, xrefs: 00AED13B, 00AED164

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: WRSVC$y|}xm.
API String ID: 2296764815-55755892
Opcode ID: 92dfedcbb3e9d006265b6196a759b4872b052e5b6d39340fada21765876cddd9
Instruction ID: e6cf7f16f4f5039eee2cd099fc36ae59c4e16f865db4ac4e0ddea611104114a2
Opcode Fuzzy Hash: 92dfedcbb3e9d006265b6196a759b4872b052e5b6d39340fada21765876cddd9
Instruction Fuzzy Hash: 6A01A475E54204DBCB00EFA8E9929AC77F0EB08780F4041E9ED29573A1EF305A88DF65

Function 00AEB1A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB209

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}OC}]., xrefs: 00AEB1E8
SamSs, xrefs: 00AEB1EB, 00AEB214

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SamSs$}OC}].
API String ID: 2296764815-3168111973
Opcode ID: 40fc0a58a01a8a737a2aa224a6ea18d7daf96ce42e1edeb8d8dc02108c7273ac
Instruction ID: 785a8672fd0201d7fbb4e1d7514100dd6fa61ba27e8210bc476f6874db577bec
Opcode Fuzzy Hash: 40fc0a58a01a8a737a2aa224a6ea18d7daf96ce42e1edeb8d8dc02108c7273ac
Instruction Fuzzy Hash: C4016275AB0208DBC740FB98E84259C77F0EF08780F5041A8ED1967371EB305A48DB56

Function 00AEB4B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB518

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

}CMG@]Z., xrefs: 00AEB4F9
Smcinst, xrefs: 00AEB4FC, 00AEB523

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Smcinst$}CMG@]Z.
API String ID: 2296764815-881667136
Opcode ID: 7354b24bd2e32cabca460ca46aeff51621602544c0d6d72a6eeb7f2072a39331
Instruction ID: b92ad6296704c22289ca453ea3805bbb811a22564c64611c77d87b27f2f7584c
Opcode Fuzzy Hash: 7354b24bd2e32cabca460ca46aeff51621602544c0d6d72a6eeb7f2072a39331
Instruction Fuzzy Hash: 88018174A602089BC790FFACE88699DB7F0EB08740F5005A4E9199B371EB30AE48CF51

Function 00AEB5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB648

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SMTPSvc, xrefs: 00AEB62C, 00AEB653
}cz~}XM., xrefs: 00AEB629

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SMTPSvc$}cz~}XM.
API String ID: 2296764815-3085346859
Opcode ID: 77b2dc294111c2077352118d4f3323209e0e5386cb8633bedbc12a7c6321b469
Instruction ID: e8f17827521494abff57025aa6bb894d8bab77da794bb067d688f176798b5b90
Opcode Fuzzy Hash: 77b2dc294111c2077352118d4f3323209e0e5386cb8633bedbc12a7c6321b469
Instruction Fuzzy Hash: 20018675E45205DBC700EFA8E84196C77F0E705701F5081B5E91D97361DE309A94CB59

Function 00AE76F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7758

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

.MEDUSA, xrefs: 00AE773C, 00AE7763
{}o., xrefs: 00AE7741

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: .MEDUSA${}o.
API String ID: 2296764815-1308556338
Opcode ID: 1d1f62c0e8e6c0f510c97226c506fa6cc868a3ea9fb2eb4ce2699e5f171832f9
Instruction ID: 4d9cf4682924ed6f6ea9928a1c41d0e78bc90b860d0123a94ebe7796eb3f7a55
Opcode Fuzzy Hash: 1d1f62c0e8e6c0f510c97226c506fa6cc868a3ea9fb2eb4ce2699e5f171832f9
Instruction Fuzzy Hash: 9B013674E54208DFC710DFA8E986A5D77F0EF08704F4046F5E92997351DF30AA459B46

Function 00AED9F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDA58

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ESHASRV, xrefs: 00AEDA3C, 00AEDA63
k}fo}|x., xrefs: 00AEDA39

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ESHASRV$k}fo}|x.
API String ID: 2296764815-266113083
Opcode ID: 6d79d9b53e02180f247914538445942b54199cb9c783d7d8daa9c4f64d2bf22d
Instruction ID: 843a4dbf5032b69992e18d2d954c5e54e0dbd84bdd586f7041f146b3fd644f2c
Opcode Fuzzy Hash: 6d79d9b53e02180f247914538445942b54199cb9c783d7d8daa9c4f64d2bf22d
Instruction Fuzzy Hash: F8013175E48209DBC710DF69E982A6CB7F0E704740F5045B9E81AD73A2DE30ABC49F49

Function 00AEDEA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDF08

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

eoxh}iz., xrefs: 00AEDEE9
KAVFSGT, xrefs: 00AEDEEC, 00AEDF13

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KAVFSGT$eoxh}iz.
API String ID: 2296764815-2388180089
Opcode ID: 80fb406d44c881f569206098565e48870799351bb560fb6b0b17437eea8ec0df
Instruction ID: 6eed4f0d7913725c3eff2f8cd855dcb2a4aa636c1253996c730c2400e4194b6a
Opcode Fuzzy Hash: 80fb406d44c881f569206098565e48870799351bb560fb6b0b17437eea8ec0df
Instruction Fuzzy Hash: 35018670A54244AFCB40EF68D84265C77F0EB44710F5045B9E91997361EA309A94DF45

Function 00AEDFC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE028

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

mfefire, xrefs: 00AEE00C, 00AEE033
CHKHG\K., xrefs: 00AEE009

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CHKHG\K.$mfefire
API String ID: 2296764815-2097022887
Opcode ID: ec8b37ba63c52e75e1b270eb7395a0467528a043e6e1f01e0aaf6e265973c468
Instruction ID: fbba5764575d652c3c829bac690c03e1828f61f85219fb324ae3505b7dd67378
Opcode Fuzzy Hash: ec8b37ba63c52e75e1b270eb7395a0467528a043e6e1f01e0aaf6e265973c468
Instruction Fuzzy Hash: BA018174E94204DFCB54FFA8D942A5C77F0EB04744F5005A9E905973A1DB70AA48DB51

Function 00AEDF30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDF99

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

eoxh}., xrefs: 00AEDF78
KAVFS, xrefs: 00AEDF7B, 00AEDFA4

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KAVFS$eoxh}.
API String ID: 2296764815-963121276
Opcode ID: 8af0981ed2109eda4cf368ac3e47c2cad97fd16d67a18fd85a31b26b8f510765
Instruction ID: cc82aae8431b5bd1e46bfb7bf8dba1855c8c690f27cc286854da52610f5afec1
Opcode Fuzzy Hash: 8af0981ed2109eda4cf368ac3e47c2cad97fd16d67a18fd85a31b26b8f510765
Instruction Fuzzy Hash: 00016274A502089BCB10FB58D88259C77F0FB08700F4045E5EC25973A1EB709A48CB55

Function 00AEE3D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEE438

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

firefoxconfig.exe, xrefs: 00AEE421, 00AEE443
K., xrefs: 00AEE3E6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$firefoxconfig.exe
API String ID: 2296764815-2384296781
Opcode ID: fb977365efb27cc8ec37b6757ae46e4c71118eb636b0b2e876c0eae133c014b5
Instruction ID: ab664aadab613f1e1c2895cf80c8b8893ae8825d72a72f66bc9c6dc892d520d4
Opcode Fuzzy Hash: fb977365efb27cc8ec37b6757ae46e4c71118eb636b0b2e876c0eae133c014b5
Instruction Fuzzy Hash: FAF0A474A50245DBC720EB68D8525AC73F0EF08704F4082E9ED1D973A1EE31AED58F5A

Function 00AE8630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8697

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

G@K., xrefs: 00AE8646
BackupExecJobEngine, xrefs: 00AE8681, 00AE86A2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: BackupExecJobEngine$G@K.
API String ID: 2296764815-957901243
Opcode ID: b54b70de99e0ee973296ec927b65292112b0f43736a72e24976cf983a9c02c46
Instruction ID: 1a9422d008d8448cf68a3ae94148e1c7f20eb00d24aaec84572ec4ed12926ece
Opcode Fuzzy Hash: b54b70de99e0ee973296ec927b65292112b0f43736a72e24976cf983a9c02c46
Instruction Fuzzy Hash: C0F0A970E442899BC700EF68E84256C77F0AB19704F5051E5E91D9B3E1EF349EC4CB55

Function 00AEA780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA7E7

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQLFDLauncher$TPS, xrefs: 00AEA7D1, 00AEA7F2
z~}., xrefs: 00AEA796

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQLFDLauncher$TPS$z~}.
API String ID: 2296764815-3702047516
Opcode ID: 0a278ad06c5af7355462f5b0959db51be2d04bef512747b96af4c89f6f0f8c09
Instruction ID: 336b543920cf1c92417e5a5008d02e27d662fb9c48126f3f998057fd07e24234
Opcode Fuzzy Hash: 0a278ad06c5af7355462f5b0959db51be2d04bef512747b96af4c89f6f0f8c09
Instruction Fuzzy Hash: 9CF08174A54248DBC680FB68E94299877F0EB18740F4042E9EC05A7771FF306AC8CB91

Function 00AE89B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE8A18

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

K., xrefs: 00AE89C6
EPSecurityService, xrefs: 00AE8A01, 00AE8A23

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: EPSecurityService$K.
API String ID: 2296764815-2609705360
Opcode ID: 320a906c7c4cafec63b6a61098a83cfa4a588f88258ec489a29adc0a254371d7
Instruction ID: 06b863902a65071ae00394c2384266d5c657394e5533177821a47c6ff240d917
Opcode Fuzzy Hash: 320a906c7c4cafec63b6a61098a83cfa4a588f88258ec489a29adc0a254371d7
Instruction Fuzzy Hash: 83F0A934A94209A7C610EB68E9425AC73F0EB09700F5042F5ED1D57371EF305A859799

Function 00AEAFF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB057

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

ReportServer$TPSAMA, xrefs: 00AEB041, 00AEB062
oco., xrefs: 00AEB039

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: ReportServer$TPSAMA$oco.
API String ID: 2296764815-3204080075
Opcode ID: eac626b0bf52e69583d33e3b765a3b430bae130ae57b142d0477eed72d20731e
Instruction ID: ce482a283aca226e1d6bb20a18b80eecc3c8d8495c6a6ac0901440515e2c1fd7
Opcode Fuzzy Hash: eac626b0bf52e69583d33e3b765a3b430bae130ae57b142d0477eed72d20731e
Instruction Fuzzy Hash: 00F0D174E442449FC710EF68E9469AC73F5EB09700F4042E8EC2D573A2EE30AA809B82

Function 00AE8FC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9027

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

McAfeeEngineService, xrefs: 00AE9011, 00AE9032
GMK., xrefs: 00AE8FD6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: GMK.$McAfeeEngineService
API String ID: 2296764815-1150921893
Opcode ID: 6ea0682d79a687cc2c268cba09d3e8bea9aa2a4aecce0aac564c201d8e91f24d
Instruction ID: a8741b5746068e1e5cdbeaf9380027e28807167eec07c9becbed569f3ae577ad
Opcode Fuzzy Hash: 6ea0682d79a687cc2c268cba09d3e8bea9aa2a4aecce0aac564c201d8e91f24d
Instruction Fuzzy Hash: DAF08674E443049BC750EB68ED426A877F4EB09700F4042A9E919573B2EE30AE84CB45

Function 00AECF40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AECFA8

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

VeeamTransportSvc, xrefs: 00AECF91, 00AECFB3
M., xrefs: 00AECF56

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: M.$VeeamTransportSvc
API String ID: 2296764815-1328396404
Opcode ID: 2e5dd1047925013cc17e14a9bd94f9cf4b1b2a9485028a3f436b2a0c4647e669
Instruction ID: 68f5f004d7fff85e11b73c3ec621147f79169c3c1c55884e788ac5dcb8e0c465
Opcode Fuzzy Hash: 2e5dd1047925013cc17e14a9bd94f9cf4b1b2a9485028a3f436b2a0c4647e669
Instruction Fuzzy Hash: 53F0F434950304D7C710EB68E8825A873F0AF18710F9046D9ED295B3B1EE30ABC5CB9A

Function 00AED6B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AED717

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

^K\., xrefs: 00AED6F9
MSSQLServerADHelper, xrefs: 00AED701, 00AED722

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQLServerADHelper$^K\.
API String ID: 2296764815-3246946091
Opcode ID: 33d84ab9bc472e70fed64820012eebd331ad029f90efbb1adbcd8fa388391db7
Instruction ID: 5ba397fb8ee49a4df03a79e9b7c3268e2995c2f4b6d4664d37e837131f59be1d
Opcode Fuzzy Hash: 33d84ab9bc472e70fed64820012eebd331ad029f90efbb1adbcd8fa388391db7
Instruction Fuzzy Hash: 5EF08175A44246DBC720EFA8D952ABCB7F0EB04700F4042B9E91D973A1EE306E848B45

Function 00AEB810 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEB878

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

m., xrefs: 00AEB826
SQLAgent$BKUPEXEC, xrefs: 00AEB861, 00AEB883

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$BKUPEXEC$m.
API String ID: 2296764815-1245913668
Opcode ID: 23225d0a77e870928a6e4ddb59e233d52821bba3ddb0041d85c5139b82cbd47a
Instruction ID: 29bb36189a0fdb9b5a16667e9e4ac9406d53fbdcab1e7885a31bc3643f38c55c
Opcode Fuzzy Hash: 23225d0a77e870928a6e4ddb59e233d52821bba3ddb0041d85c5139b82cbd47a
Instruction Fuzzy Hash: F3F0F435A4430897D604EF6CE9825A873F0EF48700F9006E4FC295B3A1EE30AEC48796

Function 00AE9B00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9B68

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

m., xrefs: 00AE9B16
MSOLAP$SYSTEM_BGC, xrefs: 00AE9B51, 00AE9B73

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSOLAP$SYSTEM_BGC$m.
API String ID: 2296764815-2325299553
Opcode ID: 06731755e83effa34fb5077ad310ed9e675d407439beab166cd8cc1321a1e9c2
Instruction ID: 9f884df2ee83d13a3431fa36099615654548dc0a083139198649960317eaf378
Opcode Fuzzy Hash: 06731755e83effa34fb5077ad310ed9e675d407439beab166cd8cc1321a1e9c2
Instruction Fuzzy Hash: A7F08664A442459BC604DBA8A9429A973F0EF19700F5042E5EC2D573A1FE70AEC4D756

Function 00AEBB70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBBD7

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLAgent$SHAREPOINT, xrefs: 00AEBBC1, 00AEBBE2
g`z., xrefs: 00AEBBB9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$SHAREPOINT$g`z.
API String ID: 2296764815-3972077307
Opcode ID: 7c68010af23e251ab974d45ea5d22c234de600d35d077c7f0e96679c9ea18bd5
Instruction ID: 9ef983143073f34c7a6a25158008b301464f1c6e94ad8d102dae5b1dbd72e43a
Opcode Fuzzy Hash: 7c68010af23e251ab974d45ea5d22c234de600d35d077c7f0e96679c9ea18bd5
Instruction Fuzzy Hash: C2F08674A482089BC701DF68E94296C77F0EF09704F4042E4ED59973A1EE349A859B56

Function 00AEBC90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEBCF7

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLAgent$SYSTEM_BGC, xrefs: 00AEBCE1, 00AEBD02
lim., xrefs: 00AEBCD9

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$SYSTEM_BGC$lim.
API String ID: 2296764815-1509451271
Opcode ID: c2d49411da77b4a0ac2d7f3de3ab6ad5cb628273859f296bff077ad07cef6e08
Instruction ID: 57dbc3f9562419f373aa77c3e481af3f8a2bcd7e025e7686c6921328f645fd2b
Opcode Fuzzy Hash: c2d49411da77b4a0ac2d7f3de3ab6ad5cb628273859f296bff077ad07cef6e08
Instruction Fuzzy Hash: 44F0D130A543049BD600FF68E84299C73F0EB6CB40F6002E4EC095B3A1EF30AAD9DB81

Function 00AEDCF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDD57

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLAgent$SQLEXPRESS, xrefs: 00AEDD41, 00AEDD62
k}}., xrefs: 00AEDD39

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: SQLAgent$SQLEXPRESS$k}}.
API String ID: 2296764815-2125356181
Opcode ID: 441970a8ed849b81e8b1c683ef5a8d9660319c4d791bca2b9269ec37698fb94c
Instruction ID: c845c3351f9ea1f0c536b982dc93f31cdcb3bf954d898b6b93a9e0120b7d25c2
Opcode Fuzzy Hash: 441970a8ed849b81e8b1c683ef5a8d9660319c4d791bca2b9269ec37698fb94c
Instruction Fuzzy Hash: 90F08170A54608DBC610EB78D9866AC77F0EB08708F8047E5ED19673A2EF30AA84C741

Function 00AE7CC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE7D28

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

Z., xrefs: 00AE7CD6
Sophos MCS Client, xrefs: 00AE7D11, 00AE7D33

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: Sophos MCS Client$Z.
API String ID: 2296764815-950724333
Opcode ID: d0df63b9a6353098b516333a88cd835e89ca57cc68115b6bbff92d349e801266
Instruction ID: 9020bea171c42190a6453126906ba86c3d884f20f6df8f501662944b92daf922
Opcode Fuzzy Hash: d0df63b9a6353098b516333a88cd835e89ca57cc68115b6bbff92d349e801266
Instruction Fuzzy Hash: 3BF062259546459AC710EB68ED425BC73F0FB04700F5042B9E919973A1EE305AC5C799

Function 00AE9E20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9E88

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$PRACTICEMGT, xrefs: 00AE9E71, 00AE9E93
z., xrefs: 00AE9E36

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$PRACTICEMGT$z.
API String ID: 2296764815-3153748571
Opcode ID: b760f590d97806627f96f6f4a3d5072e47eb10be54d0d204d452f2c84d486287
Instruction ID: 519ad54123bf9ad1511d28b40c7a35c9ff8c4a7e06c4898317de469f833e2cae
Opcode Fuzzy Hash: b760f590d97806627f96f6f4a3d5072e47eb10be54d0d204d452f2c84d486287
Instruction Fuzzy Hash: 15F08178A5430897C640EFA8A9826A973F0EB08710F4052F4E90F573B1EF706AC4D749

Function 00AE9FE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEA047

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MSSQL$SBSMONITORING, xrefs: 00AEA031, 00AEA052
g`i., xrefs: 00AE9FF6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MSSQL$SBSMONITORING$g`i.
API String ID: 2296764815-976202717
Opcode ID: 5efe91250bb867d045730868bfc3a738f252b6146fe7d4201ba97df3e85b0dd5
Instruction ID: d91845b7fbab2e74f3d8aceeb75d399301a677c220131b89bde4477b7684f0fd
Opcode Fuzzy Hash: 5efe91250bb867d045730868bfc3a738f252b6146fe7d4201ba97df3e85b0dd5
Instruction Fuzzy Hash: 02F0F470A44245EBCB00EF6CE942ABC73F0FB04700F5002F6E90957361EE30AAC49755

Function 00AEBFF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEC058

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

SQLSafeOLRService, xrefs: 00AEC041, 00AEC063
K., xrefs: 00AEC006

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: K.$SQLSafeOLRService
API String ID: 2296764815-2168568204
Opcode ID: 816429ecdbcd41dd6cb2d08705d586f9726aa50e1ed8b35b8c54fe0343ec3a7a
Instruction ID: 0dd65054ae731f0389c4f110345ab52f18d085f6ae857d29a2b494e974d95a58
Opcode Fuzzy Hash: 816429ecdbcd41dd6cb2d08705d586f9726aa50e1ed8b35b8c54fe0343ec3a7a
Instruction Fuzzy Hash: 35F0D174A54608D7C650EB68E9836EC73F0AF18700F4002E9E919573B1EE306A85DB6A

Function 00AE93C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AE9419

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

MMS, xrefs: 00AE940A, 00AE9424
cc}., xrefs: 00AE93D6

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: MMS$cc}.
API String ID: 2296764815-1769523345
Opcode ID: 3f34a5355ddbe77ab00f352188864e971a105f0863d05e71e953712e074ed1dc
Instruction ID: 4ca2602a1b011ccdac8ff7bb3d1d2bcb65d4bacd5b4b57ac6b78767c8f8e8a8a
Opcode Fuzzy Hash: 3f34a5355ddbe77ab00f352188864e971a105f0863d05e71e953712e074ed1dc
Instruction Fuzzy Hash: 74F06D74A842089BC610EBB8ED8296C77F0EB08701F4041F8ED19973A1EE306E899B95

Function 00AEDB80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AEDBD9

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

AVP, xrefs: 00AEDBCA, 00AEDBE4
ox~., xrefs: 00AEDBC2

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AVP$ox~.
API String ID: 2296764815-2886911918
Opcode ID: 69ae49fcfc0488324e22aa1b351a7258c98e52b9803923296c5cb5544d3fc27c
Instruction ID: 14ede2be1ca658d10742a5d50301bd61b8597ad84ecf7f82ddeda347ed12f64e
Opcode Fuzzy Hash: 69ae49fcfc0488324e22aa1b351a7258c98e52b9803923296c5cb5544d3fc27c
Instruction Fuzzy Hash: 4BF01274A542049BC614EB68D94295C77F0FF29710F5041E4ED2E573A1EB30EE94DB52

Function 00AF3E40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00B174FA: EnterCriticalSection.KERNEL32(00B7646C,?,00B685C8,?,00AE1048,00B7E824), ref: 00B17505
Part of subcall function 00B174FA: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE1048,00B7E824), ref: 00B17542

__Init_thread_footer.LIBCMT ref: 00AF3EB8

Part of subcall function 00B174B0: EnterCriticalSection.KERNEL32(00B7646C,?,?,00AE107C,00B7E824,00B56560), ref: 00B174BA
Part of subcall function 00B174B0: LeaveCriticalSection.KERNEL32(00B7646C,?,00AE107C,00B7E824,00B56560), ref: 00B174ED
Part of subcall function 00B174B0: RtlWakeAllConditionVariable.NTDLL ref: 00B17564

Strings

vssadmin resize shadowstorage /for=%s /on=%s /maxsize=unbounded, xrefs: 00AF3E78, 00AF3EC0
j@j, xrefs: 00AF3E7F

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: j@j$vssadmin resize shadowstorage /for=%s /on=%s /maxsize=unbounded
API String ID: 2296764815-1028298010
Opcode ID: 5b7e2b4a75b7d28b81afaa14e2b02f0733c1e174a8656d91c8de27985ff8a521
Instruction ID: b75f699dea381a7c53e91366cfb78b94298227546975ad8d44546bed0aa609e2
Opcode Fuzzy Hash: 5b7e2b4a75b7d28b81afaa14e2b02f0733c1e174a8656d91c8de27985ff8a521
Instruction Fuzzy Hash: C2F0D622D5478A82D2016B28EC421B473A0FF29359F045360ED59232B3FF707AD4C754

Function 00B261AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 00B261CF
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B261E2

Strings

pContext, xrefs: 00B261DA

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: 657b5059403af32dadab25cc2239d020bdd5e308f7fc4f682a38bade24311917
Instruction ID: 45febaa534a05824f5b0fa30f115968e85906d1079416ec60ac10046e934d965
Opcode Fuzzy Hash: 657b5059403af32dadab25cc2239d020bdd5e308f7fc4f682a38bade24311917
Instruction Fuzzy Hash: F7E09239B00228A7CB14F768E85ACAEB7FD9F8475070445A5B925A32A1DF74ED05C6D0

Function 00B1D964 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B1D994

Strings

pScheduler, xrefs: 00B1D98C
version, xrefs: 00B1D979

Memory Dump Source

Source File: 00000000.00000002.3974629023.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.3974595415.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974691081.0000000000B59000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974725080.0000000000B73000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974757715.0000000000B74000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B76000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974785388.0000000000B7E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3974843696.0000000000B81000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_QyzM5yhuwd.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 573250b33bfafd5f4590159f184b1b4ebd43485c11f6a83df5157c8db67f1839
Instruction ID: 726d57f9c2dd12350d241c6af8114f8820d3e642f7cafeae17ad16278bc208b1
Opcode Fuzzy Hash: 573250b33bfafd5f4590159f184b1b4ebd43485c11f6a83df5157c8db67f1839
Instruction Fuzzy Hash: 38E0863450020CB6CF25FB94D84AFDD73E4AB10B85F9082E57865210B0E7B4D5CDC641

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QyzM5yhuwd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\!!!READ_ME_MEDUSA!!!.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\!!!READ_ME_MEDUSA!!!.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.MEDUSA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\!!!READ_ME_MEDUSA!!!.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.MEDUSA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\!!!READ_ME_MEDUSA!!!.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.MEDUSA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\!!!READ_ME_MEDUSA!!!.txt

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini.MEDUSA (copy)

C:\$WinREAgent\!!!READ_ME_MEDUSA!!!.txt

C:\$WinREAgent\Scratch\!!!READ_ME_MEDUSA!!!.txt

Windows Analysis Report
QyzM5yhuwd.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre